Intel Spectre vulnerability memo raises questions of OEM disclosures

Intel first learned of the Meltdown and Spectre vulnerabilities in June, but a confidential company memo indicates the chip maker didn’t inform OEM partners of one of the Spectre vulnerabilities until late November.

TechTarget sister publication LeMagIT obtained a technical advisory from the Intel Product Security Incident Response Team (PSIRT) regarding the chip maker’s disclosure plan for a Spectre vulnerability, CVE-2017-5715, which is a branch target injection attack. The document, which is marked “Intel Confidential,” shows the initial disclosure of the flaw for OEM customers was on Nov. 29, 2017, under a confidential non-disclosure agreement. In addition, the document shows the original planned public disclosure date of Jan. 9, 2018, which was preempted by industry speculation pointing to   Meltdown and Spectre vulnerabilities.

“Intel’s disclosure plan is designed to provide affected parties time to deploy mitigations for these issues prior to any planned public disclosure,” the document states.

Google Project Zero research Jann Horn notified Intel, AMD

and
ARM of the Spectre vulnerabilities on June 1. It’s unclear why Intel didn’t notify OEMs of the flaws until Nov. 29. Project Zero’s issue tracker doesn’t provide a complete timeline of events and only states that a “deadline grace” was granted on August 7 to extend Google’s 90-day disclosure deadline.

Intel did not respond to requests for comment.

The 11-page advisory, which was updated Dec. 20, 2017, contains a revision history for the planned microcode updates for the Spectre vulnerability. According to the advisory, which was viewed by SearchSecurity, the first round of Spectre microcode updates, including those for several Broadwell and Haswell products, was made available to third parties on Dec. 24.

The updates for Broadwell and Haswell-based systems later proved to be problematic; Intel announced earlier this month that some client and data center systems running Broadwell and Haswell chips were experiencing “higher system reboots” after applying the updates. The chip maker this week announced it was pulling the updates and urged OEMs, cloud providers, system builders and software vendors to stop deployment of the updates and wait for a new version.

“We have now identified the root cause for Broadwell and Haswell

platforms,
and made good progress in developing a solution to address it,” Navin Shenoy, vice president and general manager of Intel’s Data Center Group, wrote. “We ask that our industry partners focus efforts on testing early versions of the updated solution so we can accelerate its release.”

The confidential Intel documents also

includes
a list of planned microcode updates scheduled for Dec. 2017 – Jan. 2018 for other Intel products such as Sandy Bridge and Ivy Bridge chips. The documents do not offer specific dates for these updates.

In the company’s

fourth quarter
2017 earnings call Thursday, Intel CEO Brian Krzanich told analysts Intel is preparing new processors that are immune to the Meltdown and Spectre vulnerabilities. “We are working to incorporate silicon-based changes to future products that will directly address the Spectre and Meltdown threats in hardware,” he said. “Those products will begin appearing later this year.”