What you need to know
- A patch released by Intel on Tuesday was purported to have fixed flaws in its processors.
- Researchers at Vrije Universiteit Amsterdam claim that problems are still not solved.
- The group also claims that Intel is abusing its power and that it can no longer stay silent.
A report from The New York Times claims that Intel has repeatedly asked a group of Dutch researchers to remain silent over vulnerabilities in its chips, despite repeated instances of Intel patches which have not fixed the problem in its entirety.
The vulnerability is essentially based around the fact that Intel chips often perform certain functions in anticipation of processing needs to speed up performance. If those functions are aborted however, the data created remains in the system for a brief period, whilst this data is being processed or stored it is vulnerable to extraction by hackers.
Researchers at the Vrije Universiteit Amsterdam discovered and reported vulnerabilities in Intel processors in September 2018. According to the report, an Intel patch released to fix the issue in May did not fully address the problem. As such, a second patch was released on Tuesday, November 12, 2019, which was apparently supposed to fix all of the issues. That is at least, according to the researchers. The report notes:
The inaccuracy Giuffrida is supposedly referring to, is the fact that the patch provided on Tuesday does not fix another flaw they are said to have told Intel about in May:
The report notes standard industry practice surrounding this sort of thing, whereby security companies who discover vulnerabilities and report them often agree not to publish their findings until a company can release a patch to fix the problem. This is why you don't hear about most security vulnerabilities until after they are fixed. The Dutch researchers claim they remained silent for eight months following the initial report to Intel. When Intel released a fix in May, they became aware that the patch didn't include all of the exploits they had told Intel about and were asked to remain silent for a further six months. They were also apparently asked to alter a paper they had planned to present to a security conference.
The report claims that after Tuesday's release, the group was again asked to remain silent, however, they refused, hence this story:
The report goes on to suggest that Intel may have overlooked some of the "proof-of-concept" exploits provided by the group and that in doing so it has failed to uncover any additional vulnerabilities, which is why Intel hasn't been able to patch all the vulnerabilities in one go:
A spokeswoman for Intel said that the company had "greatly reduced" the risk of attack. She also said it had addressed the core problem through hardware fixes in some of its chips and planned to do the same for others.
Another reason that the group decided to go public in this case is the fact that the vulnerabilities have begun to leak, to the point that the information circled back to them from other sources. Now they are concerned that people may be able to use the vulnerability against people who are not protected. It remains unclear at this stage which vulnerabilities actually remain, and how long it may take Intel to fix them. You can read the full story here.
Get the Windows Central Newsletter
All the latest news, reviews, and guides for Windows and Xbox diehards.