In light of the revised recommended action from Intel, major system OEMs are recalling their previously issued patches for the Meltdown/Spectre vulnerabilities. Acer, Asrock, Dell, HP, and Lenovo have all made updates on their websites notifying customers that their existing patches are defective. Dell, HP, and Lenovo also withdrew their existing patches.
Dell’s updated advisory is interesting, because it said that its withdrawn patches were to solve Spectre Variant 2 only. The company maintains that Spectre variant 1 and Meltdown were fixed with OS patches. Dell said in its advisory:
As a reminder, the Operating System patches are not impacted and still provide mitigations to Spectre (Variant 1) and Meltdown (Variant 3). The microcode update is only required for Spectre (Variant 2), CVE-2017-5715.
This aligns with our previous understanding, which was that Intel’s patch was only to fix Spectre Variant 2. This assumption was based on information initially released by major tech firms like Google and Microsoft. However, this is counter to Intel’s updated advisory, which states that fixing Spectre Variant 2 was only a portion of its patch.
For those concerned about system stability while we finalize the updated solutions, we are also working with our OEM partners on the option to utilize a previous version of microcode that does not display these issues, but removes the Variant 2 (Spectre) mitigations. This would be delivered via a BIOS update, and would not impact mitigations for Variant 1 (Spectre) and Variant 3 (Meltdown).
Evidently, either Intel has even more versions of its patch for different OEMs, or contradictory information on the patches is being communicated to OEMs and consumers. Linux founder Linus Torvalds recently lambasted Intel’s patch in a public email, saying that they did “things that do not make sense” for “unclear reasons.”
For those not caught up on the issue, the Meltdown/Spectre vulnerabilities affect CPUs from AMD, Intel, ARM, and others, to varying degrees. Intel CPUs are heavily affected by the issue--they refer to it as SA-00088--and require a low-level software patch to fix. Intel created a patch, but it can’t be applied in a universal method (i.e., through a driver update). It’s up to system OEMs to distribute the patch to their systems on a product-by-product basis.
The original patch that Intel issued to system OEMs was discovered to be defective, but system OEMs had already begun distributing the patch. The recall advisories mentioned above are a result of that. If you already installed a patch from your system OEM, then you’ll have to sit tight. Intel is currently working to have a new patch distributed to system OEMs, which should then make its way to consumers soon thereafter.
Thursday, January 25, 2018