What you need to know
- A patch released by Intel on Tuesday was purported to have fixed flaws in its processors.
- Researchers at Vrije Universiteit Amsterdam claim that problems are still not solved.
- The group also claims that Intel is abusing its power and that it can no longer stay silent.
A report from The New York Times claims that Intel has repeatedly asked a group of Dutch researchers to remain silent over vulnerabilities in its chips, despite repeated instances of Intel patches which have not fixed the problem in its entirety.
The vulnerability is essentially based around the fact that Intel chips often perform certain functions in anticipation of processing needs to speed up performance. If those functions are aborted however, the data created remains in the system for a brief period, whilst this data is being processed or stored it is vulnerable to extraction by hackers.
Researchers at the Vrije Universiteit Amsterdam discovered and reported vulnerabilities in Intel processors in September 2018. According to the report, an Intel patch released to fix the issue in May did not fully address the problem. As such, a second patch was released on Tuesday, November 12, 2019, which was apparently supposed to fix all of the issues. That is at least, according to the researchers. The report notes:
It would be another six months before a second patch, publicly disclosed by the company on Tuesday, would fix all of the vulnerabilities Intel indicated were fixed in May, the researchers said in a recent interview.
The public message from Intel was "everything is fixed," said Cristiano Giuffrida, a professor of computer science at Vrije Universiteit Amsterdam and one of the researchers who reported the vulnerabilities. "And we knew that was not accurate."
The inaccuracy Giuffrida is supposedly referring to, is the fact that the patch provided on Tuesday does not fix another flaw they are said to have told Intel about in May:
Now the Dutch researchers claim Intel is doing the same thing again. They said the new patch issued on Tuesday still doesn't fix another flaw they provided Intel in May.
Intel acknowledged that the May patch did not fix everything the researchers submitted, nor does Tuesday's fix. But they "greatly reduce" the risk of attack, said Leigh Rosenwald, a spokeswoman for the company.
The report notes standard industry practice surrounding this sort of thing, whereby security companies who discover vulnerabilities and report them often agree not to publish their findings until a company can release a patch to fix the problem. This is why you don't hear about most security vulnerabilities until after they are fixed. The Dutch researchers claim they remained silent for eight months following the initial report to Intel. When Intel released a fix in May, they became aware that the patch didn't include all of the exploits they had told Intel about and were asked to remain silent for a further six months. They were also apparently asked to alter a paper they had planned to present to a security conference.
The report claims that after Tuesday's release, the group was again asked to remain silent, however, they refused, hence this story:
"We think it's time to simply tell the world that even now Intel hasn't fixed the problem," said Herbert Bos, a colleague of Mr. Giuffrida and Mr. Razavi at Vrije Universiteit Amsterdam
The report goes on to suggest that Intel may have overlooked some of the "proof-of-concept" exploits provided by the group and that in doing so it has failed to uncover any additional vulnerabilities, which is why Intel hasn't been able to patch all the vulnerabilities in one go:
"There are tons of vulnerabilities still left, we are sure," Mr. Bos said. "And they don't intend to do proper security engineering until their reputation is at stake.... "Many of the attacks they missed were a few lines of code different from the others. Sometimes a single line of code," Mr. Giuffrida said. "The implication of this is of course worrisome. It means until we give them all possible variations of the problem, they won't actually fix the problem."
A spokeswoman for Intel said that the company had "greatly reduced" the risk of attack. She also said it had addressed the core problem through hardware fixes in some of its chips and planned to do the same for others.
Another reason that the group decided to go public in this case is the fact that the vulnerabilities have begun to leak, to the point that the information circled back to them from other sources. Now they are concerned that people may be able to use the vulnerability against people who are not protected. It remains unclear at this stage which vulnerabilities actually remain, and how long it may take Intel to fix them. You can read the full story here.