Spectre-style Intel chip vulnerability disclosures delayed, patches not expected until August
The release of patches to fix new Spectre-style flaws in Intel's processor designs is allegedly delayed by two more weeks to late May, but a report suggests Intel wants to push the release back even further into July while it works to finalize the required updates.
Intel had previously intended for processors affected by the new batch of flaws, unofficially named Spectre NG, to be fixed by patches starting from May 7, at the same time as details about the vulnerabilities themselves are disclosed to the public. According to sources ofHeise.de, Intel is now planning a co-ordinated release on May 21, two weeks later than planned.
The report claims the eventual release of patches and the disclosures isn't fixed, as Intel is claimed to have requested another extension to the delay. If granted, this extra alleged extension could end up with the details of the flaws, and some of the patches being released on July 10.
Security researchers usually inform manufacturers of the flaw once confirmed, giving the company a period of time to find a solution before publishing their findings, typically 90 days later. While delays can be requested, they are not always accepted by the research teams, who may opt to keep to their original schedule if it believes enough time has already passed for a fix to be created and distributed.
It was reported last week that eight new security flaws were found in Intel's CPUs, all caused by the same design-related issue, and with each requiring their own patches. Two waves of patches were scheduled, starting with one batch released in May followed by a second wave covering the more severe vulnerabilities in August.
Of the eight vulnerabilities, Intel apparently classified four as "high risk" while the other four are "medium risk." While seven are thought to be similar vulnerabilities to those found in Spectre, the eighth is considered an exception due to being able to exploit a virtual machine to attack a host system, making it potentially damaging to cloud-based services.
The vulnerabilities are said to affect all Core i processors and Xeon derivatives since 2010, as well as Atom, Pentium, and Celeron processors produced since 2013. As Intel chips are used in the Mac product ranges, it is highly likely Apple is affected by the flaws, and either has already issued or is actively working on patches for macOS.
Last week, Intel issued a statement ahead of the potential disclosures, effectively confirming the vulnerabilities exist. The company says it routinely works with other parties to "understand and mitigate any issues that are identified," that it strongly believes in the "value of co-ordinated disclosure," and reminds users to keep their systems up to date.
Revealed in January, the Meltdown and Spectre chip flaws in Intel and ARM-based processors allowed the creation of a number of exploits in systems using the components. All Mac and iOS devices were found to be affected by the issue, but Apple advised at the time it had already released mitigations for current operating system versions, and was working to develop other fixes.
In the following months, Intel became the subject of a number of lawsuits over the design flaws, including their effect on Intel's share price, and accusations that CEO Brian Krzanich allegedly sold shares worth millions of dollars after Intel was informed of the vulnerabilities, but before they were publicly disclosed.
Intel was also criticised for failing to notify U.S. cybersecurity officials of the flaws until after the public became aware of their existence.