Intel Fixes a Security Flaw It Said Was Repaired 6 Months Ago

An anonymous reader quotes a report from The New York Times: Last May, when Intel released a patch for a group of security vulnerabilities researchers had found in the company's computer processors, Intel implied that all the problems were solved. But that wasn't entirely true, according to Dutch researchers at Vrije Universiteit Amsterdam who discovered the vulnerabilities and first reported them to the tech giant in September 2018. The software patch meant to fix the processor problem addressed only some of the issues the researchers had found. It would be another six months before a second patch, publicly disclosed by the company on Tuesday, would fix all of the vulnerabilities Intel indicated were fixed in May, the researchers said in a recent interview.

The public message from Intel was "everything is fixed," said Cristiano Giuffrida, a professor of computer science at Vrije Universiteit Amsterdam and one of the researchers who reported the vulnerabilities. "And we knew that was not accurate." While many researchers give companies time to fix problems before the researchers disclose them publicly, the tech firms can be slow to patch the flaws and attempt to muzzle researchers who want to inform the public about the security issues. Researchers often agree to disclose vulnerabilities privately to tech companies and stay quiet about them until the company can release a patch. Typically, the researchers and companies coordinate on a public announcement of the fix. But the Dutch researchers say Intel has been abusing the process. Now the Dutch researchers claim Intel is doing the same thing again. They said the new patch issued on Tuesday still doesn't fix another flaw they provided Intel in May. The Intel flaws, like other high-profile vulnerabilities the computer security community has recently discovered in computer chips, allowed an attacker to extract passwords, encryption keys and other sensitive data from processors in desktop computers, laptops and cloud-computing servers. Intel says the patches "greatly reduce" the risk of attack, but don't completely fix everything the researchers submitted.

The company's spokeswoman Leigh Rosenwald said Intel was publishing a timeline with Tuesday's patch for the sake of transparency. "This is not something that is normal practice of ours, but we realized this is a complicated issue. We definitely want to be transparent about that," she said. "While we may not agree with some of the assertions made by the researchers, those disagreements aside, we value our relationship with them."

Oh be honest

[oldgraybeard]

every developer has had the bug that was fixed! "kinda"

Just my 2 cents ;)

Re:

[oldgraybeard]

" I think" "Let me check on that"

My 2 cents ;)

Re:

[Anonymous Dotter]

I don't think these are vulnerabilities that can be fixed with BIOS and software alone.

Re: Oh be honest

[fbobraga]

Yeap, I think the same: smells like a hardware issue

Re:

[93 Escort Wagon]

Are you sure that's not Teen Spirit?

Re:

[sound+vision]

I think they could, it would just cripple the processor so much that it would make the computer near-unusable. Not the smaller 10% or 30% performance hits we've seen so far.

Then again, I'm just basing this off Intel's reaction, not a deep understanding of the architecture itself. Don't assume malice when it could be incompetence.... unless it was malice the last 5 times?

Re:

[arglebargle_xiv]

This is like Intel's ingenious 320--series self-bricking SSDs from a couple of years ago:

"We've fixed the bug that causes the drives to brick themselves".

"OK, now we've really fixed the bug that causes the drives to brick themselves".

"This time we've really really really fixed the bug that causes the drives to brick themselves, promise and pinky-swear".

"We've now resolved the problem by withdrawing the 320 from sale and pretending it never existed. 320? What's that? We never sold anything like that, and

Re:

[Tailhook]

But it's a bash Intel story! And it's NYT! Omg I'm getting moist!

Re:

[Ryzilynt]

But it's a bash Intel story! And it's NYT! Omg I'm getting moist!

I'm getting moist just hearing that you are getting moist.

Re:

[Mike Frett]

Intel should stop making bugs then.

Re:

[bblb]

Wait, I thought you fixed that?

What, no... I thought you said you were gonna fix it?

Re:

[awe_cz]

True story!

Re: Oh be honest

[slick7]

every developer has had the bug that was fixed! "kinda"

If by "kinda", you mean it wasn't done right the first time; what makes you think any half measure "patches" will correct the issue? My experience has shown me, at least, doing the job right the first time regardless of time constraints, pressure from others or trying to save face is the only way. Even if one needs to start over from scratch. The saying "Pay me now or pay me later" comes to mind. It's just that paying later usually involves interest; time, money or embarrasment.

Re:

[John_Sauter]

...My experience has shown me, at least, doing the job right the first time regardless of time constraints, pressure from others or trying to save face is the only way. Even if one needs to start over from scratch. The saying "Pay me now or pay me later" comes to mind. It's just that paying later usually involves interest; time, money or embarrasment.

Sometimes the price is paid in human lives. I am thinking of Boeing and the 737-MAX.

Re:

[Aighearach]

Sometimes the price is paid in human lives. I am thinking of Boeing and the 737-MAX.

Nothing important would run on an Intel though

Re:

[dissy]

If by "kinda", you mean it wasn't done right the first time; what makes you think any half measure "patches" will correct the issue? My experience has shown me, at least, doing the job right the first time regardless of time constraints, pressure from others or trying to save face is the only way.

I'm not sure about the "only way"

I wouldn't mind a partial mitigation released ahead of the full fix, so long as it is explicitly described as exactly that, a partial mitigation until the full patch gets released.

It's the lying and hiding what's happening that makes all of it unacceptable.

Had instead Intel released a partial fix and stated what it mitigates and what it doesn't, with the remaining "doesn't" to be fixed in the next months patch, I don't think many would think any less of them that they curren

Re:

[jwhyche]

Way to go Intel. Let's just keep dropping that ball and kicking that can on down the street.

So is it really fixed now ?

[Alain Williams]

Or is this another step ? The trouble is that they have lied once, so do we trust them this time round ?

Re:

[93 Escort Wagon]

But they pinkie-swore this time!

Re:

[HiThere]

I don't think you've been keeping count accurately. I've lost track but I'm sure it's more than once.

Anyone else kinda moved on from CPU wars?

[Seven Spirals]

Computers became fast enough for me around the C2D 2.0Ghz mark. I stopped caring so much who had the fastest and now it's more about who has the most interesting ISA, hardware, or other quirks. So, Intel vs AMD isn't nearly as important as it was in the 90s when those new CPU gains meant entirely new games, effects, and software was possible. Now, it feels like just folks trying to squeeze off a few more FPS. Meh.

Re:

[DrMrLordX]

Nope, it's just you.

Re:

[Seven Spirals]

Hehe, says the ARM user.

It is way too complex to ever be bug free

[aberglas]

No one person at Intel will understand how all the microcode works, let alone the hardware. It is massive.

So we need patch Tuesday for CPUs!

Re:

[drinkypoo]

No one person at Intel will understand how all the microcode works, let alone the hardware. It is massive.

There's obviously parts of the architecture that no one at Intel understands. Otherwise they could have brought out a version not vulnerable to MELTDOWN by now.

Re: It is way too complex to ever be bug free

[slick7]

Now about the backroom boys and their bonuses - somebody did a cover up and they have not beem marched out.

If you can't understand the logic of a situation, first look at the money then look at the ego.

Would this be an apropriate job for A.I.?