Intel revealed a new set of security problems with its processors earlier this year, and issued fixes to resolve them. While the chip maker may have implied the problems were solved, that couldn’t be further from the truth. The New York Times reports that the fixes earlier this year only patched some of the security vulnerabilities that researchers had discovered.
In a damning report, The New York Times interviewed key security researchers who discovered the latest round of processor vulnerabilities. Dutch researchers at Vrije Universiteit Amsterdam first reported a range of security issues to Intel back in September 2018, and Intel patched some of the problems in May. Intel issued another round of security updates earlier this week, but problems still exist.
These researchers have kept quiet about the issues for eight months, providing Intel vital time to develop fixes. Intel even asked the security researchers to alter a paper they were planning to present, after it was clear the chip maker needed more time and it didn’t want the flaws to become public knowledge.
In advance of Intel’s latest patches, released on Tuesday, the company was notified of more unfixed flaws and asked researchers to once again stay silent, but they’ve refused. These security researchers have now revealed that Intel didn’t properly test vital proof-of-concept code that was provided back in September 2018, and that the company is not fixing the root of the problem.
Intel sent The Verge the following statement:
We are committed to addressing security vulnerabilities affecting our customers and providing responsible guidance on the solution, impact, severity and mitigation. We have been very public about how we handle disclosures, including our strong belief in the value of coordinated disclosure (see https://www.intel.com/content/www/us/en/corporate-responsibility/product-security.html). We take seriously all potential security vulnerabilities whether they are found internally or externally, and actively collaborate with all parties to ensure mitigations are in place before public disclosure.
At the heart of these issues are the Meltdown and Spectre vulnerabilities that were originally discovered in processors in January 2018. When these were first disclosed, researchers warned that variants and other consequences of the bug would appear for years to come. Intel isn’t fixing the core problem in existing processors, which would mean a redesign; instead, it’s an endless game of whack-a-mole to patch each variant that pops up.
The bigger issue is still that Intel lacks transparency over these processor issues. The company tried to downplay the problems early on, with confusing and carefully worded statements. We’re now approaching two years since these key processor flaws were discovered, and Intel is still misleading its customers over the status of fixes.
“There are tons of vulnerabilities still left, we are sure,” says Herbert Bos, a professor at Vrije Universiteit Amsterdam, in an interview with The New York Times. “And they don’t intend to do proper security engineering until their reputation is at stake.”
Update, 2:16 PM ET: With Intel statement.