Intel, AMD, ARM, Apple, Amazon, Google and Microsoft have responded to lawmakers who raised questions last month about the disclosure of the CPU vulnerabilities known as Meltdown and Spectre.
The U.S. House Energy and Commerce Committee announced on January 24 that it had sent letters to the companies hit by the Meltdown/Spectre incident, inquiring about their disclosure process. The tech giants were instructed to respond by February 7 and their responses have now been made public.
The Meltdown and Spectre vulnerabilities, which allow malicious applications to access potentially sensitive data from memory, were discovered independently by researchers at Google and various universities and private companies. Affected vendors were first notified in June 2017 and the disclosure of the flaws was initially planned for January 9, but it was moved to January 3 after some experts figured out that operating system developers had been preparing patches for what appeared to be critical processor flaws.
The U.S. House Energy and Commerce Committee asked impacted vendors about why and who proposed an embargo, when were US-CERT and CERT/CC notified, the impact of the embargo on critical infrastructure and other technology firms, the resources and best practices used in implementing the embargo, and lessons learned regarding multi-party coordinated disclosure.
Overall, the companies said Google Project Zero, whose researchers discovered the vulnerabilities, set the embargo after consultations with affected firms. Project Zero typically gives vendors 90 days to release patches, but the deadline was significantly extended due to the “complex nature of the vulnerability and mitigations.”
None of the companies notified US-CERT and CERT/CC of Meltdown and Spectre prior to their public disclosure. The agencies learned about the flaws through the public disclosure on January 3, and US-CERT was contacted by Intel on that day and again two days later.
The companies told lawmakers that the embargo and the disclosure process were consistent with industry standard practices designed to protect the public against attacks exploiting unpatched vulnerabilities.
In response to questions regarding impact on critical infrastructure, Intel noted that “the generally understood characteristics of most [industrial control systems] suggest that risk to these systems is likely low.” Many of the major ICS vendors have published advisories to warn users of the risks associated with these attack methods.
As for lessons learned, the tech giants claim they are evaluating the situation in an effort to improve their process in the future, and many say they are open to discussions on this topic.