“We think it’s time to simply tell the world that even now Intel hasn’t fixed the problem,” said Herbert Bos, a colleague of Mr. Giuffrida and Mr. Razavi at Vrije Universiteit Amsterdam.
The initial vulnerabilities were discovered in part by the university’s VUSec group, which includes Mr. Giuffrida, Mr. Bos and Mr. Razavi as well as four of their graduate students: Stephan van Schaik, Alyssa Milburn, Sebastian Österlund and Pietro Frigo. A second group of researchers at the University of Graz in Austria independently discovered some of the same issues and reported those to Intel in April.
All of the vulnerabilities stem from a single issue with the way Intel processors handle data.
To save time, the processors perform certain functions they anticipate they will need to perform, and store the processed data. If the function is aborted and the data isn’t needed, it remains in the system for a brief period.
The vulnerabilities would let someone extract the data while it’s being processed or while in storage. Each of the variants the researchers discovered provides another way for attackers to extract the data.
“There’s one real problem and then there are many variants,” Mr. Bos said.
When Intel released the fixes in May, it classified the problems as “low to medium severity.” The researchers said the company paid them a bounty of $120,000 for discovering and reporting the vulnerabilities — a common reward for pointing out problems but a high sum for bugs that would be considered low-to-medium severity.
When the researchers reported their first vulnerabilities to Intel in September 2018, they provided proof-of-concept exploits — malicious code showing how each vulnerability could be successfully attacked.
Intel’s security response team worked for the next eight months to verify the findings and develop a patch, scheduled to be released on May 14. Four days before the release, however, when the company provided the researchers with details of the fix, the researchers quickly realized that the patch didn’t address all of the vulnerabilities.