Greg Kroah-Hartman criticizes Intel’s practices in Meltdown, Spectre vulnerability disclosure

At the North American Open Source Summit this week, Linux stable kernel maintainer Greg Kroah-Hartman criticized Intel’s practices in the Meltdown and Spectre vulnerability disclosure. He said that Jann Horn discovered the vulnerability in July 2017, but until October 25, 2017 only a small number of people in the kernel community had heard rumours of it, and they heard those rumours only because a major operating system vendor (presumably Microsoft, many of whose services now run on Linux) pressured Intel to disclose the vulnerabilities to the kernel community.

Intel did not officially announce the Meltdown and Spectre vulnerabilities until January 3 this year. Kroah-Hartman said, “Normally when we get a kernel security bug, it goes to the Linux kernel security team, we drag in the right people, we work with the distributions getting everyone on the same page and push out patches. Intel siloed SUSE, they siloed Red Hat, they siloed Canonical. They never told Oracle, and they wouldn’t let us talk to each other.”

Developers of Linux distributions usually collaborate on bug fixes, but this time each had to rely on itself, so each produced a different fix. Intel did not allow the kernel community to exchange information until the last week of December 2017, ruining the Christmas holidays for kernel developers.

He said that Intel had messed all of this up. Kroah-Hartman noted that Intel has improved on more recent vulnerability disclosures, such as Foreshadow, for which the kernel community was notified in advance, so that it could quickly develop patches through collaboration.

Via: eweek