HP and Dell, two of the largest server and enterprise workstation manufacturers, have stopped distributing BIOS/UEFI updates that include Intel’s CPU microcode patches for the Spectre vulnerability. The companies now advise customers to stop deploying the updates and wait for a new release.
Days after releasing the patches two weeks ago, Intel revealed it was investigating reports of higher reboot rates on data center and end user systems with Broadwell and Haswell CPUs where the fixes had been deployed. As a result, Lenovo halted the distribution of BIOS updates for those systems at the time.
On Monday, Intel announced it had identified the root cause for the reboot issues and has developed an improved patch for Broadwell and Haswell CPUs.
“Over the weekend, we began rolling out an early version of the updated solution to industry partners for testing, and we will make a final release available once that testing has been completed,” said Navin Shenoy, executive vice president and general manager of the Data Center Group at Intel, in a blog post.
Until then, the company advises all OEMs, cloud service providers, system manufacturers, software vendors and end users to stop deploying the microcode updates released earlier this month. The company is also working with OEMs to provide users with the option of downgrading to a previous version of the microcode that does not cause any issues but lacks the mitigations for Spectre variant 2.
Following Intel’s announcement Monday, both HP and Dell updated their advisories to alert customers that the affected BIOS updates have been removed from their support pages. Dell is already providing customers with the option of downgrading to older BIOS versions, while HP will make BIOS versions with older microcode available Jan. 25.
From the time Intel revealed the initial microcode updates were causing issues, it was clear that fixing the problems will probably take weeks. That’s because any microcode patches need to go through extensive testing by both Intel and the OEMs that integrate them into BIOS updates.
Intel has been aware of the Meltdown and Spectre vulnerabilities since June, when the attacks were reported to the company by researchers at Google. This means the company’s engineers had months to come up with a solution, test it internally, share it with OEMs and have the updates ready for release by Jan. 9, when the public disclosure date was set. This is confirmed by the patched microcodes, some of which have a creation date of Nov. 17 although they were released in January.
“We ask that our industry partners focus efforts on testing early versions of the updated solution so we can accelerate its release,” Shenoy said. “We expect to share more details on timing later this week.”
It’s worth noting that only one variant of the Spectre attack, which allows local attackers to leak secrets from the memory of various applications, requires CPU microcode changes to fix. The Meltdown and Spectre variant 1 can be mitigated through OS and application updates that are already available.
However, the researchers who found Spectre warned that the two attack variants identified so far are likely not the only ones and that further research will uncover more. Also, the speculative execution feature in modern CPUs that makes these attacks possible cannot be completely removed or disabled without severely crippling performance.
Even if Intel’s patch turns out to be only a temporary solution, a delay of weeks in its availability increases the chances that malicious hackers will develop working exploits and start attacking users. Not to mention that the microcode patches released earlier this month only addressed Spectre on a limited number of CPUs, not all that are affected, and it remains to be seen if Intel’s new update will extend the number of protected processors.