Intel, Arm, Microsoft, Amazon and Google are among the major tech firms challenged by US lawmakers over the secrecy surrounding the Spectre and Meltdown CPU flaws.
CEOs of tech firms that kept quiet about the Meltdown and Spectre flaws for half a year are being asked to justify not revealing details of the vulnerabilities more widely.
In a letter, the leaders of the House of Representatives Committee on Energy and Commerce say a number of firms were "caught off guard" when the flaws came to light on January 3rd this year.
These companies have complained of not having enough time to assess the risk of the vulnerabilities and prepare measures to protect themselves, the representatives write.
"While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures," they write.
The letter references complaints by US cloud firm DigitalOcean, which said it didn't have enough time to fully understand the possible impact of any Spectre and Meltdown-related attacks.
The politicians also highlight the raft of problems caused by Meltdown and Spectre patches that were rushed out the door, such as the widespread incompatibility of the Windows updates with third-party anti-virus software.
While the US representatives accept the flaws needed to be kept under wraps while tech firms prepared patches against possible attacks, the letter asks whether the negative impact of restricting knowledge of the flaws to a limited number of companies had been fully considered.
The letter asks why an embargo was imposed after the flaws came to light in June last year, and who proposed it, as well as when the cybersecurity hub CERT/CC was told about the vulnerabilities.
In response to the letter an Intel spokesperson said: "We appreciate the questions from the Energy and Commerce Committee and welcome the opportunity to continue our dialogue with Congress on these important issues. In addition to our recent meetings with legislative staff members, we have been discussing with the committee an in-person briefing, and we look forward to that meeting."
The concerns over the downsides of keeping the flaws hidden were shared by developers of the Linux kernel, who have said the approach didn't follow the usual technology industry procedures for disclosing flaws.
Microsoft software engineer Jessie Frazelle described the embargo as an "absolute sh*tshow" and said the approach should not be repeated, while the team behind the FreeBSD operating system complained of not having enough time to prepare the necessary patches.
Nick Heath is chief reporter for TechRepublic. He writes about the technology that IT decision makers need to know about, and the latest happenings in the European tech scene.