CHIPMAKER Intel warned Chinese firms about the Meltdown and Spectre processor vulnerabilities before informing the US government, according to the Wall Street Journal.
The report, which cites unnamed people familiar with the matter, claims that select Intel customers, including China's Alibaba and Lenovo, were made aware of the design flaws before the US government was notified.
This has fuelled concerns that the Chinese government may have known about the vulnerabilities before Intel disclosed them to the American government and the public, and could have theoretically exploited the holes to intercept data before patches were available.
An Alibaba spokesperson told the WSJ that the notion the company may have shared threat intelligence with the Chinese government was "speculative and baseless", but this doesn't rule out officials intercepting details without Alibaba's knowledge.
Lenovo said Intel's information was protected by a non-disclosure agreement.
The WSJ hasn't said when Intel disclosed details to Alibaba and Lenovo, among others, but reports last week claimed that the chipmaker told some OEMs about the Meltdown and Spectre CPU flaws on 29 November.
Worryingly, this is the same day on which the firm's CEO, Brian Krzanich, flogged half of his shares in his company, making almost $11m in the process.
In the secret memo sent to OEMs in November last year, Intel said that the flaws would be publicly disclosed in a security advisory on 9 January, failing to predict that The Register would beat the company to it, disclosing the flaws on 2 January.
In a statement given to the Journal, an Intel spokesperson said that the company wasn't able to tell everyone it had planned to because the news was made public earlier than expected.
However, as ZDNet's Zack Whittaker points out on Twitter, Intel was only going to notify the US government a week before its public disclosure on 9 January.
"This is grade A crap. Several people told me Meltdown/Spectre's planned disclosure was set for Jan. 9 but was revealed on Jan. 3 after a PoC came out. Based on WSJ, Intel was going to tell the US gov. only a week before disclosure?! It knew since June! https://t.co/DLusu37zoL" — Zack Whittaker (@zackwhittaker), January 28, 2018
Intel said in a statement: "The Google Project Zero team and impacted vendors, including Intel, followed best practices of responsible and coordinated disclosure.
"Standard and well-established practice on initial disclosure is to work with industry participants to develop solutions and deploy fixes ahead of publication. In this case, news of the exploit was reported ahead of the industry coalition's intended public disclosure date at which point Intel immediately engaged the US government and others."
An official at the US Department of Homeland Security, which runs US CERT, said it only learned of the processor vulnerabilities from early news reports.
"We certainly would have liked to have been notified of this," they said.