Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

Tech Giants Hit by Meltdown, Spectre Respond to Lawmakers

Intel, AMD, ARM, Apple, Amazon, Google and Microsoft have responded to lawmakers who raised questions last month about the disclosure of the CPU vulnerabilities known as Meltdown and Spectre.

Intel, AMD, ARM, Apple, Amazon, Google and Microsoft have responded to lawmakers who raised questions last month about the disclosure of the CPU vulnerabilities known as Meltdown and Spectre.

The U.S. House Energy and Commerce Committee announced on January 24 that it had sent letters to the companies hit by the Meltdown/Spectre incident, inquiring about their disclosure process. The tech giants were instructed to respond by February 7 and their responses have now been made public.

The Meltdown and Spectre vulnerabilities, which allow malicious applications to access potentially sensitive data from memory, were discovered independently by researchers at Google and various universities and private companies. Affected vendors were first notified in June 2017 and the disclosure of the flaws was initially planned for January 9, but it was moved to January 3 after some experts figured out that operating system developers had been preparing patches for what appeared to be critical processor flaws.

The U.S. House Energy and Commerce Committee asked impacted vendors about why and who proposed an embargo, when were US-CERT and CERT/CC notified, the impact of the embargo on critical infrastructure and other technology firms, the resources and best practices used in implementing the embargo, and lessons learned regarding multi-party coordinated disclosure.

Overall, the companies said Google Project Zero, whose researchers discovered the vulnerabilities, set the embargo after consultations with affected firms. Project Zero typically gives vendors 90 days to release patches, but the deadline was significantly extended due to the “complex nature of the vulnerability and mitigations.”

None of the companies notified US-CERT and CERT/CC of Meltdown and Spectre prior to their public disclosure. The agencies learned about the flaws through the public disclosure on January 3, and US-CERT was contacted by Intel on that day and again two days later.

The companies told lawmakers that the embargo and the disclosure process were consistent with industry standard practices designed to protect the public against attacks exploiting unpatched vulnerabilities.

In response to questions regarding impact on critical infrastructure, Intel noted that “the generally understood characteristics of most [industrial control systems] suggest that risk to these systems is likely low.” Many of the major ICS vendors have published advisories to warn users of the risks associated with these attack methods.

Advertisement. Scroll to continue reading.

As for lessons learned, the tech giants claim they are evaluating the situation in an effort to improve their process in the future, and many say they are open to discussions on this topic.

Related: Intel Releases Spectre Patches for More CPUs

Related: Malware Exploiting Spectre, Meltdown Flaws Emerges

Related: IBM Releases Spectre, Meltdown Patches for Power Systems

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Cody Barrow has been appointed as CEO of threat intelligence company EclecticIQ.

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...