Cyber Security JISC Reuse

The United States House of Energy and Commerce Committee wants tech giants to explain why the Meltdown and Spectre security flaws were not made public. In an open letter to companies, including Microsoft and Apple, the house wants more information about why the Intel and AMD chip vulnerability was kept secret.

In the letter, the House points out Apple, Amazon, AMD, ARM, Google, Intel, and Microsoft knew about the flaw in June 2017. All agreed to embargo the information. That embargo ended on January 9, 2018.

In the House letter sent to CEOs of the companies, the committee simply asks “Why was an information embargo imposed?” It goes on to read “What company or combination of companies proposed the embargo?”

With the closure of the embargo, the world got to know about the flaw. Meltdown and Spectre affects chips at a kernel level. It leaves machines stretching back over a decade open to exploit.

Giants of the tech industry kept the flaw embargoed in an effort to create patches. Effectively, the companies were buying time to avoid public backlash. Interestingly, it was only once the vulnerability did reach the public domain that companies acted with patches. On January 2, the flaw was disclosed and companies scrambled to issue fixes.

Representatives of the companies involved will meet with the house on February 7, 2018. Pressure is being applied by the US Congress, which argues the giants involved hurt other companies not involved in the embargo. By keeping Meltdown and Spectre secret, other companies were unable to work on patches:

“It is reasonable to assume that additional companies have been negatively impacted by the embargo.”

“Some observers have raised questions about the effect of the embargo on the ability of companies not included in the original June 2017 disclosure to protect their own products and users, compared to those companies that were included.”

Meltdown and Spectre

The kernel-level flaw leaves all most Intel-powered machines open to attack, while also affecting some running AMD and ARM chips. The flaw lies in kernel operations. When a command is issued on a system, the CPU gives system control to the kernel. To maintain efficiency of performance, the kernel stays below the surface of processes even when the CPU resumes control. This is what leaves machines at risk.

There is a Kernel Page Table Isolation (PTI) workaround that has been issued by most companies. PTI places the kernel in a dedicated address space, making it unavailable to running processes. However, there are performance trade-offs, which Microsoft detailed two weeks ago.