Intel Spectre vulnerability memo raises questions of OEM disclosures

Intel first learned of the Meltdown and Spectre vulnerabilities in June, but a confidential company memo indicates the chipmaker didn't inform OEM partners of one of the Spectre vulnerabilities until late November.

TechTarget sister publication LeMagIT obtained a technical advisory from the Intel Product Security Incident Response Team (PSIRT) regarding the chipmaker's disclosure plan for a Spectre vulnerability, CVE-2017-5715, which is a branch target injection attack. The document, which is marked "Intel Confidential," showed the initial disclosure of the flaw for OEM customers was on Nov. 29, 2017, under a confidential nondisclosure agreement. In addition, the document showed the original planned public disclosure date of Jan. 9, 2018, which was preempted by industry speculation pointing to Meltdown and Spectre vulnerabilities.

"Intel's disclosure plan is designed to provide affected parties time to deploy mitigations for these issues prior to any planned public disclosure," the document stated.

Google Project Zero researcher Jann Horn notified Intel, AMD and ARM of the Spectre vulnerabilities on June 1. It's unclear why Intel didn't notify OEMs of the flaws until Nov. 29. Project Zero's issue tracker doesn't provide a complete timeline of events and only states that a "deadline grace" was granted on Aug. 7 to extend Google's 90-day disclosure deadline.

Intel did not respond to requests for comment.

The 11-page advisory, which was updated Dec. 20, 2017, contains a revision history for the planned microcode updates for the Spectre vulnerability. According to the advisory, which was viewed by SearchSecurity, the first round of Spectre microcode updates, including those for several Broadwell and Haswell products, was made available to third parties on Dec. 24.

The updates for Broadwell- and Haswell-based systems later proved to be problematic; Intel announced earlier this month that some client and data center systems running Broadwell and Haswell chips were experiencing "higher system reboots" after applying the updates. The chipmaker this week announced it was pulling the updates and urged OEMs, cloud providers, system builders and software vendors to stop deployment of the updates and wait for a new version.

"We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it," wrote Navin Shenoy, vice president and general manager of Intel's Data Center Group. "We ask that our industry partners focus efforts on testing early versions of the updated solution so we can accelerate its release."

The confidential Intel documents also include a list of planned microcode updates scheduled for Dec. 2017 to Jan. 2018 for other Intel products such as Sandy Bridge and Ivy Bridge chips. The documents do not offer specific dates for these updates.

In the company's fourth quarter 2017 earnings call Thursday, Intel CEO Brian Krzanich told analysts Intel is preparing new processors that are immune to the Meltdown and Spectre vulnerabilities. "We are working to incorporate silicon-based changes to future products that will directly address the Spectre and Meltdown threats in hardware," he said. "Those products will begin appearing later this year."