Meltdown-Spectre: Why were flaws kept secret from industry, demand lawmakers

Great work on patching your own products, but why were smaller tech companies kept in the dark?


The lawmakers want to know whether the secrecy was appropriate, given the number of firms "caught off guard".

Image: US House of Representatives Committee on Energy and Commerce

US lawmakers want to know why only a select few companies knew about Meltdown and Spectre, and whether these insiders considered the impact of their secrecy on others.

Leaders of the House of Representatives Committee on Energy and Commerce have asked the CEOs of tech firms privy to embargoed details about the Meltdown and Spectre attacks whether the secrecy was appropriate, given the number of firms "caught off guard" when the flaws were publicly disclosed on January 3.

Greg Walden (R-OR), Gregg Harper (R-MS), Bob Latta (R-OH), and Marsha Blackburn (R-TN) raised questions about the embargo in a letter on Wednesday to the CEOs of Intel, AMD, Arm, Apple, Microsoft, Amazon, and Google.

At least parts of each company had been aware of the CPU flaws since June 2017, when Google informed Intel of the side-channel attacks on speculative execution and details of the embargo were set. But many relevant parties were either notified late or, due to the embargo, unable to fully assess the risk of the vulnerabilities.

Linux kernel developers complained this week about the unusual disclosure process for these hardware flaws compared with well-established and functioning processes previously followed for industry-wide software flaws.

Jessie Frazelle, a Microsoft software engineer who works on Linux, called this embargo an "absolute sh*tshow" that should be avoided in similar scenarios in the future.

FreeBSD's security team was only notified in late December and given the original embargo date of January 9. Google's early disclosure on January 3, prompted by a report on The Register, meant FreeBSD couldn't even offer users an estimate of when patches would be ready by the time the flaws were public.

As noted in the letter, US cloud firm DigitalOcean told customers on January 3 that "the strict embargo placed by Intel has significantly limited our ability to establish a comprehensive understanding of the potential impact".

Carnegie Mellon's CERT/CC, which plays an important role in informing industry about vulnerabilities, didn't even know about Meltdown and Spectre until the websites went live.


And, as became evident when Microsoft released its out-of-band Windows fixes, many antivirus vendors were not prepared for the early disclosure either.

"While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures," the committee leaders wrote.

The lawmakers want to hear from each company why the embargo was imposed and who proposed it. They also want to know when US-CERT and CERT/CC were informed, and finally whether any of the companies with knowledge of the flaws had assessed the potential impact of the embargo on critical infrastructure providers and other IT providers.

Intel said it appreciated the questions from the Energy and Commerce Committee and welcomed the opportunity to continue its dialog with Congress on these important issues.

"In addition to our recent meetings with legislative staff members, we have been discussing with the Committee an in-person briefing, and we look forward to that meeting," Intel told ZDNet.

Previous and related coverage

Spectre flaw: Dell and HP pull Intel's buggy patch, new BIOS updates coming

Dell and HP have pulled Intel's firmware patches for the Spectre attack.

Windows 10 Meltdown-Spectre patch: New updates bring fix for unbootable AMD PCs

AMD PCs can now install Microsoft's Windows update with fixes for Meltdown and Spectre and the bug that caused boot problems.

Meltdown-Spectre: Intel says newer chips also hit by unwanted reboots after patch

Intel's firmware fix for Spectre is also causing higher-than-normal reboot rates on Kaby Lake and Skylake CPUs.

Meltdown-Spectre: Oracle's critical patch update offers fixes against CPU attacks

The enterprise software giant is working on Spectre fixes for Solaris on Sparc V9.

Windows Meltdown-Spectre: Watch out for fake patches that spread malware

Criminals have yet to exploit Meltdown and Spectre, but they're playing on users' uncertainties about the CPU flaws in their malware and phishing schemes.

Linux vs Meltdown: Ubuntu gets second update after first one fails to boot

Now Linux distributions get hit by Meltdown patch issues.

26% of organizations haven't yet received Windows Meltdown and Spectre patches (Tech Republic)

Roughly a week after the update was released, many machines still lack the fix for the critical CPU vulnerabilities.

Bad news: A Spectre-like flaw will probably happen again (CNET)

Our devices may never truly be secure, says the CEO of the company that designs the heart of most mobile chips.