Meltdown-Spectre: A reminder to the IT industry that security is a mirage
Intel is recommending that people stop pushing its current firmware updates designed to address the Meltdown and Spectre vulnerabilities, and hold tight for further information later in the week.
"We recommend that OEMs, cloud service providers, system manufacturers, software vendors, and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior," Intel Data Center Group general manager Navin Shenoy said in a security note.
Shenoy said Intel had released updated firmware with its partners for testing at the weekend, and asked them to test harder.
"We ask that our industry partners focus efforts on testing early versions of the updated solution so we can accelerate its release," Shenoy wrote.
"I apologise for any disruption this change in guidance may cause."
The company said it had found the root cause of the "reboot issue" affecting its Haswell and Broadwell chips, which came to light earlier this month.
When Intel admitted the crashes were also hitting its Kaby Lake and Skylake processors, its advice was to keep deploying the patches.
Now read: Cybersecurity in 2018: A roundup of predictions
Late last week, Red Hat pulled an update to the microcode package that was designed to mitigate Meltdown and Spectre.
"Red Hat is no longer providing microcode to address Spectre, variant 2, due to instabilities introduced that are causing customer systems to not boot," the company said.
"The latest microcode_ctl and linux-firmware packages are reverting these unstable microprocessor firmware changes to versions that were known to be stable and well tested, released prior to the Spectre/Meltdown embargo lift date on Jan 3rd. Customers are advised to contact their silicon vendor to get the latest microcode for their particular processor."
Yesterday, Linux kernel creator Linus Torvalds let fly at proposed patches from Intel.
"They do literally insane things. They do things that do not make sense," he said. "And I really don't want to see these garbage patches just mindlessly sent around."
Torvalds said earlier this month that Intel should admit it has problems with its CPUs, instead of writing fluff stating its processors were working as designed.
Meltdown and Spectre were discovered by Project Zero researcher Jann Horn, who reported the flaws to Intel, AMD, and ARM on June 1, 2017.
Earlier this month, Microsoft had to reissue patches after its original update prevented some AMD systems from booting.
26% of organizations haven't yet received Windows Meltdown and Spectre patches (TechRepublic)
Roughly a week after the update was released, many machines still lack the fix for the critical CPU vulnerabilities.
Industrial equipment manufacturers reporting difficulties with Meltdown and Spectre patches
Fixing the security flaws is causing errors to pop up elsewhere for some companies.
Meltdown and Spectre patches now available for Oracle systems (TechRepublic)
Among the 237 fixes in Oracle's Critical Patch Update for January are patches for both Spectre and Meltdown.
How to protect Windows Server from Meltdown and Spectre
The headlines are all about how the Meltdown and Spectre security vulnerabilities will affect Windows PCs, but the real problems are how these bugs will impact servers and the cloud.
Spectre puts the brakes on CPU need for speed
Instead of focusing on single-digit percentage increases in performance, a bigger question needs to be asked: Is it safe?