OpenBSD founder: Intel leaves open-source out in the cold

Summary:OpenBSD founder Theo de Raadt wants Intel to come clean on the severity of bugs in the Intel Core 2 processors, warning that some of the bugs "will *ASSUREDLY* be exploitable from userland code."de Raadt's comments follow Intel's release of a BIOS patch to cover potential unpredictable system behavior on Windows machines running Core 2 and Xeon 3000/5000 chips.

OpenBSD founder wants Intel to come clean on severity of bugs

OpenBSD founder Theo de Raadt wants Intel to come clean on the severity of bugs in the Intel Core 2 processors, warning that some of the bugs "will *ASSUREDLY* be exploitable from userland code."

de Raadt's comments follow Intel's release of a BIOS patch to cover potential unpredictable system behavior on Windows machines running Core 2 and Xeon 3000/5000 chips.

In a note posted to the OpenBSD mailing list, de Raadt said the processors were "buggy as hell" and warned that in addition to causing development and debugging problems, they are exploitable.

"As is typical, BIOS vendors will be very late providing workarounds/fixes for these processors bugs. Some bugs are unfixable and cannot be worked around. Intel only provides detailed fixes to BIOS vendors and large operating system groups. Open Source operating systems are largely left in the cold," he declared.

He accused Intel of understating the impact of the bugs "very significantly" and cautioned OS developers that they will most certainly run into these bugs.

Some of these bugs are along the lines of "buffer overflow"; where a write-protect or non-execute bit for a page table entry is ignored. Others are floating point instruction non-coherencies, or memory corruptions -- outside of the range of permitted writing for the process -- running common instruction sequences," de Raadt added

"All of this is just unbelievable to many of us," he declared.

de Raadt said he cannot recommend the purchase of any machines based on the Intel Core 2 until these issues are dealt with.

"Intel must be come more transparent," he said, noting that rival AMD isn't much better.

"I would like to say that AMD is becoming less helpful day by day towards open source operating systems too, perhaps because their serious errata lists are growing rapidly too," de Raadt said.

More discussion at Slashdot and Matasano

[UPDATE: June 28, 2007 @ 6:12 PM]  A note from the TalkBack comments:

I am from Intel, and I thought I would give you our perspective. Months ago, we addressed a processor issue by providing a BIOS update for our customers that in no way affects system performance. We publicly documented this as an erratum in April. All processors from all companies have errata, and Intel has a well-known errata communication process to inform our customers and the public. Keep in mind the probability of encountering this issue is low.

Specification Updates for the affected processors are available at http://developer.intel.com.  All errata are thoroughly investigated for issues and vulnerabilities, should they have any we fix them, usually through a microcode update. We feel we’ve resolved the issue and were open about it with customers and then publicly publishing it, but this is a good venue for ideas on how we could do better or more. I am interested in any constructive comments...

Topics: Open Source, Intel, Operating Systems, Software

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.