Intel Fucks Up Jump Conditional Code Cache, New ucode

[grarpamp]

https://www.nytimes.com/2019/11/12/technology/intel-chip-fix.html

Intel caught lying about it.

Last May, when Intel released a patch for a group of security
vulnerabilities researchers had found in the company's computer
processors, Intel implied that all the problems were solved. But that
wasn't entirely true, according to Dutch researchers at Vrije
Universiteit Amsterdam who discovered the vulnerabilities and first
reported them to the tech giant in September 2018. The software patch
meant to fix the processor problem addressed only some of the issues
the researchers had found. It would be another six months before a
second patch, publicly disclosed by the company on Tuesday, would fix
all of the vulnerabilities Intel indicated were fixed in May, the
researchers said in a recent interview.

The public message from Intel was "everything is fixed," said
Cristiano Giuffrida, a professor of computer science at Vrije
Universiteit Amsterdam and one of the researchers who reported the
vulnerabilities. "And we knew that was not accurate." While many
researchers give companies time to fix problems before the researchers
disclose them publicly, the tech firms can be slow to patch the flaws
and attempt to muzzle researchers who want to inform the public about
the security issues. Researchers often agree to disclose
vulnerabilities privately to tech companies and stay quiet about them
until the company can release a patch. Typically, the researchers and
companies coordinate on a public announcement of the fix. But the
Dutch researchers say Intel has been abusing the process. Now the
Dutch researchers claim Intel is doing the same thing again. They said
the new patch issued on Tuesday still doesn't fix another flaw they
provided Intel in May. The Intel flaws, like other high-profile
vulnerabilities the computer security community has recently
discovered in computer chips, allowed an attacker to extract
passwords, encryption keys and other sensitive data from processors in
desktop computers, laptops and cloud-computing servers. Intel says the
patches "greatly reduce" the risk of attack, but don't completely fix
everything the researchers submitted.

The company's spokeswoman Leigh Rosenwald said Intel was publishing a
timeline with Tuesday's patch for the sake of transparency. "This is
not something that is normal practice of ours, but we realized this is
a complicated issue. We definitely want to be transparent about that,"
she said. "While we may not agree with some of the assertions made by
the researchers, those disagreements aside, we value our relationship
with them."