Meltdown and Spectre continue to haunt Intel and the trouble could get far worse for the company, after the most recent development. According to a recent report from Reuters, Intel failed to report the Spectre and Meltdown flaws to US cyber security officials before the news went public. The report cites letters sent by major tech companies to Greg Walden, US Representative for Oregon who chairs the House Energy and Commerce Committee.
The report states that:
“Intel did not tell the United States Computer Emergency Readiness Team, better known as US-CERT, about Meltdown and Spectre until Jan. 3, after reports on them in online technology site The Register had begun to circulate.”
In its letter, Alphabet Inc. said that the security researchers at Google Project Zero alerted, Intel, AMD, and ARM Holdings of the flaws back in June last year. Google gave the chipmakers 90 days to fix the issues before disclosing them publicly, as is standard practice in the cyber security industry. The company also mentioned that it left the decision of whether to inform government officials on the chipmakers, which is also standard practice.
Intel, on the other hand, wrote that it did not inform the government officials as there was “no indications that any of these vulnerabilities had been exploited by malicious actors”. The chipmaker also said that it did not perform an analysis of whether the flaws affected critical infrastructure because it didn’t think that industrial control systems would be affected.
AMD, ARM, Microsoft and Amazon also responded to queries from lawmakers regarding the issue. In its statement, Microsoft revealed that it had informed a number of antivirus software developers about the flaws “several weeks” before they were publicly disclosed in order to give them enough time to avoid compatibility issues. AMD mentioned that Alphabet extended its disclosure deadline twice, first to Jan. 3 and then to Jan. 9. As of now, US-CERT hasn’t released an official statement on the matter.