Archive for Intel

Intel Releases New Spectre & Meltdown Fixes… But Will They Work This Time?

Posted in Commentary on February 8, 2018 by itnerd

Intel has released new microcode to address the stability and reboot issues on systems after installing its initial mitigations for Variant 2 of the Meltdown and Spectre attacks. Allegedly these ones work without crashing PCs and servers. Intel has also said that more fixes are inbound “in the coming days” which should be interesting to see given how this last round of patches went.

Microsoft Stops Issuing Spectre & Meltdown Patches…. And Intel Told The Chinese About These Flaws Ahead Of The US

Posted in Commentary on January 29, 2018 by itnerd

It seems that Microsoft has joined Intel, HP and Dell in stopping people from installing the mitigations for Spectre and Meltdown. According to Bleeping Computer, it did so via an emergency patch that appeared over the weekend.

Microsoft has issued on Saturday an emergency out-of-band Windows update that disables patches for the Spectre Variant 2 bug (CVE-2017-5715). The update — KB4078130 — targets Windows 7 (SP1), Windows 8.1, all versions of Windows 10, and all supported Windows Server distributions. Microsoft shipped mitigations for the Meltdown and Spectre bugs on January 3. The company said it decided to disable mitigations for the Spectre Variant 2 bug after Intel publicly admitted that the microcode updates it developed for this bug caused “higher than expected reboots and other unpredictable system behavior” that led to “data loss or corruption.”

HP, Dell, and Red Hat took previous steps during the past week.

So, that is pretty bad. But here’s something that’s worse. It appears that Intel might have told the Chinese about these chip flaws before it told the US Government. Here’s why that’s bad:

Intel Corporation initially warned a handful of customers, including several Chinese technology firms, about security flaws within its processor chips, while at the same time not telling the U.S. government, The Wall Street Journal reported Sunday. 

Security experts told the newspaper that the decision could have allowed Chinese tech companies to flag the vulnerabilities to Beijing, giving the Chinese government opportunity to exploit them. 

Now that’s really bad. Clearly the response to these chip flaws has been sub-optimal to say the least. Thus I am fully expecting more bad news to appear on this front in the coming days.

Amazon, AMD, Apple, ARM, Google, Intel & Microsoft Are Asked To Answer Spectre And Meltdown Questions

Posted in Commentary on January 25, 2018 by itnerd

It seems the Spectre and Meltdown gong show just got real. The leaders of Amazon, AMD, Apple, ARM, Google, Intel and Microsoft have been asked via letters to answer questions about the two CPU bugs by Republican members of the US House of Representatives.

Specifically, the politicians want to know about a secrecy agreement that was put in place by these same companies. In short the agreement demanded silence from June 2017 which is when researchers recognized the seriousness of the processor design flaws, through the planned date of coordinated disclosure on Tuesday, January 9, 2018. Except that The Register found out about the flaws and dropped the details on an unsuspecting world a week before the deal expired, which caused these companies to scramble to get fixes out.

You have to suspect that this is the first step in the eventual public flogging known as a Congressional Hearing. Given that this is an election year, that won’t end well for any of these companies. But we’ll see if Congress decides to go there.

Dell & HP Telling Customers NOT To Install BIOS Updates That Solve The Spectre Vulnerability

Posted in Commentary on January 24, 2018 by itnerd

It seems that the rush to NOT fix the Spectre vulnerability has spread to other companies besides Intel. I say that because Dell and HP are now saying not to install BIOS updates that solve this issue. First to Dell:

The Spectre and Meltdown mess continues with Dell now recommending their customers to not install the BIOS updates that are supposed to resolve the Spectre (Variant 2) vulnerabilities. These updates have been causing numerous problems for users including performance issues, boot issues, reboot issues, and general system stability. Due to this, Dell EMC has updated its knowledgebase article with a statement advising customers to not install the BIOS update and to potentially rollback to the previous BIOS if their computers are exhibiting “unpredictable system behavior”.

