US lawmakers want to know why only a select few companies knew about Meltdown and Spectre, and whether these insiders considered the impact of their secrecy on others.
Leaders of the House of Representatives Committee on Energy and Commerce have asked the CEOs of tech firms privy to embargoed details about the Meltdown and Spectre attacks whether the secrecy was appropriate, given the number of firms “caught off guard” when it was publicly disclosed on January 3.
Greg Walden (R-OR), Gregg Harper (R-MS), Bob Latta (R-OH), and Marsha Blackburn (R-TN) raised question over the embargo in a letter on Wednesday to the CEOs of Intel, AMD, Arm, Apple, Microsoft, Amazon, and Google.
At least parts of each company had been aware of the CPU flaws since June 2017, when Google informed Intel of the side-channel attacks on speculative execution and details of the embargo were set. But many relevant parties were either notified late or, due to the embargo, unable to fully assess the risk of the vulnerabilities.
Linux kernel developers complained this week about the unusual disclosure process for these hardware flaws compared with well-established and functioning processes previously followed for industry-wide software flaws.
Jessie Frazelle, a Microsoft software engineer who works on Linux, called this embargo an “absolute sh*tshow” that should be avoided in similar scenarios in the future.
FreeBSD’s security team was only notified in late December and given the original embargo date of January 9. Google’s early disclosure on January 3, prompted by a report on The Register, meant FreeBSD couldn’t even offer users an estimate of when patches would be ready by the time the flaws were public.
As noted in the letter, US cloud firm DigitalOcean told customers on January 3 that “the strict embargo placed by Intel has significantly limited our ability to establish a comprehensive understanding of the potential impact”.
Carnegie Mellon’s CERT/CC, which plays an important role in informing industry about vulnerabilities, didn’t even know about Meltdown and Spectre until the websites went live.
Download now: IT leader’s guide to the threat of cyberwarfare (free PDF)
And, as became evident when Microsoft released its out-of-band Windows fixes, many antivirus vendors were not prepared for the early disclosure either.
“While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures,” the committee leaders wrote.
The lawmakers want to hear from each company why the embargo was imposed and who proposed it. They also want to know when US-CERT and CERT/CC was informed. And finally, whether or not any of the companies with knowledge had assessed the potential impact of the embargo on critical infrastructure providers and other IT providers.
Update: In a statement, Intel said: “The security of our customers and their data is critical to us. We appreciate the questions from the Energy and Commerce Committee and welcome the opportunity to continue our dialogue with Congress on these important issues. In addition to our recent meetings with legislative staff members, we have been discussing with the Committee an in-person briefing, and we look forward to that meeting.”
Previous and related coverage
Dell and HP have pulled Intel’s firmware patches for the Spectre attack.
AMD PCs can now install Microsoft’s Windows update with fixes for Meltdown and Spectre and the bug that caused boot problems.
Intel’s firmware fix for Spectre is also causing higher reboots on Kaby Lake and Skylake CPUs.
The enterprise software giant is working on Spectre fixes for Solaris on Sparc V9.
Criminals have yet to exploit Meltdown and Spectre, but they’re playing on users’ uncertainties about the CPU flaws in their malware and phishing schemes.
Now Linux distributions get hit by Meltdown patch issues.
Roughly a week after the update was released, many machines still lack the fix for the critical CPU vulnerabilities.
Our devices may never truly be secure, says the CEO of the company that designs the heart of most mobile chips.