Apple, Google parent Alphabet and Intel in letters to lawmakers on Thursday revealed a bit of background information concerning the recent airing of Meltdown and Spectre chip vulnerabilities, saying Intel notified U.S. cyber security officials of the flaws only after their existence was made public.
The letters were sent to U.S. Rep. Greg Walden, chair of the House Energy and Commerce Committee, in response to questions the congressman leveled over the disclosure of Meltdown and Spectre, reports Reuters.
Specifically, Walden sought answers as to why government officials were not informed of the hardware vulnerabilities before they became public knowledge, potentially posing a threat to national security.
For its part, Intel said it decided not to inform the United States Computer Emergency Readiness Team, or US-CERT, upon learning about Meltdown and Spectre as hackers had not taken advantage of the flaws. In its letter, Intel said government officials were not notified because there was "no indication that any of these vulnerabilities had been exploited by malicious actors."
The chipmaker ultimately informed the US-CERT about the vulnerabilities on Jan. 3, a day after The Register reported on the issue and some six months after Google researchers first brought the flaws to Intel's attention.
Intel notified other tech companies of the problem last year, within the 90-day disclosure deadline offered by Google as standard practice. Google later extended that deadline to Jan. 3, then Jan. 9, according to a letter from AMD.
Meltdown and Spectre exploit a modern CPU feature called "speculative execution," a hardware design meant to improve operating speed by executing multiple instructions at the same time.
"To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed," Apple explained in a January statement. "If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software."
Though the processes are supposed to be inaccessible by applications and end users, Google researchers discovered that speculative executions could potentially be used to gain access to sensitive information stored in system memory.
Initially thought to be limited to Intel silicon, Meltdown and Spectre were found to affect all modern processors, including ARM-based chips like Apple's A-series SoCs. Shortly after initial reports went live, Apple issued a statement confirming all Mac and iOS CPUs are impacted by the security flaw.
Apple began the process of mitigating Mac vulnerabilities in December, while later software and security updates patched iOS devices in January. Additional fixes for macOS High Sierra and older Mac operating systems were also pushed out last month.
15 Comments
What Intel is really saying is the government is the biggest leaky bucket around, and if they told the government they were ensuring the information would have found its way into the wrong hands before Intel and others could fix it.
Isn't that a good thing? I bet the government would try to abuse the leak way before it got public.
Security by obscurity doesn’t work in this case. If they had notified US-CERT the vulnerability would have become public since that’s how they work. Except in those instances where they don’t—at least not until someone talks.
No. Intel is stupid for not informing them.
Does Microsoft not bother with patches and disclose until there is a major breach?
Intel sat on their asses for months then put out “garbage” fixes because it became a PR problem.
Google frequently puts a fire under Microsoft to fix security issues (90 days) and they are right to do so...
IT people need to know about security vulnerabilities ASAP, to mitigate potential breaches, that goes doubly so for Government systems.
—
People are thinking about the NSA (etc.) exploits getting out in the wild. That’s another issue entirely.
Instead people should consider that Chinese hackers stole stealth fighter jet designs. What if that was NK and nukes?