Wednesday, January 24, 2018

​Spectre flaw: Dell and HP pull Intel's buggy patch, new BIOS updates coming

@Dell and @HP have heeded Intel's advice and stopped deploying BIOS updates carrying its buggy patch for the #Spectre attack. HP, the world's biggest PC maker, has updated its advisory for the Meltdown and Spectre bugs following Intel's advice on Monday to halt deploying the chip makers' microcode or firmware patch due to unexpected reboots. Early last week, Intel admitted its patch for Variant 2 Spectre (CVE-2017-5175) caused stability issues with its Broadwell and Haswell CPUs, and later confirmed the same problems affected Kaby Lake and Skylake CPUs. On Tuesday, HP pulled its softpaqs BIOS updates with Intel's patches from its website, and on Thursday will release a BIOS update with a previous version of Intel's microcode. Intel has prepared microcode updates for OEMs like HP and Dell that don't trigger the reboots, but also don't contain its patch for Variant 2, while leaving in place mitigations for Meltdown Variant 3 and Spectre Variant 1. In the meantime, it's also developed a complete and -- hopefully -- stable patch for Broadwell and Haswell, but this is still being tested with OEMs. New microcode updates for Kaby Lake and Sky Lake will be released later. "Once Intel reissues microcode updates, HP will issue revised Softpaqs," said HP. Dell's updated advisory also notes it has removed its BIOS updates until Intel issues new stable firmware. "Dell is advising that all customers should not deploy the BIOS update for the Spectre (Variant 2) vulnerability at this time. We have removed the impacted BIOS updates from our support pages and are working with Intel on a new BIOS update that will include new microcode from Intel," it said. The Variant 2 attack, known as "indirect branch speculation", is considered the most difficult attack to mitigate, and carries the highest risk for virtualized environments in the cloud. Microsoft and Google have confirmed Intel's mitigation for the Variant 2 -- IBRS or Indirect Branch Restricted Speculation -- caused significant performance overheads on current hardware.

No comments:

Post a Comment