Intel fixes CPU security flaw it said was patched in May (updated)

Its earlier patch hadn't fully addressed the chip vulnerability.
Jon Fingas, @jonfingas
November 13, 2019
It turns out that Intel's CPU security fixes from May didn't address everything the company mentioned. Intel is rolling out another patch that does more to close the speculative execution flaws that could let attackers swipe passwords and other sensitive info. The mitigations in the patch should "substantively reduce" the possibility of an attack, Intel said. This still doesn't fully resolve the problem, but Intel is promising future CPU-level microcode fixes. There's a larger concern over how Intel has handled these vulnerabilities in the first place, however.

The Vrije Universiteit Amsterdam researchers who alerted Intel to the problems have told the New York Times that Intel apparently ignored key proof-of-concept exploits when developing the May update, and should have found the relevant flaws even without those ready-made examples. The team refused to stay quiet with the November patch, knowing that there were still issues. There are also criticisms of Intel's overall approach -- instead of tackling the underlying problem, it's allegedly focused more on patching variants of that problem as they pop up.

The initial problem affected many processors released since 2011 and applied regardless of your operating system. Software-level patches have mitigated some of the security problems on top of Intel's microcode solutions.

We've asked Intel for comment. This isn't a great look for the chip giant, whatever its response. As the researchers warned, the usual secrecy that governs vulnerability disclosures could hurt users here. Hackers could take advantage of security holes that people don't realize are still open, and the flaw itself wasn't all that secret -- it leaked to the point where the researchers were told about their own discovery. There may be substantial work ahead (including possible chip design changes) before Intel's CPUs are more trustworthy.

Update 11/13 3:05PM ET: Intel tells Engadget that it has been "very public" about its approach to disclosures, and takes "seriously" all vulnerabilities no matter who discovers them. You can read the full statement below. The company also pointed to Twitter comments from Daniel Gruss, who played a role in the disclosure. Gruss said Intel took concerns "very seriously" and has improved its approach "substantially" over the past year. Those are fair points, but it remains true that Intel didn't patch all the known issues in one go and still had communication issues.

"We are committed to addressing security vulnerabilities affecting our customers and providing responsible guidance on the solution, impact, severity, and mitigation. We have been very public about how we handle disclosures, including our strong belief in the value of coordinated disclosure (see https://www.intel.com/content/www/us/en/corporate-responsibility/product-security.html). We take seriously all potential security vulnerabilities whether they are found internally or externally, and actively collaborate with all parties to ensure mitigations are in place before public disclosure."
