Last May, when Intel released a patch for a group of security vulnerabilities researchers had found in the company’s computer processors, Intel implied that all the problems were solved.
But that wasn’t entirely true, according to Dutch researchers at Vrije Universiteit Amsterdam who discovered the vulnerabilities and first reported them to the tech giant in September 2018. The software patch meant to fix the processor problem addressed only some of the issues the researchers had found.
It would be another six months before a second patch, publicly disclosed by the company Tuesday, would fix all of the vulnerabilities Intel indicated were fixed in May, the researchers said in a recent interview.
The public message from Intel was “everything is fixed,” said Cristiano Giuffrida, a professor of computer science at Vrije Universiteit Amsterdam and one of the researchers who reported the vulnerabilities. “And we knew that was not accurate.”
The claims made by the researchers are indicative of the tensions between tech companies and the security experts who routinely scour their products, looking for flaws that make systems vulnerable to attacks.
While many researchers give companies time to fix problems before disclosing them publicly, the tech firms can be slow to patch the flaws and can attempt to muzzle researchers who want to inform the public about the security issues.
Researchers often agree to disclose vulnerabilities privately to tech companies and stay quiet about them until the company can release a patch. Typically, the researchers and companies coordinate on a public announcement of the fix. But the Dutch researchers say Intel has been abusing the process.
Now the Dutch researchers claim Intel is doing the same thing again. They said the new patch issued Tuesday still doesn’t fix another flaw they reported to Intel in May.
The Intel flaws, like other high-profile vulnerabilities the computer security community has recently discovered in computer chips, allowed an attacker to extract passwords, encryption keys and other sensitive data from processors in desktop computers, laptops and cloud-computing servers.
Intel acknowledged that the May patch did not fix everything the researchers submitted, nor does Tuesday’s fix. But they “greatly reduce” the risk of attack, said Leigh Rosenwald, a spokeswoman for the company.
While not directly addressing some of the complaints from the researchers, Rosenwald said Intel was publishing a timeline with Tuesday’s patch for the sake of transparency.
“This is not something that is normal practice of ours, but we realized this is a complicated issue. We definitely want to be transparent about that,” she said. “While we may not agree with some of the assertions made by the researchers, those disagreements aside, we value our relationship with them.”
The Dutch researchers had remained quiet for eight months about the problems they had discovered while Intel worked on the fix it released in May. Then when Intel realized the patch didn’t fix everything and asked them to remain quiet six more months, it also requested that the researchers alter a paper they had planned to present at a security conference to remove any mention of the unpatched vulnerabilities, they said. The researchers said they reluctantly agreed to comply because they didn’t want the flaws to become public knowledge without a fix.
“We had to redact the paper to cover for them so the world would not see how vulnerable things are,” said Kaveh Razavi, also a professor of computer science at Vrije Universiteit Amsterdam and part of the group that reported the vulnerabilities.
After they notified Intel about the unfixed flaws in advance of Tuesday’s patch release, the company asked the researchers to continue to stay silent until it could produce another patch, the researchers said. But this time they refused.
“We think it’s time to simply tell the world that even now Intel hasn’t fixed the problem,” said Herbert Bos, a colleague of Giuffrida and Razavi at Vrije Universiteit Amsterdam.
The initial vulnerabilities were discovered in part by the university’s VUSec group, which includes Giuffrida, Bos, and Razavi as well as four of their graduate students: Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, and Pietro Frigo. A second group of researchers at the University of Graz in Austria independently discovered some of the same issues and reported those to Intel in April.
All of the vulnerabilities stem from a single issue with the way Intel processors handle data.
To save time, the processors perform certain functions they anticipate they will need to perform, and store the processed data. If the function gets aborted and the data isn’t needed, it remains in the system for a brief period.
The vulnerabilities would let someone extract the data while it’s being processed or while in storage. Each of the variants the researchers discovered provides another way for attackers to extract the data.
“There’s one real problem and then there are many variants,” Bos said.
When Intel released the fixes in May, it classified the problems as “low to medium severity.” The researchers said the company paid them a bounty of $120,000 for discovering and reporting the vulnerabilities — a common reward for pointing out problems but a high sum for bugs that would be considered low to medium severity.
When the researchers reported their first vulnerabilities to Intel in September 2018, they provided proof-of-concept exploits — malicious code showing how each vulnerability could be successfully attacked.
Intel’s security response team worked for the next eight months to verify the findings and develop a patch, scheduled to be released on May 14. Four days before the release, however, when the company provided the researchers with details of the fix, the researchers quickly realized that the patch didn’t address all of the vulnerabilities.
Intel’s engineers had overlooked some of the proof-of-concept exploits the researchers had provided. But the researchers said that even without seeing the exploits, Intel should have been able to uncover the additional vulnerabilities on its own.
The researchers said Intel has chosen an ineffective way to address its chip vulnerabilities. Rather than fix the core issue, which would possibly require re-architecting the processor, it has patched each variant as it is discovered.
“There are tons of vulnerabilities still left, we are sure,” Bos said. “And they don’t intend to do proper security engineering until their reputation is at stake.”
Whenever a new class of vulnerability is discovered, it is standard practice for engineers fixing the code to search for additional instances of the problem beyond what is known and reported.
None of the attack variants the Dutch researchers gave Intel were fundamentally different from the ones Intel did patch, so Intel should have been able to extrapolate and find the others on its own, the researchers argued.
“Many of the attacks they missed were a few lines of code different from the others. Sometimes a single line of code,” Giuffrida said. “The implication of this is of course worrisome. It means until we give them all possible variations of the problem, they won’t actually fix the problem.”
The company has addressed the core problem through hardware fixes in some of its chips and will do similar fixes to other chips, Intel’s Rosenwald said.
Despite the gag on the researchers, discussion about the vulnerabilities began to leak. The information was passed around so loosely that eventually it came back to the researchers.
“More and more people knew about this vulnerability to the point that it actually circled back to us,” Bos said. “So they provide an illusion that they have this whole disclosure process under control. But it’s not controlled at all; it’s leaking.”
All of this meant that while the researchers kept mum, others who wanted to exploit the vulnerabilities could potentially have learned about them.
“Anybody can weaponize this. And it’s worse if you don’t actually go public, because there will be people who can use this against users who are not actually protected,” Razavi said.