alswart - stock.adobe.com
Intel started to notify hardware makers under non-disclosure about the Spectre and Meltdown chip flaws more than a month before the vulnerabilities were revealed to users.
Computer Weekly’s sister title, LeMagIT, has seen a document which shows that the chip maker's partners were informed on 29 November 2017 - which was also the day that Intel’s chief executive, Brian Krzanich, sold 266,000 Intel shares. The chip problems were officially revealed in the first week of January.
The stock transaction is the subject of at least one class action in the US, led by the Boston law firm Block & Leviton LLP, which was involved in the case against Volkswagen’s fake diesel emission tests.
Intel has recently come under fire over the patch it released and then recalled to protect systems with its microprocessors from the Spectre flaw.
Questions remain over why hardware manufacturers were not alerted sooner, given the flaw that was originally discovered in June by Google’s Project Zero. The fact that the Intel patch is flawed is also worrying.
As Computer Weekly has previously reported, Navin Shenoy, executive vice-president and general manager of the datacentre group at Intel Corporation, said of the faulty patches: “We recommend that equipment manufacturers, cloud service providers, system manufacturers, software suppliers and users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behaviour.”
Alan Priestley, research director at Gartner, said: “The increased rate of reboot was only identified in a small number of cases at customers who had a large number of installed servers. Most supplier testing tries to cover a comprehensive set of conditions, but these will always be limited in number.
“When the microcode update was applied to a large number of systems, an edge case scenario was found to cause an increased number of reboots on certain system,” he added.
Read more about Spectre and Meltdown
- As IT recoils from the Spectre and Meltdown chip exploits, companies face patches that are incompatible, leading to crashes, reduced performance and lock-ups.
- Security experts have warned that cyber attackers will be quick to use the Meltdown and Spectre exploits, but the first attempt to capitalise on them has come in the form of fake updates.
- Very few UK enterprise mobile devices have been patched against the recently discovered Meltdown and Spectre exploits and almost a quarter cannot be patched, a study shows.
Intel has come under particular criticism from Linus Torvalds, inventor of the Linux kernel, who rubbished Intel’s proposed solution to fixing Spectre in future processors.
Intel has suggested that processors that do ship with a fix for Spectre will have this feature disabled by default. The operating system will then need to query the processor when it starts up and enable the Spectre fix to get the extra security.
On the Linux Kernel Mail List archive, Torvalds wrote: “Do you really think that is acceptable? The interface implies Intel will never fix it. I think we need something better than this garbage.”
Gartner’s Priestley said: “It’s reasonable to expect that in the future, processor suppliers will design around these exploits and they will be removed by default. The current situation is that early patches have a performance impact. Some users may decide not to deploy the patches on systems that have little risk of exposure to the exploits.”
Given that microcode updates vary by processor generation, not all processors will be able implement the Spectre mitigations, according to Priestley. This means that system software will need to determine what capabilities the local processor has and take action based on its feature set.