Intel is advising OEMs and partners to halt patching for the Spectre and Meltdown vulnerabilities amid numerous reports the updates are causing reboot issues on systems running the Broadwell and Haswell microprocessors.
“We recommend that OEMs, cloud service providers, system manufacturers, software vendors, and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior,” said Navin Shenoy, EVP and GM of Intel’s data center group, in a blog post Monday.
Dell EMC is among several OEMs that have heeded Intel’s guidance and is warning customers not install fixes for the Spectre vulnerabilities. On a post to its Knowledge Base Monday Dell EMC warned its customers the firmware BIOS update for the Spectre (Variant 2) vulnerability could lead to system errors.
“We have removed the impacted BIOS updates from our support pages and are working with Intel on a new BIOS update that will include new microcode from Intel,” wrote Dell EMC as part of its patch guidance. “If you have already deployed the BIOS update, in order to avoid unpredictable system behavior, you can revert back to a previous BIOS version.”
Problems associated with Intel’s rollout of patches for Spectre and Meltdown began to surface two weeks ago. At that time, Intel issued an advisory and Shenoy said the company was “working quickly with these customers to understand, diagnose and address this reboot issue.”
Despite Intel’s apparent earnest candor, many noted technologists are blasting the company for its patching efforts. For example, Linux creator Linus Torvalds wrote in a Linux forum thread Monday that Intel’s patches were “complete and utter garbage” and questioned the company’s motives overall.
Torvalds made his remarks in a debate between himself and another commenter in the thread:
“As it is, the patches are COMPLETE AND UTTER GARBAGE,” Torvalds wrote. “They do literally insane things. They do things that do not make sense.”
Torvalds’ comments are part of a lengthy discussion with another forum member, and reflect the outspoken personality he’s been known for since developing Linux in the early 1990s.
“We take the feedback of industry partners seriously,” an Intel spokesperson said in a statement. “We are actively engaging with the Linux community, including Linus, as we seek to work together on solutions.”
Bob Noel, director of strategic relationships and marketing for Plixer said he was also concerned about Intel’s patching woes because “the current unstable code for the Spectre and Meltdown CPU patches leaves end users vulnerable with no available options other than to wait for a stable fix.”
The Meltdown and Spectre hardware vulnerability opens the door for side-channel attacks that could allow an attacker to obtain passwords, encryption keys and emails by accessing system memory. The attacks were discovered earlier this month by Google’s Project Zero, Cyberus Technology and researchers from Graz University of Technology.
“Over the weekend, we began rolling out an early version of the updated solution to industry partners for testing, and we will make a final release available once that testing has been complete,” Shenoy said.
Source: ThreatPost