
Intel warned Chinese suppliers about Meltdown and Spectre vulnerabilities earlier than the US government

On January 3, 2018, Intel publicly announced information about the serious Meltdown and Spectre vulnerabilities, which affect, to varying degrees, practically all processors currently used in desktop computers, servers, tablets, smartphones, etc. The vulnerabilities are associated with the mechanism of speculative execution of instructions in modern processors, and this is the most serious CPU security bug found in recent years.

The press release was planned for publication on January 9, but on January 2 the information was leaked to The Register.

Of course, Intel became aware of the vulnerabilities much earlier than they were reported to the general public (in reality, a member of Google's Project Zero security team found the bugs in June 2017). Before disclosure, it was necessary to develop patches, notify equipment manufacturers and update systems in cloud data centers. Most interestingly, according to informed sources, Intel notified Chinese partners about the vulnerabilities before they were reported to US government agencies, writes The Wall Street Journal.

On the one hand, such a sequence seems reasonable from the point of view of developing patches. But some experts are concerned that because of this Intel policy, the Chinese intelligence services might have learned about the vulnerabilities earlier than the US and used them before the release of the patches.

The researchers point out that these are only speculative assumptions. In fact, no traces have been found that such attacks actually took place. But in the case of targeted attacks on specific targets, information about them may never come to the surface: either the attack goes unnoticed, or the victim chooses to keep silent about the incident. So the absence of traces at the moment does not guarantee that Chinese hackers did not use the information received.

A spokesman for the Department of Homeland Security (DHS) said its employees had learned about the vulnerabilities from the January 3 news.

The NSA representative also admitted that the agency knew nothing about the bugs and could not exploit them, although he added that he understood not everyone would believe his words.


Nevertheless, the vulnerabilities are so serious, and so many processors are exposed to them (almost all computers), that any intelligence agency in the world would have paid dearly for information about them last year. Former NSA employee Jake Williams says that Chinese government agencies “almost certainly” received information about Meltdown and Spectre in advance, because they routinely track communications between Intel and Chinese companies, including hardware manufacturers and cloud hosting providers.

The specialists' paranoia is fully justified, because in the past there has already been evidence of Chinese “state” hackers taking part in developing exploits and attacks against foreign targets using 0day software vulnerabilities. Now the situation is not much different, except that the vulnerabilities are more serious.

Intel representatives refused to provide a list of companies that had been given information about the processor 0days in advance and with whom it had worked to eliminate the consequences. Naturally, Google is among them (its employees, in fact, found the bugs). Intel says that "key" computer manufacturers are also among them. Lenovo is known to be one, because it acknowledged in a press release on January 3 that it had worked in advance to fix the bugs. Cloud hosting providers (Microsoft, Amazon and China's Alibaba Group Holding; the first two reported this fact for marketing purposes), ARM Holdings and some others were also notified in advance.

Intel stated that it could not inform everyone it wanted to, including the American intelligence services, because the information became public earlier than planned (January 2 instead of January 9), but the excuse looks weak.

Be that as it may, Intel's policy of notifying only its largest partners in advance about identified bugs puts everyone else in an awkward position. This includes unfair competition. For example, cloud providers Joyent and DigitalOcean are still working to eliminate the vulnerabilities, while the large cloud hosting companies, their competitors, had a head start of half a year. And it is not clear why Intel did not first notify the National Computer Incident Response Center (CERT).

Source: https://habr.com/ru/post/409759/