And in the case of HP, ZDNet reports that they too have issued a similar advisory. The computer manufacturer pulled its softpaqs BIOS updates with Intel’s patches from its website, and said it would be releasing a BIOS update with a previous version of Intel’s microcode on Thursday.

The bottom line is that Intel has to be embarrassed. Starting with the fact that the issue exists. Then to this clearly botched response. Not to mention that some have criticized the response on other fronts. Clearly Intel needs to hit the reset button and figure out how to right the ship quickly before this turns into more of a gong show than it already is.

Are You Deploying Meltdown And Spectre Patches? Intel Says Not So Fast…

Posted in Commentary on January 23, 2018 by itnerd

If you were deploying patches for those CPU vulnerabilities known as Meltdown and Spectre, Intel via a blog post suggests that you should put the kibosh on that for the time being. Here’s what Intel Executive Vice President Navin Shenoy said in the blog post in question:

As we start the week, I want to provide an update on the reboot issues we reported Jan. 11. We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Over the weekend, we began rolling out an early version of the updated solution to industry partners for testing, and we will make a final release available once that testing has been completed.

And:

We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior. 

That’s pretty embarrassing to have a non-trivial problem of this scale, and to have a fix that is worse than the problem. You have to wonder what is going on at Intel these days. Is it amateur hour over there??

Linus Torvalds Lights Up Intel Over Shoddy Spectre Patches….. Again

Posted in Commentary on January 23, 2018 by itnerd

Linus Torvalds is calling out Intel, again, because it looks like the chipmaker isn’t going to fix one of the variants of the Spectre CPU bug. In short, Intel chips, at least for a few years until microarchitecture changes can be implemented, will ship vulnerable to the Spectre variant 2 exploit by default but will include a protection flag that can be set by software. What’s worse is that Intel explains this in a paper called Speculative Execution Side Channel Mitigations, in which the chip maker, instead of treating Spectre as a bug, offers Spectre protection as a feature.

Now if you’re thinking “Intel, like what the hell??” then you’re not alone. Torvalds went off on Intel in a message posted to the Linux kernel mailing list on Sunday. Now if you read the message in full, it’s highly technical. But you don’t have to be nerdy like me to get the point that he thinks that Intel’s patches suck:

 

As it is, the patches are COMPLETE AND UTTER GARBAGE.

They do literally insane things. They do things that do not make
sense. That makes all your arguments questionable and suspicious. The
patches do things that are not sane.

WHAT THE F*CK IS GOING ON?

And that’s actually ignoring the much _worse_ issue, namely that the
whole hardware interface is literally mis-designed by morons.

Come on Linus. Tell us how you really feel.

Seriously, Torvalds has a point. The way that Intel plans to deal with this issue sucks. It appears to be more about lawsuit mitigation, or recall mitigation rather than exploit mitigation. Assuming that’s true, Intel looks like it doesn’t take this issue seriously. Thus they deserve to be called out.

#FAIL: Intel’s Meltdown And Spectre Fixes Have Bugs Of Their Own

Posted in Commentary on January 12, 2018 by itnerd

There’s nothing worse for a guy in my line of work than to find out that a fix that remedies a critical bug is itself buggy. Case in point: the fixes that Intel put out for Spectre and Meltdown. Apparently they have bugs that cause system reboots:

Intel said today it is investigating an issue with Broadwell and Haswell CPUs after customers reported higher system reboot rates when they installed firmware updates for fixing the Spectre flaw.

The hardware vendor said these systems are both home computers and data center servers.

“We are working quickly with these customers to understand, diagnose and address this reboot issue,” said Navin Shenoy, executive vice president and general manager of the Data Center Group at Intel Corporation.

“If this requires a revised firmware update from Intel, we will distribute that update through the normal channels. We are also working directly with data center customers to discuss the issue,” Shenoy added.

The Intel exec said users shouldn’t feel discouraged by these snags and continue to install updates from OS makers and OEMs.

