Intel’s forthcoming release of patches to fix Spectre-style flaws in its processors has apparently been delayed by two more weeks to late May, with a new report suggesting that Intel wants to push the release back even further into July while it works to finalize the required updates.
The new batch of flaws, unofficially named “Spectre NG”, was expected to be fixed by patches beginning on May 7th, around the same time that the vulnerabilities were disclosed to the public. Intel is now said to be planning a co-ordinated release on May 21st, two weeks later than planned.
The report also claims that Intel has requested another extension to the delay, with some of the patches being released on July 10th.
This comes off as unusual in that security researchers usually inform manufacturers of a flaw once it is confirmed, giving the company a period of time to find a solution before publishing their findings, typically 90 days later. Even though delays can be requested, they’re not always accepted by the research teams, who may prefer to keep to their original publishing schedules if they feel enough time has already passed for a fix to be created and distributed.
It was reported last week that eight new security flaws were found in Intel’s CPUs, all caused by the same design-related issue, and with each requiring its own patches. Two waves of patches were scheduled, starting with one batch released in May followed by a second wave covering the more severe vulnerabilities in August.
Intel has classified four of the vulnerabilities as “high risk” while the other four have been classified “medium risk.” While seven are thought to be similar vulnerabilities to those found in Spectre, the eighth is considered an exception due to being able to exploit a virtual machine to attack a host system, making it potentially damaging to cloud-based services.
The vulnerabilities are said to affect all Core i processors and Xeon derivative processors manufactured since 2010. The vulnerabilities also affect all Atom, Pentium, and Celeron processors produced since 2013. As Intel chips are used in the Mac product ranges, it is highly likely Apple is affected by the flaws, and either has already issued or is actively working on patches for macOS.
Intel confirmed the existence of the vulnerabilities last week and stated that it routinely works with other parties to “understand and mitigate any issues that are identified,” that it strongly believes in the “value of co-ordinated disclosure,” and reminds users to keep their systems up to date.
The vulnerabilities known as “Meltdown” and “Spectre” are based around chip flaws in Intel and ARM-based processors that allowed the creation of a number of exploits in systems using the components. All Mac and iOS devices were found to be affected by the issue, but Apple advised at the time it had already released mitigations for current operating system versions, and was working to develop other fixes.
Intel has received criticism for failing to notify U.S. cybersecurity officials of the flaws until after the public became aware of their existence.
Via AppleInsider and Heise.de