Intel shared interesting statistics at a recent RSA 2020 conference in the USA. It turns out that only 5% of the vulnerabilities (11 of 236) fixed by the company’s engineers last year were related to processors.
All these 11 vulnerabilities were side-channel problems, that is, they allowed attacks on third-party channels, for the operation of which the architecture and structure of Intel processors were used. So, in particular, we are talking about such “heirs” of the Meltdown and Specter vulnerabilities as Spoiler, RIDL, Fallout and ZombieLoad, ZombieLoad 2, NetCAT, TPM-FAIL, Plundervolt.
The company’s researchers emphasize that vulnerabilities of this kind are extremely difficult to exploit, and examples of their exploitation in practice, outside of test laboratories, have not yet been recorded. In addition, Intel has released microcode updates to address all of these errors.
It should also be said that shortly after discovering the problems of Meltdown and Specter, Intel launched its own bug bounty program, in which researchers are asked to look for side-channel problems in the company’s products, and the reward is up to $ 250,000.
And Intel’s reward for vulnerabilities wasn’t limited to just one. An internal security team was also created, which included the world’s leading information security researchers. The goal of this group is to find vulnerabilities in Intel products faster than attackers, and preferably before the products reach store shelves.
Apparently, the creation of this group paid off, since, according to a recent report by the company, in 2019, 144 of 236 discovered vulnerabilities (61%) were discovered by Intel employees themselves.
It is also reported that of the 92 vulnerabilities that the company was notified by third-party researchers, 70 (76%) were brought to the attention of Intel through the official vulnerability search program. That is, bug bounty also fully justifies itself.
Intel emphasizes that none of the 236 vulnerabilities fixed in 2019 were used in real attacks (at the time of publication of the problem data).