Sure, right. This really inspires confidence. I say that because it suggests that Intel rushed these fixes out the door to mitigate not only the threat, but the PR disaster that is in progress. Of course if that’s true it is not good. My advice to Intel is to get to the bottom of this quickly and do whatever is required to get working patches on the street that have been fully QA’ed. Because if you don’t, you’ll look like Apple and their ability to QA their products.

Flaw in Intel AMT Can Lead To Nearly Instant Pwnage By A Hacker

Posted in Commentary on January 12, 2018 by itnerd

Here’s a new security issue for Intel to deal with that is really, really bad. F-Secure has discovered a security flaw in Intel’s Active Management Technology (AMT) that can be used by attackers with physical access to get around authentication processes in seconds, effectively pwning the device. Here’s an overview of the security flaw:

The issue allows a local intruder to backdoor almost any corporate laptop in a matter of seconds, even if the BIOS password, TPM Pin, Bitlocker and login credentials are in place. No, we’re not making this stuff up.

According to F-Secure, this issue affects most corporate laptops and PCs running Intel AMT. And for the record AMT has had other security issues in the past. Now the F-Secure post has recommendations to mitigate this. But they’re not exactly quick and easy for companies to implement. Thus this is a problem that should rightfully get a lot of attention until a solution is found for it.

Clearly 2018 hasn’t been a good year for Intel, and we’re only 12 days into 2018.

Intel CEO Posts Open Letter And Says They’ll Do Better When It Comes To Security….. Right…..

Posted in Commentary on January 12, 2018 by itnerd

Intel CEO Brian Krzanich has posted an open letter to Intel customers following the Meltdown and Spectre vulnerabilities that impact its processors. In it he says, among other things, these three points:

1. Customer-First Urgency: By Jan. 15, we will have issued updates for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January. We will then focus on issuing updates for older products as prioritized by our customers.

2. Transparent and Timely Communications: As we roll out software and firmware patches, we are learning a great deal. We know that impact on performance varies widely, based on the specific workload, platform configuration and mitigation technique. We commit to provide frequent progress reports of patch progress, performance data and other information. These can be found at the Intel.com website.

3. Ongoing Security Assurance: Our customers’ security is an ongoing priority, not a one-time event. To accelerate the security of the entire industry, we commit to publicly identify significant security vulnerabilities following rules of responsible disclosure and, further, we commit to working with the industry to share hardware innovations that will accelerate industry-level progress in dealing with side-channel attacks. We also commit to adding incremental funding for academic and independent research into potential security threats.

The cynic in me is saying that this is an attempt to mitigate the public relations nightmare that is in progress. But basically saying “Trust us, we’ll do better next time” doesn’t cut it. Here’s what Intel customers really want to hear:

  1. How did this slip through the cracks and go undetected for so long?
  2. What is Intel doing to make sure that this scenario never happens again?

If they did that, then this statement would have meant something. They didn’t, thus it’s PR fluff that means nothing.

Feds Want Answers When It Comes To Intel’s CEO Stock Dump Prior To Spectre & Meltdown Disclosure

Posted in Commentary on January 10, 2018 by itnerd

If you’re Intel CEO Brian Krzanich, the optics of this just don’t look good. Apparently he sold stock right before the company disclosed the Meltdown and Spectre security flaws. The sale earned Krzanich $20 million US. Now some Senators want some answers:

News reports that more than $20 million in share sales by Krzanich were scheduled in October of last year before the company made public that its processors were vulnerable to hackers are “troubling,” Senators Jack Reed and John Kennedy wrote in Tuesday letters to the Securities Exchange Commission and the Justice Department. Reed, a Rhode Island Democrat, and Kennedy, a Louisiana Republican, are members of the Senate Banking Committee.

“These reports are troubling not only because of the risk to nearly all phones and computers, but also because these reports raise concerns of potential insider trading,” the senators wrote. “If you uncover such violations through your examinations, we expect you to enforce our laws to the fullest extent possible.”

Now Intel says that the stock sale was pre-arranged. But like I said, the optics suck. And in an election year, that’s not good for the chipmaker and its CEO. I’m pretty sure that this story is going to have legs and you’ll be reading a lot about it in the weeks and months ahead.