Intel failed to disclose Meltdown and Spectre to government until flaws made public, Apple and others confirm
Apple, Google parent Alphabet and Intel in letters to lawmakers on Thursday revealed a bit of background information concerning the recent airing of Meltdown and Spectre chip vulnerabilities, saying Intel notified U.S. cyber security officials of the flaws only after their existence was made public.
The letters were sent to U.S. Rep. Greg Walden, chair of the House Energy and Commerce Committee Addressing, in response to questions the congressman leveled over the disclosure of Meltdown and Spectre, reports Reuters.
Specifically, Walden sought answers as to why government officials were not informed of the hardware vulnerabilities before they became public knowledge, potentially posing a threat to national security.
For its part, Intel said it decided not to inform the United States Computer Emergency Readiness Team, or US-CERT, upon learning about Meltdown and Spectre as hackers had not taken advantage of the flaws. In its letter, Intel said government officials were not notified because there was "no indication that any of these vulnerabilities had been exploited by malicious actors."
The chipmaker ultimately informed the US-CERT about the vulnerabilities on Jan. 3, a day after The Register reported on the issue and some six months after Google researchers first brought the flaws to Intel's attention.
Intel notified other tech companies of the problem last year, within the 90-day disclosure deadline offered by Google as standard practice. Google later extended that deadline to Jan. 3, then Jan. 9, according to a letter from AMD.
Meltdown and Spectre exploit a modern CPU feature called "speculative executive," a hardware design meant to improve operating speed by executing multiple instructions at the same time.
"To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed," Apple explained in a January statement. "If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software."
Though the processes are supposed to be inaccessible by applications and end users, Google researchers discovered that speculative executions could potentially be used to gain access to sensitive information stored in system memory.
Initially thought to be limited to Intel silicon, Meltdown and Spectre were found to affect all modern processors, including ARM-based chips like Apple's A-series SoCs. Shortly after initial reports went live, Apple issued a statement confirming all Mac and iOS CPUs are impacted by the security flaw.