US lawmakers question handling of Meltdown, Spectre flaws

The tech industry's attempts to fix the Meltdown and Spectre vulnerabilities have been far from perfect. So it's perhaps no surprise a US congressional committee is getting involved.

On Wednesday, leaders of the House Energy and Commerce Committee sent letters to the CEOs of several major tech companies including Intel, Apple and Microsoft about their response to the chips flaws, which affect PCs, smartphones and servers.

In particular, the letters raise questions over the companies' decision to keep details of the Meltdown and Spectre vulnerabilities secret from the rest of the tech industry until January 3 when the information finally became public.

Companies not privy to the details may have been "caught off-guard" by the sudden announcement, the letters from the US lawmakers said.

In addition, some of the released patches have been "creating new problems, such as freezing patched computers or interfering with anti-virus products," the letters added.

The three major chip vendors Intel, AMD and ARM first learned about the vulnerabilities last June from a Google researcher. To prevent hackers from exploiting the flaws, the companies kept the information secret while they and other leading tech vendors worked on a patch.

But despite the seven-month embargo, not all the fixes have gone smoothly. Earlier this week, Intel told customers to hold off from installing an earlier patch because it was buggy and prone to causing reboots. Some of the fixes can also significantly degrade a machine's performance, particularly systems running older Intel chips, according to Microsoft.

The Wednesday letters from the US lawmakers are asking how the tech companies came about imposing the embargo, and whether they considered any "negative impacts" it might have on other IT companies and critical infrastructure sectors such as healthcare and energy. The letters ask that the tech companies respond by Feb. 7.

In an email, Intel told PCMag that its already discussing holding an in-person meeting with the US lawmakers over its response to the vulnerabilities.

"We appreciate the questions from the Energy and Commerce Committee and welcome the opportunity to continue our dialogue with Congress on these important issues," the company said.

Google said: "After working with security teams across the industry for months, we released our findings according to established prinicples of vulnerability disclosure, and deployed mitigations to help secure people's information on Google and other platforms."

This article originally appeared on PCMag.com.