It turns out that Intel’s CPU security fixes from May didn’t address everything the company mentioned. Intel is rolling out another patch that does more to close the speculative execution flaws that could let attackers swipe passwords and other sensitive info. The New York Times reports that the fixes earlier this year only patched some of the security vulnerabilities that researches had discovered.
The New York Times interviewed key security researchers who discovered the latest round of processor vulnerabilities. Dutch researchers at Vrije Universiteit Amsterdam first reported a range of security issues to Intel back in September 2018, and Intel patched some of the problems in May. Intel issued another round of security updates earlier this week, but problems still exist.
“There are tons of vulnerabilities still left, we are sure,” says Herbert Bos, a professor at Vrije Universiteit Amsterdam, in an interview with The New York Times. “And they don’t intend to do proper security engineering until their reputation is at stake.”
These researchers have kept quiet about the issues for eight months, providing Intel vital time to develop fixes. Intel even asked the security researchers to alter a paper they were planning to present, after it was clear the chip maker needed more time and it didn’t want the flaws to become public knowledge.
As the researchers warned, the usual secrecy that governs vulnerability disclosures could hurt users here. Hackers could take advantage of security holes that people don’t realize are still open, and the flaw itself wasn’t all that secret it leaked to the point where the researchers were told about their own discovery. There may be substantial work ahead (including possible chip design changes) before Intel’s CPUs are more trustworthy.