At the RSA 2020 security conference in San Francisco yesterday, Intel presented a summary of its security efforts from last year. In 2019, Intel said it patched 236 security flaws, of which only 5% (11 bugs) were CPU-related vulnerabilities.
All the 11 bugs were side-channel attacks that exploited the hardware architecture and internal design of Intel CPUs.
“These microarchitectural side-channel vulnerabilities are often closely related, generally difficult to exploit, and to Intel’s knowledge, have not been successfully utilized outside of a controlled lab environment at the time of this report,” the company said.
Intel released microcode (CPU firmware) updates to address all reported bugs. Reported issues included the likes of Zombieload, RIDL, Fallout, SWAPGSAttack, Zombieload v2, and NetCAT.
All the bugs mentioned above and fixed by Intel in 2019 are closely related to the now-infamous Meltdown and Spectre bugs that first showed the world that Intel and other CPU vendors had been cutting corners on security in the chase for better performance and faster processors.
Intel reacted to the Meltdown and Spectre bug disclosures in 2017 by changing silicon designs to prevent future bugs and re-focusing its efforts at a corporate level towards improving security.
The CPU maker launched a bug bounty program in March 2017, two months after the Meltdown and Spectre were disclosed, and a year later, in 2018, it increased bug rewards up to $250,000 for CPU side-channel vulnerabilities.
60% of all bugs fixed in 2019 were found by Intel staff
But as part of its “Security First” pledge, Intel also focused on building an internal security team with some of the world’s top-tier security researchers, meant to find bugs before attackers, and tasked with uncovering bugs in the company’s products before they reach store shelves.
“In 2019, 144 of the 236 CVEs (61%) published were discovered internally by Intel employees,” the company said.
“We believe documenting and publicizing internally found vulnerabilities provides a critical level of transparency to our customers.”
Intel also says that of the 92 vulnerabilities reported by external researchers, 70 (76%), were reported to Intel through its official bug bounty program, which suggests the program has become a success.
“Combining Bug Bounty and internally found vulnerabilities, the data shows that 91% of the issues addressed are the direct result of Intel’s investment in product assurance,” Intel said.
Last but not least, Intel also added that none of the 236 vulnerabilities patched in 2019 were used in real-world attacks against its customers at the time of public disclosure.