Intel’s Spectre and Meltdown advice just changed over reboot issues


Reefa



 

If you were about to install Intel’s fix for Spectre and Meltdown, don’t be so fast: the chip company is advising those with certain processors to avoid the security patches currently available. Intel began pushing out fixes along with the help of its system partners earlier this month, as it tried to deal with the twin security issues identified by Google Project Zero and others. However, that process hasn’t been entirely smooth-running.

 

Initially, plenty of attention was paid to just what sort of performance hit users could expect as a result of the patches. Early fears of a significant slowdown seemed to be unfounded, though independent testing of both consumer and server processors from Intel’s line-up did show some impact after the updates were installed. Others, though, ran into a more pressing problem.

 

Users of computers based on Intel Haswell or Broadwell processors reported a greater than typical number of unexpected restarts. It’s been impacting both consumer and server systems, the chip-maker confirmed back on January 11, though at that point the advice was to continue applying whatever software updates were being released. Now, though, that guidance has changed.

 

“We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior,” Intel said today. The company began testing a new version of the fix over the weekend, but it seems it’s not ready for public primetime quite yet. Instead, “we also ask that our industry partners focus efforts on testing early versions of the updated solution for Broadwell and Haswell we started rolling out this weekend, so we can accelerate its release,” the company said.

 

Since leaving systems unpatched could mean they’re more vulnerable to a Spectre or Meltdown hack, though, Intel also has an interim plan in the works. It’s also working on a previous version of its patch which doesn’t, apparently, lead to the reboot problem in Haswell and Broadwell systems. However, that was only possible by moving the so-called Variant 2 Spectre mitigations from the patch, leaving it protecting only against Variant 1 Spectre and Variant 3 Meltdown. That will be delivered by a BIOS update.

 

Clearly, it’s not been a great month for Intel. Though Spectre and Meltdown don’t affect the processor manufacturer uniquely, it seems to be having some of the most high-profile issues getting systems both patched and stably-so in the aftermath of the security flaws’ announcement.

 

“I apologize for any disruption this change in guidance may cause,” Navin Shenoy, executive VP at Intel and general manager of the company’s Data Center Group, said today of the updated advice. “The security of our products is critical for Intel, our customers and partners, and for me, personally. I assure you we are working around the clock to ensure we are addressing these issues.”

 

As for when the modified BIOS patch will be released, that will depend on the OEM responsible for manufacturing your computer or server.

 

MORE Intel Microcode revision list [pdf link]

 

source




Nothing good is coming out of any of the patches.  Here we have a flaw that has existed for 23 years and has not been utilized by hackers and now all of a sudden everyone should be worried about it because they were able to obtain data off computers in a lab environment.  With all the security software available and security that can be set on switches and routers there is practically no chance (there is always a chance, it is just ridiculously small) that this will be used.  Even in home networks you can restrict access based on MAC addresses, etc.  If Intel wanted to do the right thing they would replace all our CPUs with new ones that had the code fix without any hit in performance.   Of particular concern should be those people with low end processors like the i3, i5, and other inexpensive pentium tagged processors typically found in the $300-500 laptops in discount stores.  Personally, I am not going to apply any patches to the bios/cpu.  I am confident that these flaws will never be taken advantage of on a large scale because it isn't as easy as they  make it out to be in their lab tests.

 

You can mitigate your vulnerability with a couple registry settings.  Thanks to an old PC Guru at Gibson Research there is a program available that will check your system, including the registry, and if the settings aren't there it has a couple buttons to set it for you.  Check it out on his page at

https://www.grc.com/inspectre.htm

 



The warning, which encompasses just about every Intel processor out there, from all PC manufacturers, takes effect immediately. And there’s no indication when it will get fixed.

Intel says you should NOT install its Meltdown firmware fixes

You know how you’re supposed to flash the BIOS or update the UEFI on all of your Intel machines, to guard against Meltdown/Spectre? Well, belay that order, private! Intel just announced that you need to hold off on all of its new patches. No, you can’t uninstall them. To use the technical term, if you ran out and applied your Intel PC’s latest firmware patch, you’re hosed.

 

In what appears to be a catastrophic curtain call to the "oops" moment that I discussed 10 days ago, it now seems that the bright, new firmware versions — which Intel has had six months to patch — have a nasty habit of causing “higher system reboots.”

 

According to Executive Vice President Navin Shenoy, on the Intel Newsroom site, the current advice is:

We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior.

And that covers just about everybody in the sentient non-ARM universe.

While the affected products site doesn’t list individual chips, the breadth of the recall is breathtaking — second-, third-, fourth-, fifth-, sixth-, seventh- and eighth-generation Core processors, Xeon, Atom, and lesser Core i3, i5 and i7 processors — they’re all in the bin.

Meltdown/Spectre firmware updates from HP, Lenovo and Dell are worthless

By implication, that means the Meltdown/Spectre firmware updates you’ve installed from Lenovo or HP or Dell are officially trash. They’ll make your system unstable.

 

No official word from Microsoft, but it seems highly likely that the Surface firmware updates from Jan. 10 (“Surface - Firmware - 108.1926.769.0” and “233.1903.770.0,” among many others) are similarly afflicted. If you have Automatic Update turned on, you probably already have the buggy firmware, since Surface firmware patches get distributed through Windows Update.

 

If it makes you feel any better, yesterday Linus Torvalds launched another one of his trademarked broadsides, saying that from a Linux perspective, the Intel patches:

do literally insane things. ... I really don’t want to see these garbage patches just mindlessly sent out. … I think we need something better than this garbage.

What can you do about it? Not much. Except to realize that not one single Meltdown- or Spectre-based piece of malware is in circulation.

 

Moral of the story: It pays to hold off on firmware patches, too.

 

Intel support group meeting currently in session on the AskWoody Lounge.

 

Source: Belay that order: Intel says you should NOT install its Meltdown firmware fixes (Computerworld - Woody Leonhard)



Thanks for that, I'd already upgraded my BIOS but now, checking the Dell site, I see that version has been pulled and it's back to the previous version.

Fortunately the BIOS is backwards flashable, so that's what I've done; will check Intel software versions later when I have more time.

 

Total foul-up by all firms concerned; it should have been fixed before the information hit the media fan, causing alarm and under-tested patches.



I am going to take my chances with both Spectre and Meltdown. I have an older socket 1150 board from Asus (Z97-E/USB 3.1), and not seen an update for the bios, anyway. A side note-much further down the line, I may get an AMD chip next time because they don't change sockets as quickly as Intel. I can't upgrade unless I go from my i5 4690k to i7 4790k-not worth spending 350 bucks. Or-buy another MB. Annoying that my 2015 Haswell chip is considered old now, even though it still runs great overclocked.



10 hours ago, Karlston said:

If it makes you feel any better, yesterday Linus Torvalds launched another one of his trademarked broadsides, saying that from a Linux perspective, the Intel patches:

do literally insane things. ... I really don’t want to see these garbage patches just mindlessly sent out. … I think we need something better than this garbage.

 

I think the above requires another news topic for it. The developer of the most famous open source software in the world is known to use rude language, but he is always on point and holds value for a lot of people, I think.



2 hours ago, shorty6100 said:

I am going to take my chances with both Spectre and Meltdown. I have an older socket 1150 board from Asus (Z97-E/USB 3.1), and not seen an update for the bios, anyway. A side note-much further down the line, I may get an AMD chip next time because they don't change sockets as quickly as Intel. I can't upgrade unless I go from my i5 4690k to i7 4790k-not worth spending 350 bucks. Or-buy another MB. Annoying that my 2015 Haswell chip is considered old now, even though it still runs great overclocked.

 

You can mitigate your vulnerability without updating your microcode or bios with a couple registry settings that help protect your system.  Thanks to an old PC Guru at Gibson Research you can download a program that checks your system and if the settings aren't in the registry it will fix it for you with just a couple clicks.  Check it out at the link below.

https://www.grc.com/inspectre.htm

 



18 hours ago, straycat19 said:

Nothing good is coming out of any of the patches.  Here we have a flaw that has existed for 23 years and has not been utilized by hackers and now all of a sudden everyone should be worried about it because they were able to obtain data off computers in a lab environment.  With all the security software available and security that can be set on switches and routers there is practically no chance (there is always a chance, it is just ridiculously small) that this will be used.  Even in home networks you can restrict access based on MAC addresses, etc.  If Intel wanted to do the right thing they would replace all our CPUs with new ones that had the code fix without any hit in performance.   Of particular concern should be those people with low end processors like the i3, i5, and other inexpensive pentium tagged processors typically found in the $300-500 laptops in discount stores.  Personally, I am not going to apply any patches to the bios/cpu.  I am confident that these flaws will never be taken advantage of on a large scale because it isn't as easy as they  make it out to be in their lab tests.

 

You can mitigate your vulnerability with a couple registry settings.  Thanks to an old PC Guru at Gibson Research there is a program available that will check your system, including the registry, and if the settings aren't there it has a couple buttons to set it for you.  Check it out on his page at


https://www.grc.com/inspectre.htm

 

 

My view is different. From what I know, a JS-based script can steal information from a software's memory, supposedly the browser's own memory, that too, because an Intel processor does speculation-based instructions which are done in a completely insecure manner. This, I think, can be exploited on a large scale. Having said that, I do agree that everything being updated, from browser to AV and such things, might stop this exploit though.



27 minutes ago, DKT27 said:

 

My view is different. From what I know, a JS-based script can steal information from a software's memory, supposedly the browser's own memory, that too, because an Intel processor does speculation-based instructions which are done in a completely insecure manner. This, I think, can be exploited on a large scale. Having said that, I do agree that everything being updated, from browser to AV and such things, might stop this exploit though.

 

You are correct, this isn't the solution to the problem, just helps mitigate access to the data in memory.  I still have a difficult time believing that anyone is going to waste time trying to grab data from memory when they would have to go through gigabytes and not find anything worthwhile.  Especially with normal users.  If they targeted a government entity or something similar then they might be able to get something, but normal users who use safeguards provided aren't threatened.  For example, any charge to my credit card is sent immediately to my phone for approval/disapproval, I don't bank online, and I use two factor authentication for other important/sensitive logins.  So even if they had some of the information, they wouldn't have enough to actually affect me.



An update from Woody...

 

UPDATE: In response to an anonymous post here, I re-read the Intel announcement, and it isn’t clear (to me) if the halt has been called just for Broadwell and Haswell chips, or for all of Intel’s product line. Here’s what the official announcement says:

Updated Jan. 22

We have now identified the root cause of the reboot issue impacting Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Based on this, we are updating our guidance for customers and partners:

  • We recommend that OEMs, Cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions on the below platforms, as they may introduce higher than expected reboots and other unpredictable system behavior.
  • We also ask that our industry partners focus efforts on testing early versions of the updated solution for Broadwell and Haswell we started rolling out this weekend, so we can accelerate its release. We expect to share more details on timing later this week.
  • For those concerned about system stability while we finalize the updated solutions, we are also working with our OEM partners on the option to utilize a previous version of microcode that does not display these issues, but removes the Variant 2 (Spectre) mitigations. This would be delivered via a BIOS update, and would not impact mitigations for Variant 1 (Spectre) and Variant 3 (Meltdown).

We believe it is important for OEMs and our customers to follow this guidance for all of the specified platforms listed below, as they may demonstrate higher than expected  reboots and unpredictable system behavior.  The progress we have made in identifying a root cause for Haswell and Broadwell will help us address issues on other platforms. Please be assured we are working quickly to address these issues.

Then there’s a link to this list of Intel products, which includes Coffee Lake, Kaby Lake, Skylake, Broadwell, Haswell, Ivy Bridge and Sandy Bridge processors.

Clear as mud.

The spontaneous rebooting problem extends beyond Haswell and Broadwell. As Intel said on Jan. 17:

we have determined that similar behavior occurs on other products in some configurations, including Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms.

So it isn’t clear if the “Belay that order” order applies just to Haswell and Broadwell, or to Haswell, Broadwell, Ivy Bridge, Sandy Bridge, Skylake and Kaby Lake as well.

 

Source: Intel says STOP installing firmware updates (AskWoody.com)



23 minutes ago, straycat19 said:

 

You are correct, this isn't the solution to the problem, just helps mitigate access to the data in memory.  I still have a difficult time believing that anyone is going to waste time trying to grab data from memory when they would have to go through gigabytes and not find anything worthwhile.  Especially with normal users.  If they targeted a government entity or something similar then they might be able to get something, but normal users who use safeguards provided aren't threatened.  For example, any charge to my credit card is sent immediately to my phone for approval/disapproval, I don't bank online, and I use two factor authentication for other important/sensitive logins.  So even if they had some of the information, they wouldn't have enough to actually affect me.

 

I disagree just a little again. Most software uses less than a GB of RAM. But I agree, normal users might not worry much. But what about sites specifically hacked to exploit this vulnerability? Lots of users being hackable increases their chances of finding something worthy. We are not only talking about passwords but also everything else a piece of software holds in RAM. For 2FA, not every site has it though.

 

What I'm trying to say here is that my personal view is that, while I agree it's not likely to be exploited everywhere, if it is exploited then it can be a big issue, I think.



wow, this is some good stuff...this forum rocks...I'm a lot confused about this topic, but love to read what you guys say! I learn this way!



I'm using an Intel Core iSeven fortysevenseventyK Haswell processor and there are no new BIOS or UEFI updates for my motherboard on MSI's website, and if there are any somewhere else I'll just stick with Steve Gibson's fix and stand by for them to fix the microcode BIOS/UEFI firmware updates.



The 'old hands' have seen it all before...

 

1. A security researcher discovers a new vulnerability and publishes their findings.

2. The media pick up on it and a the-sky-is-falling article tsunami floods the internet.

3. The tech companies knee-jerkingly respond and release poorly tested patches which fail to mitigate the vulnerability and/or create more device problems than the original threat could ever have done. Commonly there are NO active exploits at this time.

4. Those who swallow the updates-must-be-applied-within-nanoseconds-of-release-or-the-universe-will-implode nonsense patch their systems immediately and suffer the consequences.

5. Eventually, proven working and safe patches are released,  and the sensible users apply them.

 

Let's hope the dolts at Microsoft and Intel applied the flaky patches immediately to their servers/workstations/etc and are now re-thinking their methodology. The former is probably true, but the latter sadly, won't happen. Some companies will hold on to their flawed methodologies with death-grips...



InSpectre protection buttons are both grayed out. I can try my MB website to see if a bios update is available. Good to see GRC on top of all of this.




One important thing made these vulnerabilities famous: their impact on CPU performance. Not many would have been that concerned if that were not so.



Let the BIOS/UEFI firmware recall begin!

If you own a PC from Dell, HP or Lenovo, chances are very good that the BIOS or UEFI firmware update you installed earlier this month is bad. Here’s how to dig yourself out of the Meltdown/Spectre mess.


With Intel announcing a massive “Oops! Belay that order!” mea culpa earlier this week for its Meltdown/Spectre-related firmware updates, it didn’t take long for hardware manufacturers to announce their own recalls – and set in motion an enormously complex series of stopgap and half-gap measures.

 

Bottom line: If you flashed your BIOS or UEFI this month, you’ll almost undoubtedly have to flash it again just to get rid of the buggy code. Then you’ll have to upgrade the firmware once again, at a later time. But nobody knows yet just when or how.

 

Intel has posted its list of buggy microcode families. While the initial warning went up for Broadwell and Haswell processors, this new list brings even more muck. Specifically, Intel warns that microcode patches for all of these processors are bad:

  • Haswell (4th generation), Haswell Perf and Haswell ULT;
  • Broadwell H (5th generation), Broadwell U/Y;
  • Skylake H/S (6th generation), Skylake U/Y/U23e, Skylake X;
  • Kaby Lake H/S/X/G (7th generation), Kaby Lake U/Y, U23e, Kaby Lake Refresh U4+2 (8th generation);
  • Coffee Lake S + KBL PCH (8th generation).

That covers a very large percentage of Intel-based Windows PCs shipped in the past five years. (If you have an older PC, be aware – they never "fixed" it anyway.)

Most people don’t download firmware updates from Intel. Instead, the system manufacturer – most likely Lenovo, Dell, or HP – integrates the microcode into their own BIOS/UEFI upgrades, then pushes those out to retail machines.

 

For most of us, that’s where the goo hits the road.

 

Yesterday, HP Customer Support released a (very!) lengthy list of all of its machines that are affected by the Intel announcement:

In response to Intel’s recommendation, HP is taking the following actions:

  • HP is removing HP BIOS softpaqs with Intel microcode patches from hp.com.
  • HP will be reissuing HP BIOS softpaqs with previous Intel microcode starting January 25, 2018.
  • Once Intel reissues microcode updates, HP will issue revised Softpaqs.

HP is working closely with our partners, and updates will be made as soon as possible.

Which is a polite way of saying that, if you got suckered into installing an earlier firmware patch from HP, you’ll need to install the new patch (which will take you back to the older firmware) sometime after tomorrow. Then, you’ll get a new-new patch, uh, sometime. Maybe the new-new one will work.

Dell has a consumer-oriented description of its recall here and an Enterprise description here. On the consumer side, the recall says:

Dell is advising that all customers should not deploy the BIOS update for the Spectre (Variant 2) vulnerability at this time. We are removing the impacted BIOS updates from the web and suspending further BIOS updates for affected platforms.

If you have already applied the BIOS update, please wait for further information and an updated BIOS release, no other action is recommended at this point. Please continue to check back for updates.

Unlike HP, it appears as if Dell isn’t going to fix its error by re-issuing older firmware. If you’re running a Dell machine, and got suckered into installing new BIOS/UEFI software, you can just wait and see.

 

Lenovo has an equally impressive, massive list of affected machines. The warning now says:

Intel has changed their guidance for customers who have already deployed these microcode updates: If you are not experiencing system stability difficulties, you may decide to remain on the BIOS/UEFI level you have installed currently. For others, Lenovo is currently working with Intel to make available BIOS/UEFI updates to revert to an earlier, known stable microcode level.

Which is slightly different advice from that proposed by Dell and HP.

 

Almost all Lenovo machines in the list bear the imprimatur “Update withdrawn by Intel; Target TBD” but about 30 ThinkPads, mysteriously, say “Target availability 2/9/2018.” Assuming that’s Feb. 9, instead of Sept. 2, 2018, is it possible that Lenovo knows something we don’t?

 

For what it’s worth, I haven’t heard a peep out of Microsoft. One has to wonder what will become of the Surface Jan. 10 firmware updates.

 

My advice is the same as it’s always been: Sit tight. There are no known Meltdown/Spectre exploits in the wild as yet, and when they do appear, they probably won’t be directed at your poor PC. Let’s let the Titans (and Titanesses) duke it out and see what emerges from the bloody mess.

 

Grab some sarsaparilla and sit it out on the AskWoody Lounge.

 

Source: Let the BIOS/UEFI firmware recall begin! (Computerworld - Woody Leonhard)



In the InSpectre app, both the Enable Meltdown Protection and Enable Spectre Protection buttons are greyed out and I cannot apply it to my computer. Windows 10 X64



27 minutes ago, smokeyjoe said:

In the InSpectre app, both the Enable Meltdown Protection and Enable Spectre Protection buttons are greyed out and I cannot apply it to my computer. Windows 10 X64

 

Check the FAQ here... https://www.grc.com/inspectre.htm

 

But... before you think about updating the BIOS/firmware read my earlier Woody Leonhard post 2 above this one.



Update from Woody...

 

More fun ‘n games.

 

Last night, Microsoft released KB 4078130, which is specifically designed to turn off the Intel-identified buggy code in the Meltdown/Spectre patches. Sayeth Microsoft:

‘Intel has reported issues with recently released microcode meant to address Spectre variant 2 (CVE 2017-5715 Branch Target Injection) – specifically Intel noted that this microcode can cause “higher than expected reboots and other unpredictable system behavior” and then noted that situations like this may result in “data loss or corruption.” Our own experience is that system instability can in some circumstances cause data loss or corruption.

While Intel tests, updates and deploys new microcode, we are making available an out of band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.” In our testing this update has been found to prevent the behavior described.

The patch is only available from the Update Catalog, and it’s the same patch for all versions of Windows.

 

@MrBrian has taken a look and confirms:

This update indeed does set the registry values… documented weeks ago to disable CVE 2017-5715 mitigation in Windows.. This update doesn’t appear in the list of installed updates. This update needs admin privileges to function properly.

If you’ve avoided this month’s Meltdown/Spectre patches, there’s nothing you have to do. On the other hand, if you jumped into the trenches, this one might keep you from losing some data.

 

Microsoft goes on to say:

As of January 25, there are no known reports to indicate that this Spectre variant 2 (CVE 2017-5715 ) has been used to attack customers. We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.

It’s highly likely that when Intel gives the all-clear for Spectre variant 2, it’ll be part of yet another patch.

 

Moral of the story: Wait.

 

Source: Yet another surprise patch, KB 4078130, for all versions of Windows, disables part of the Meltdown/Spectre patches (AskWoody.com)
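A way to see what KB 4078130 actually changed on a machine, as an added example written for this thread (it is not Microsoft's code and not the update's own script). The post above says the update sets registry values that disable the CVE-2017-5715 mitigation but does not name them; this script assumes the FeatureSettingsOverride and FeatureSettingsOverrideMask values under the Memory Management key from Microsoft's speculative-execution guidance, and assumes bit 0 of that override governs Spectre variant 2 (CVE-2017-5715) while bit 1 governs Meltdown (CVE-2017-5754, a CVE id not mentioned in the thread). Reading the key works for any user; the re-enable function needs an elevated shell and a reboot.

```powershell
# Added example for this thread, not Microsoft's code or part of KB4078130.
# Assumptions (not stated in the thread): the value names below are the
# documented Windows policy override for speculative-execution mitigations;
# bit 0 = CVE-2017-5715 (Branch Target Injection, Spectre variant 2),
# bit 1 = CVE-2017-5754 (Meltdown, kernel VA shadowing). A bit set in BOTH
# the override and the mask disables that mitigation by policy.

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-MitigationOverrideState {
    param([string]$Path = $MemMgmtKey)

    # Reading HKLM needs no elevation, so any user can audit the policy.
    $props    = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $override = $props.FeatureSettingsOverride
    $mask     = $props.FeatureSettingsOverrideMask

    if ($null -eq $override -or $null -eq $mask) {
        # No override present: Windows applies its defaults (mitigations on
        # wherever the OS and microcode support them).
        return [pscustomobject]@{
            OverridePresent  = $false
            Override         = $null
            Mask             = $null
            Variant2Disabled = $false
            MeltdownDisabled = $false
        }
    }

    # Only bits selected by the mask take effect; KB4078130's Override=1/Mask=1
    # therefore touches bit 0 alone and leaves the Meltdown mitigation as is.
    $effective = $override -band $mask
    [pscustomobject]@{
        OverridePresent  = $true
        Override         = $override
        Mask             = $mask
        Variant2Disabled = (($effective -band 1) -ne 0)
        MeltdownDisabled = (($effective -band 2) -ne 0)
    }
}

function Enable-SpeculationMitigations {
    # Force both mitigations back on by policy (Override=0 with Mask=3).
    # Needs an elevated shell and a reboot; run it only once the OEM ships
    # microcode that Intel has cleared, as the post above recommends.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $MemMgmtKey)

    if ($PSCmdlet.ShouldProcess($Path, 'Set FeatureSettingsOverride=0, FeatureSettingsOverrideMask=3')) {
        Set-ItemProperty -Path $Path -Name FeatureSettingsOverride     -Value 0 -Type DWord
        Set-ItemProperty -Path $Path -Name FeatureSettingsOverrideMask -Value 3 -Type DWord
    }
}

# Report the current policy state.
$state = Get-MitigationOverrideState
if (-not $state.OverridePresent) {
    'No FeatureSettingsOverride policy present; Windows defaults apply.'
} else {
    'FeatureSettingsOverride={0} FeatureSettingsOverrideMask={1}' -f $state.Override, $state.Mask
    'Spectre variant 2 (CVE-2017-5715) mitigation disabled by policy: {0}' -f $state.Variant2Disabled
    'Meltdown (CVE-2017-5754) mitigation disabled by policy: {0}' -f $state.MeltdownDisabled
}
if ($state.Variant2Disabled) {
    'KB4078130 (or an equivalent manual setting) appears to be in effect.'
    'Preview the reversal with: Enable-SpeculationMitigations -WhatIf'
}
```

The registry tells you only what policy asks for, not what the CPU can deliver: a machine whose OEM has reverted to the older microcode has no variant 2 protection regardless of these bits. For the end-to-end picture, Microsoft's SpeculationControl PowerShell module (`Install-Module SpeculationControl`, then `Get-SpeculationControlSettings`) reports hardware support, OS support and policy together, which is the check to pair with this one before deciding whether a given box is actually covered.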


