It turns out that Intel’s fix for its processor security issues needs a fix of its own. In a statement released on Jan. 22, Intel senior vice president Navin Shenoy reversed course in an update telling Intel customers to stop applying patches for a speculative execution flaw widely known as Spectre.
According to a note released by Shenoy, Intel has discovered the root cause of a series of random reboots that has afflicted servers running mostly older Intel processors.
Shenoy said that Intel is now testing a fix for the problems caused by the earlier Spectre microcode patch and is asking its hardware partners to help with the testing. “Over the weekend, we began rolling out an early version of the updated solution to industry partners for testing, and we will make a final release available once that testing has been completed,” Shenoy said in his update message.
In the meantime, Shenoy is recommending that customers of Intel products maintain security best practices and keep their systems up to date with the code updates.
He said that he hopes to be able to issue an update later this week on when Intel will be ready to release the new fix.
What Shenoy didn’t say directly, but indicated through a link to Intel’s Security Center page, is that the list of Intel processors affected by the random reboots or related problems has been expanded significantly.
The list now includes enterprise products such as processors intended for data center and workstation use. Intel also revealed for the first time that there are other stability issues being fixed beyond random reboots, although it has not said exactly what stability problems its microcode revisions created.
In addition, Intel released information on a new update that fixes only a portion of the Spectre issue and is being made available to OEMs for use as a BIOS update. There’s no indication whether any of the system vendors have started to implement the new update.
So now your update picture has changed abruptly. Intel is now saying that if you haven’t already updated your systems with currently available microcode, then don’t. This code will induce errors including random shutdowns, as well as other unpredictable behavior. If you need a stability fix, then there’s one available, provided your platform vendor decides to make it available.
Meanwhile, Intel is testing a new fix that should fix what the last fix broke, provided it passes muster with the company’s hardware partners. Exactly when that should happen is still unclear, but at least the timing may become clear sometime this week. But then there’s the next step, which depends on your system vendor to make the firmware fix available.
The timing for the delivery of the actual fix remains unclear. In fact, it’s not clear at all that there necessarily will be a fix for your particular hardware. For example, in my office I have an HP ProLiant server that I bought from HP about five years ago. There’s no fix available for its Xeon processor, neither the original buggy fix nor an updated one. It’s unclear whether there will ever be a fix.
In fact, I’ve only seen microcode fixes delivered for computers that are fairly new, meaning less than a year old. Dell has provided a fix for a new server I bought recently, and Lenovo has provided a fix for a ThinkPad T470.
Intel has said that it’s providing fixes for processors developed within the past five years. That leaves your IT shop to determine when the processors in your servers and workstations were developed, which can be difficult. It’s not uncommon for new computers to use processors developed a few years ago, which may mean they won’t be fixed even though they’re relatively new.
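As an added example (not from the article), the script below reduces the text of Linux’s /proc/cpuinfo to what a processor inventory actually needs before it can be matched against a vendor’s fix list: the CPUID signature (family/model/stepping) and the microcode revision currently loaded on each logical CPU. The sample input is constructed, not captured from a real machine.

```python
"""Added example: reduce Linux /proc/cpuinfo text to the CPUID signature
(family/model/stepping) and loaded microcode revision per logical CPU."""
from collections import Counter

# Constructed sample of two logical CPUs; not captured from a real machine.
SAMPLE_CPUINFO = """\
processor\t: 0
cpu family\t: 6
model\t\t: 63
stepping\t: 2
microcode\t: 0x3a

processor\t: 1
cpu family\t: 6
model\t\t: 63
stepping\t: 2
microcode\t: 0x3a
"""

def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one {field: value} dict per logical CPU."""
    cpus, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                cpus.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus

def cpuid_signature(family, model, stepping):
    """Pack display family/model/stepping into the CPUID(1).EAX signature,
    e.g. family 6, model 63, stepping 2 -> 0x306F2."""
    ext_family, base_family = max(family - 0xF, 0), min(family, 0xF)
    ext_model = model >> 4 if base_family in (0x6, 0xF) else 0
    return ((ext_family << 20) | (ext_model << 16) | (base_family << 8)
            | ((model & 0xF) << 4) | stepping)

def inventory(text):
    """Count logical CPUs per (signature, microcode) pair for one host."""
    counts = Counter()
    for cpu in parse_cpuinfo(text):
        sig = cpuid_signature(int(cpu["cpu family"]), int(cpu["model"]), int(cpu["stepping"]))
        counts[(f"0x{sig:X}", cpu.get("microcode", "unknown"))] += 1
    return dict(counts)
```

Run it against the real file with `inventory(open("/proc/cpuinfo").read())`; more than one microcode revision showing up on a single host is worth a closer look.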
This conundrum is why Intel is strongly recommending that you make sure your organization follows best security practices. It could easily be the case that there is no quick fix for any exploit of either the Spectre or Meltdown vulnerabilities. So your best practices may be the only protection you’ve got.
Even if all of your IT hardware inventory is on the list of processors for which Intel will provide fixes, you will likely find it takes a while for those fixes to appear for your computers. Given the track record so far, it may take a while longer before you’re prepared to implement the fix on most of your machines.
Even when the fixes actually appear, the rushed testing may fail to reveal operational problems, similar to what happened with the last fix. Ultimately this may mean accepting the possibility that some malware may eventually be developed that can access unprotected data using a weakness in speculative execution, which is at the core of the Spectre vulnerability.
So far, no exploit has been discovered in the wild that actually makes use of this processor flaw. While it’s not clear how such an exploit might be developed, this may also be a vulnerability that proves sufficiently difficult to use that it is not practical to develop one any time soon.
As a result this is one situation in which it might be better to delay applying an update until it’s certain that it is stable and doesn’t cause any other problem. That might take a while.