Published in PC Hardware

Intel failed to tell regulator about chip flaws

on 23 February 2018


Need to know only US-CERT

Chipzilla is in hot water for forgetting to tell US cybersecurity officials about the Meltdown and Spectre chip security flaws until they leaked to the public.

Six months after Alphabet notified the chipmaker of the problems, government officials had still not heard about them, and only found out when the flaws were leaked to the newspapers. Apparently, they are a little concerned because if some foreign power had found out about the issue, US systems would have been utterly vulnerable.

They are not happy about it either. Current and former US government officials had raised concerns that the government was not informed of the flaws before they became public because the flaws potentially held national security implications. Chipzilla said it did not think the weaknesses needed to be shared with US authorities as hackers had not exploited the vulnerabilities.

Intel did not tell the United States Computer Emergency Readiness Team, better known as US-CERT, about Meltdown and Spectre until January 3, after reports on them in online technology site The Register had begun to circulate.

Details of when the chip flaws were disclosed were given in letters sent by Intel, Alphabet, and Apple on Thursday in response to questions from Representative Greg Walden, an Oregon Republican who chairs the House Energy and Commerce Committee.

Alphabet said that security researchers at its Google Project Zero informed chipmakers Intel, AMD and SoftBank Corp-owned ARM Holdings of the problems in June.

It gave the chipmakers 90 days to fix the issues before publicly disclosing them, a standard practice in the cybersecurity industry intended to give the targets of bugs time to fix them before hackers can take advantage of the flaws.

Alphabet said it left the decision of whether to inform government officials of the security flaws up to the chipmakers, which is its standard practice.

Intel said it did not inform government officials because there was “no indication that any of these vulnerabilities had been exploited by malicious actors” according to its letter.

Intel said it did not perform an analysis of whether the flaws might harm critical infrastructure because it did not think they could affect industrial control systems. But Intel said that it did inform other technology companies that use its chips of the issue, according to its letter.

Microsoft said that it did inform several antivirus software makers about the flaws “several weeks” ahead of their public disclosure to give them time to avoid compatibility issues. AMD said that Alphabet extended the disclosure deadline from the standard 90 days twice, first to January 3, then to January 9.

Last modified on 23 February 2018