Security

Intel Meltdown patches pulled with little explanation

Intel said it has identified the cause of the reboot issues related to firmware updates assumed to be the Spectre and Meltdown patches, but hasn’t offered much more information than that.

It is widely assumed the Spectre and Meltdown patches led systems running on Intel Broadwell and Haswell chips to reboot. However, when Intel announced the problem on Jan. 11, the company only admitted that customers saw “higher system reboots after applying firmware updates.” So far, Intel has been careful to avoid mentioning the Spectre and Meltdown patches in connection to the reboot issues with Broadwell and Haswell chips.

Despite not outright admitting the connection, Intel has pulled its Spectre and Meltdown patches while it tests an updated version of the fix. The company said it has now discovered the “root cause” of the reboot issues and has “made good progress in developing a solution to address it.”

“We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior,” Navin Shenoy, executive vice president and general manager of the data center group at Intel, wrote in a blog post. “We ask that our industry partners focus efforts on testing early versions of the updated solution so we can accelerate its release. We expect to share more details on timing later this week.”

Bob Noel, director of strategic relationships and marketing for Plixer, a network traffic analysis company based in Kennebunk, Maine, said the current unstable code for the Spectre and Meltdown patches “leaves end users vulnerable, with no available options other than to wait for a stable fix.”

Meltdown logo

“In times like these, customers should be extra vigilant to ensure they have not been compromised. Network traffic analytics should be used to monitor their environment for anomalous traffic patterns and unusual behaviors,” Noel told SearchSecurity. “The secondary problem this unstable patch code creates is a general hesitancy for end users to quickly apply future patches. Early adopters of these patches experienced hardware reboots and downtime, which is likely to leave them wary of becoming early adopters for future patches.”

Ben Johnson, CTO at Obsidian, based in Newport Beach, Calif., and former National Security Agency computer scientist, agreed the way Intel has handled the Spectre and Meltdown patches may harm customer trust.

“Consumers have no patience for perceived inactivity when it comes to vulnerabilities or security issues, so organizations want to take action as soon as a vulnerability becomes public. But if you roll out a patch without proper testing, you can exacerbate the problem by paralyzing your system and your workforce, as Intel and Dell’s customers found out over the past week,” Johnson told SearchSecurity. “This is particularly problematic, because one of the biggest issues in security is getting people to patch vulnerabilities. Incidents like this just make matters worse because they make IT teams gun-shy. Your customers need to have faith that, when you roll out a patch, it isn’t going to hammer their system. If they don’t trust you, they won’t patch.”

Linus Torvalds, creator of Linux, had much harsher words for Intel’s handling of the situation and called the Spectre and Meltdown patches “complete and utter garbage.”

“I’m sure there is some lawyer there who says ‘we’ll have to go through motions to protect against a lawsuit.’ But legal reasons do not make for good technology, or good patches that I should apply,” Torvalds wrote in a Linux Kernel Mailing List post. “[The patches] do literally insane things. They do things that do not make sense. That makes all your arguments questionable and suspicious. The patches do things that are not sane … I think we need something better than this garbage.”


Source link

Tags