Intel Confirmed the Patch Designed to Fix Two High Profile Security Vulnerabilities in Chips Is Faulty - What Happens Next?
On January 22, 2018, Intel confirmed that the patches it had released to address two high-profile security vulnerabilities in its chips are faulty, and advised customers, computer manufacturers and cloud service providers to stop installing them.
In one of my previous blog posts, I talked about the major design flaws, Meltdown and Spectre, detected in Intel chips, which seem to affect nearly every device manufactured in the past 20 years. Intel and its partners released security patches and firmware updates to protect against the two CPU bugs. However, on January 22, 2018, Intel confirmed that those patches are faulty and advised customers, computer manufacturers and cloud service providers to stop installing them. The Wall Street Journal first reported Intel asking customers to halt use of the patches.
Intel asked technology providers to start testing a new version of the patches, which it began distributing on Saturday, January 20, 2018. The warning came nearly three weeks after Intel confirmed on January 3 that its chips were affected by the bugs known as Spectre and Meltdown, which leave data on affected computers vulnerable to espionage.
Meltdown was specific to chips from Intel, as well as one from SoftBank Group’s ARM Holdings. Spectre affected nearly every modern computing device, including ones with chips from Intel, ARM and Advanced Micro Devices. Problems with the patches have been mounting since January 11, when Intel said they were causing higher reboot rates on older chips; last week it acknowledged that newer processors were affected as well.
Random Reboots and Instability Due to Faulty Patch
The chipmaker has discovered the root cause of a series of random reboots that has afflicted servers running mostly older Intel processors. The company is now testing a fix for the Spectre microcode patch that caused the problems and is asking its hardware partners to help with the testing. Over the weekend, Intel began rolling out an early version of the updated solution to industry partners for testing, and it will make a final release available once that testing has been completed, according to Intel senior vice president Navin Shenoy. In the meantime, he is recommending that customers of Intel products maintain security best practices and keep their systems up to date with the code updates. The company expects to be able to say later this week when it will be ready to release the new fix.
The list of Intel processors affected by random reboots or related problems has been expanded significantly. Alongside enterprise products such as processors intended for data centre and workstation use, Intel also revealed for the first time that there are other stability issues being fixed beyond random reboots. However, Intel has not disclosed exactly what stability problems its microcode revisions created.
Dependency on System Vendor to Make the Firmware Fix Available
In addition, Intel released information on a new update that fixes only a portion of the Spectre issue and is being made available to OEMs (Original Equipment Manufacturers) for use as a BIOS update. There is no indication yet whether any system vendor has started shipping it. So your update scenario has changed abruptly: Intel is now saying that if you haven’t already updated your systems with the currently available microcode, don’t. That code induces errors including random shutdowns, as well as other unpredictable behaviour. If you need a stability fix, one is available, provided your platform vendor decides to make it available.
Meanwhile, Intel is testing a new patch that should fix what the last patch broke, provided the company’s hardware partners pass it. Exactly when that will happen is still unclear, but Intel is expected to announce the timing sometime this week. Remember, however, that there is a further step that depends on your system vendor making the firmware fix available.
In fact, it’s not clear at all that there will necessarily be a fix for your particular hardware. For example, in our office we have a Dell PowerEdge server that we bought from the Dell store about seven years ago, and it’s unclear whether there will ever be a fix for it. So far I’ve only seen microcode fixes delivered for fairly new computers, meaning less than a year old: Dell has provided a fix for a new server I purchased recently, and Lenovo has provided a fix for a ThinkPad T470. Intel has said that it is providing fixes for processors developed within the past five years. This means it might be difficult for your IT vendor to determine when the processors in your servers and workstations were built. It’s not unusual for new computers to use processors developed a few years earlier, which may mean they won’t be fixed even though they are comparatively new.
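The practical problem in the passage above is knowing exactly which processors, and which microcode revision, are in your fleet, so they can be matched against the lists Intel and your system vendor publish. The following is an added example, not code from the original post, from Intel or from any vendor. It parses Linux /proc/cpuinfo (a constructed sample is embedded so it runs offline), derives the CPUID signature that Intel uses to identify a processor in its microcode guidance, and reads the kernel’s /sys/devices/system/cpu/vulnerabilities directory (exported since Linux 4.15) to report whether the Meltdown and Spectre mitigations are active. The sample’s family/model/stepping values describe a real processor; the microcode value 0x00000042 is a constructed placeholder, not a real revision.

```python
"""Inventory CPU identity and microcode revision on a Linux host so the
fleet can be matched against vendor fix lists.  Added example; not from
the original post.  Sample data below is constructed."""
import re
from collections import defaultdict
from pathlib import Path

# Constructed /proc/cpuinfo excerpt: two logical CPUs on one socket.
# Family 6 / model 79 / stepping 1 is a real signature (Broadwell-EP);
# the microcode value is a placeholder, not a real revision.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 79
model name\t: Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
stepping\t: 1
microcode\t: 0x00000042
physical id\t: 0

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 79
model name\t: Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
stepping\t: 1
microcode\t: 0x00000042
physical id\t: 0
"""

FIELD = re.compile(r"^([^:]+?)\s*:\s*(.*)$")


def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one {field: value} dict per logical CPU."""
    cpus = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "processor" in fields:
            cpus.append(fields)
    return cpus


def cpuid_signature(family, model, stepping):
    """Encode family/model/stepping as the CPUID(1).EAX signature Intel uses
    in its microcode guidance (e.g. family 6, model 79, stepping 1 -> 0x406F1)."""
    ext_family, base_family = (family - 0xF, 0xF) if family >= 0xF else (0, family)
    ext_model, base_model = model >> 4, model & 0xF
    return ((ext_family << 20) | (ext_model << 16) | (base_family << 8)
            | (base_model << 4) | stepping)


def summarize(text):
    """Group Intel logical CPUs by signature: model name, microcode revisions
    seen, sockets and count.  More than one microcode value under a single
    signature means the sockets were not updated uniformly."""
    summary = defaultdict(lambda: {"model_name": "", "microcode": set(),
                                   "sockets": set(), "logical_cpus": 0})
    for cpu in parse_cpuinfo(text):
        if cpu.get("vendor_id") != "GenuineIntel":
            continue
        sig = cpuid_signature(int(cpu["cpu family"]), int(cpu["model"]),
                              int(cpu["stepping"]))
        entry = summary[f"0x{sig:05X}"]
        entry["model_name"] = cpu.get("model name", "")
        entry["microcode"].add(cpu.get("microcode", "unknown"))
        entry["sockets"].add(cpu.get("physical id", "0"))
        entry["logical_cpus"] += 1
    return dict(summary)


def read_mitigation_status(vuln_dir="/sys/devices/system/cpu/vulnerabilities"):
    """Return {vulnerability: status} as reported by the kernel (Linux >= 4.15);
    an empty dict means this kernel does not export the information."""
    d = Path(vuln_dir)
    if not d.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in sorted(d.iterdir()) if p.is_file()}


def unmitigated(status):
    """Names the kernel reports as 'Vulnerable', i.e. no mitigation active."""
    return sorted(n for n, s in status.items() if s.startswith("Vulnerable"))


def main():
    path = Path("/proc/cpuinfo")
    text = path.read_text() if path.exists() else SAMPLE_CPUINFO
    for sig, info in summarize(text).items():
        print(f"{sig}: {info['model_name']}  sockets={len(info['sockets'])} "
              f"logical={info['logical_cpus']} microcode={sorted(info['microcode'])}")
    status = read_mitigation_status()
    for name, s in status.items():
        print(f"  {name}: {s}")
    if unmitigated(status):
        print("kernel reports no mitigation for:", ", ".join(unmitigated(status)))


if __name__ == "__main__":
    main()
```

Run it on each host (or feed it collected /proc/cpuinfo files) and keep the signature and microcode columns in your inventory; when the vendor publishes which microcode revisions are withdrawn and which are the reissued ones, that table is what you compare against. Note that the microcode field in /proc/cpuinfo reflects whatever the BIOS or the OS loader applied at boot, so it is the value that actually matters for the reboot problem described above.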
Intel Recommends That Organizations Follow Security Best Practices
Due to the intricacies posed by the flaws and the faulty patches, Intel is strongly recommending that you make sure your organization follows security best practices. There may be no quick fix for an exploit of either the Spectre or Meltdown vulnerabilities, so those best practices may be the only protection you have against any attacks.
Even if all of your IT hardware inventory is on the list of processors for which Intel will provide fixes, you will likely find it takes a while for those fixes to appear for your computers. Given the track record so far, it may take a while longer before you’re prepared to deploy the fix on most of your machines. And even when the fixes do appear, rushed testing may fail to reveal operational issues, as happened with the last fix. Ultimately this may mean accepting the possibility that malware will eventually be developed that can access unprotected data through a weakness in speculative execution, which is at the core of the Spectre and Meltdown vulnerabilities.
So far, no exploit has been discovered in the wild that actually makes use of this processor flaw. While it’s not clear how such an exploit might be developed, this may also be a vulnerability that proves sufficiently difficult to use that it is not practical to develop one any time soon. As a result, this is one situation in which it might be better to delay applying a patch until it is certain to be stable and not cause other problems. That might take a while to ascertain.
Expected Slowdown in Purchases of New Computers
The issue of the faulty patches is separate from weeks of customer complaints that the patches slow computer performance; Intel has said a typical home or business PC user should not experience significant slowdowns. Intel’s inability to provide a usable patch could cause enterprises to postpone purchasing new computers, predicted IDC analyst Mario Morales, as Intel still seems to be trying to get a handle on what’s actually happening. The matter remains unresolved and there is a lot of speculation about what happens in the next two weeks.