Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Incident Response

Lawmakers Raise Questions About Disclosure of CPU Flaws

The U.S. House Energy and Commerce Committee on Wednesday sent letters to several tech giants, raising questions about how the disclosure of the CPU vulnerabilities known as Spectre and Meltdown was handled.

The U.S. House Energy and Commerce Committee on Wednesday sent letters to several tech giants, raising questions about how the disclosure of the CPU vulnerabilities known as Spectre and Meltdown was handled.

Lawmakers have asked the CEOs of Intel, AMD, ARM, Apple, Amazon, Google and Microsoft to answer a series of questions on how the disclosure of the flaws was coordinated.

Specifically, the tech giants have been asked about why an embargo was imposed and who proposed it, when were US-CERT and CERT/CC notified, the impact of the embargo on critical infrastructure and other technology companies, the resources and best practices used in implementing the embargo, and lessons learned. The targeted companies have been instructed to respond by February 7.

The Meltdown and Spectre vulnerabilities allow malicious applications to exploit weaknesses in CPU designs and bypass memory isolation mechanisms. An attacker can leverage the flaws to access data as it’s being processed, including passwords, photos, documents, and emails.

The vulnerabilities were discovered independently by researchers at Google and various universities and companies. Major vendors were first notified in June 2017 and the disclosure of the flaws was initially planned for January 9, but some experts figured out that Microsoft and Linux developers had been preparing patches for critical CPU flaws and the disclosure was moved to January 3.

The companies that were notified quickly rolled out patches after information on the Meltdown and Spectre attack methods was made public – some firms released fixes even before disclosure – but some organizations, such as Digital Ocean, were caught off guard by the news and complained about the embargo.

“While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures,” the congressional committee wrote in its letter.

Advertisement. Scroll to continue reading.

“As more products and services become connected, no one company, or even one sector, working in isolation can provide sufficient protection for their products and users,” the lawmakers added. “Today, effective responses require extensive collaboration not only between individual companies, but also across sectors traditionally siloed from one another. This reality raises serious questions about not just the embargo imposed on information regarding the Meltdown and Spectre vulnerabilities, but on embargos regarding cybersecurity vulnerabilities in general.”

While many companies have managed to quickly address the vulnerabilities, mitigations have been found to introduce performance penalties and cause systems to become unstable. Both software and microcode updates caused problems for users, and system manufacturers have decided to halt BIOS updates due to buggy patches provided by Intel.

Related: Industry Reactions to Meltdown, Spectre Attacks

Related: Fake Meltdown/Spectre Patch Installs Malware

Related: Oracle Fixes Spectre, Meltdown Flaws With Critical Patch Update

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...