Compared to the MDS flaws Intel addressed in those two previous patches, these latest ones have a couple of limitations. To start, one of the vulnerabilities, L1DES, doesn’t work on Intel’s more recent chips. Moreover, a hacker can’t execute the attack using a web browser. Intel also says it’s “not aware” of anyone taking advantage of the flaws outside of the lab.

However, like when the company issued its second MDS patch in November, security researchers are criticizing Intel for its piecemeal approach. “We spent months trying to convince Intel that leaks from L1D evictions were possible and needed to be addressed,” the international team of computer scientists that discovered the flaw wrote on their website. In an addendum to their original paper, there’s a sense of exasperation with the company. “We reiterate that RIDL-class vulnerabilities are non-trivial to fix or mitigate, and current ‘spot’ mitigation strategies for resolving these issues are questionable,” the researchers write. “Moreover, we question the effectiveness of yearlong disclosure processes and also raise concerns on their disruptive impact on the academic process.”

Intel downplayed the criticism, saying that it has taken significant steps to reduce the danger the flaws represent to its processors. “Since May 2019, starting with Microarchitectural Data Sampling (MDS), and then in November with TAA, we and our system software partners have released mitigations that have cumulatively and substantially reduced the overall attack surface for these types of issues,” a spokesperson for the company said. “We continue to conduct research in this area – internally, and in conjunction with the external research community.”

The Vrije Universiteit Amsterdam researchers who alerted Intel to the problems have told the New York Times that Intel apparently ignored key proof-of-concept exploits when developing the May update, and should have found the relevant flaws even without those ready-made examples. The team refused to stay quiet with the November patch knowing that there were still issues. There are also criticisms of Intel’s overall approach — instead of tackling the underlying problem, it’s allegedly focused more on patching variants of that problem as they pop up.

The initial problem affected many processors released since 2011 and applied regardless of your operating system. Software-level patches have mitigated some of the security problems on top of Intel’s microcode solutions.

We’ve asked Intel for comment. This isn’t a great look for the chip giant, whatever its response. As the researchers warned, the usual secrecy that governs vulnerability disclosures could hurt users here. Hackers could take advantage of security holes that people don’t realize are still open, and the flaw itself wasn’t all that secret — it leaked to the point where the researchers were told about their own discovery. There may be substantial work ahead (including possible chip design changes) before Intel’s CPUs are more trustworthy.