Intel didn't tell CERTS, govs, about Meltdown and Spectre because they couldn't help fix it
Letters to Congress detail the plan to keep CPU flaws secret
Letters sent to the United States Congress by Intel and the other six companies in the Meltdown/Spectre disclosure cabal have revealed how and why they didn't inform the wider world about the dangerous chip design flaws.
Republican members of the House Energy and Commerce Committee sent letters to the seven in January, to seek answers about the reasons they chose not to disclose the flaws and whether they felt their actions were responsible and safe.
All the letters go over old ground: Google Project Zero spotted the design errors, told Intel, which formed a cabal comprising itself, Google, AMD, Arm, Apple, Amazon and Microsoft. The gang of seven decided that Project Zero's 90-day disclosure deadline had to be extended to January, then spoke to others to help them prepare fixes. But stray posts and sharp-eyed Reg hacks foiled that plan as we broke the news on January 3rd.
The flaws are so serious that the Congressmen insisted the seven explain themselves, and now we have the letters in which they attempt to do so, with links on this page.
Intel's letter (PDF) is the most informative because it reveals "Before the leak, Intel disclosed information about Spectre and Meltdown only to companies who could assist Intel in enhancing the security of technology users."
That meant the cabal felt none of the US government, the United States Computer Emergency Readiness Team or the Computer Emergency Readiness Team Coordination Center would be useful in preparing a response to the mess it made. Once news of the flaws broke, Intel "expedited its plans to deploy the mitigations and promptly briefed governments and others about the issues."
Intel explained that it devised this response after considering the "CERT Guide to Coordinated Vulnerability Disclosure", the "Common Vulnerabilities and Exposures (CVE) Numbering Authority Rules" and the "Forum of Incident Response and Security Teams Common Vulnerability Scoring System".
The letter also states that "Later this year, Intel will introduce new hardware design changes in our products to address vulnerabilities such as Spectre and Meltdown."
The other letters mostly point out that Spectre and Meltdown are Intel's problems, so while the cabal members answer the questions they defer to Chipzilla's actions. But there are still a few fun factoids.
Microsoft's, for example, revealed that it knew its fixes would break some anti-virus software and tried to warn vendors of such products in advance, but couldn't tell them why it was making changes for fear of leaking news of Meltdown and Spectre.
Arm's response almost feels like it was chuffed to be asked to play with the big boys. "Before Spectre and Meltdown, Arm had not been involved in multiparty coordinated vulnerability disclosure." Its letter says the company's senior managers and Board were made aware of the issue, and the fix was made a "major priority".
Amazon said it "focussed our efforts on developing countermeasures for the Linux operating system and the Xen hypervisor".
There's no sign of responses from the Congressmen who sent the letters. If that changes, so will this story. Or we'll write another. ®