Intel published a security report today that claims it doubled down on investments in the security of its products in 2019, following all the revelations of side-channel speculative execution attacks that its chips have suffered over the past two years.
Following the Spectre flaws scandal, Intel promised it would put security first. Its new report shows that in 2019, the company’s own security team found 144 (61%) of the 236 Common Vulnerabilities and Exposures (CVEs) reported for its own products, with the rest uncovered by external researchers.
Of the 92 uncovered by external researchers, 70 (76%) came through Intel’s bug bounty program, showing that both of Intel’s bug discovery strategies are working quite well.
Intel said that 91% of the reported bugs in 2019 were due to its investment in product assurance. It also noted that none of the 236 vulnerabilities uncovered in 2019 were known to be used in attacks at the time of public disclosure.
According to the report, a little more than half of the public disclosures were part of the Intel Platform Update (IPU) process, through which security and functional updates are bundled by platform. The bundles can include microcode and firmware updates that are provided to Intel’s partners, such as motherboard and laptop makers.
However, many of these vendors rarely update devices that are several years old. This leaves a large portion of their customers still vulnerable to certain bugs, even if Intel itself has released the patches for them. Some software patches can be delivered to Windows users via a monthly security update.