THE Intel is being accused by a group of security experts of having released fixes for a set of flaws related to its processors, but not making it clear that, in fact, part of the vulnerabilities remained unsolved.
This unusual story began in September 2018, when analysts at the Free University of Amsterdam and other institutions reported to the company a series of security problems that, if exploited, could give an attacker access to various types of data that the user stores on the computer. .
In May 2019, Intel released a patch package that implied that all such issues had been resolved. Among them are the ZombieLoad fault. But, according to the New York Times, part of the reported failures remained without due correction.
The unsolved issues only received fixes this week. As the vulnerabilities were reported in September 2018, this means that part of them were left open for more than a year.
Researchers who discovered the flaws are known to have warned Intel that the patch package released in May was not fully effective. At the company’s request, they were silent about it so that Intel had time to develop the patches, just as they did not speak publicly during the period between September 2018 and May 2019.
But it seems to have been in vain: the corrections released this week remain incomplete. Gap exploitation can be mitigated with them, but not entirely avoided. In a note, Intel acknowledged that some flaws could still be exploited and promised to address them in future fixes and new processor versions.
Again, Intel was alerted and reportedly requested a new period of “silence” from analysts. This time, they denied the request. The reason? The impression that the company has not given due importance to vulnerabilities.
At the time when the Meltdown and Specter failures surfaced, researchers warned that similar or related problems could arise in the coming months. It was to be expected that Intel would maintain a more proactive stance on them, which would not be happening.
For Herbert Bos, a professor at the Free University of Amsterdam, “there are still tons of vulnerabilities, we’re sure.” The expert added by saying that Intel “does not intend to do adequate security engineering [sobre seus chips] until your reputation is at risk ”.
Despite this, there are no reports, at least so far, that the flaws in question were exploited in any attack.