
Intel fixes something it said it fixed six months ago

13 November 2019


Dutch researchers found Intel's patch only fixed some of the issues

Chipzilla has issued a patch for some processor vulnerabilities which were supposed to have been fixed in an earlier patch it released six months ago.

In May, Intel released a patch for a group of security vulnerabilities researchers had found in the company's computer processors and implied that all the problems were solved. But the Dutch researchers at Vrije Universiteit Amsterdam who discovered the vulnerabilities and first reported them to the tech giant in September 2018 said that was not entirely true.

The software patch meant to fix the processor problem addressed only some of the issues the researchers had found. It would be another six months before a second patch, publicly disclosed by the company on Tuesday, would fix all of the vulnerabilities Intel indicated were fixed in May, the researchers said in a recent interview.

Cristiano Giuffrida, a professor of computer science at Vrije Universiteit Amsterdam and one of the researchers who reported the vulnerabilities, said the public message from Intel was "everything is fixed... and we knew that was not accurate".

While many researchers give companies time to fix problems before the researchers disclose them publicly, the tech firms can be slow to patch the flaws and attempt to muzzle researchers who want to inform the public about the security issues.

Researchers often agree to disclose vulnerabilities privately to tech companies and stay quiet about them until the company can release a patch. Typically, the researchers and companies coordinate on a public announcement of the fix. But the Dutch researchers say Intel has been abusing the process. Now the Dutch researchers claim Intel is doing the same thing again.

They said the new patch still doesn't fix another flaw they reported to Intel in May. The Intel flaws, like other high-profile vulnerabilities the computer security community has recently discovered in computer chips, allowed an attacker to extract passwords, encryption keys and other sensitive data from processors in desktop computers, laptops and cloud-computing servers. Intel says the patches "greatly reduce" the risk of attack, but don't completely fix everything the researchers submitted.

The company's spokeswoman, Leigh Rosenwald, said Intel was publishing a timeline with Tuesday's patch for the sake of transparency.

 

Last modified on 13 November 2019