Intel is running into problems protecting its chips from the major Meltdown and Spectre vulnerabilities that became public last week. The company has been warning customers of three specific flaws in a recent firmware update and recommending that customers hold off installing the patch, according to emails first reported by The Wall Street Journal. According to a follow-up announcement by Intel, the issue may cause reboot issues in systems running older Haswell chips. Intel has been aware of the Spectre issues since June, but rewriting processor firmware to address the vulnerability proved to be a significant challenge. The company has committed to protecting 90 percent of its CPUs produced in the last five years, with patches to be deployed by January 15th, but technical issues have marred those patches across the board. Earlier this week, Microsoft had to halt the deployment of AMD's Spectre patches after they rendered some computers unbootable. Patching the CPU firmware is widely seen as the most technically difficult element of Spectre recovery, far more challenging than the operating system or browser patches that were deployed last week. It's also the patch most likely to slow computers down, although it's still unclear how significant the performance hit will be. Intel's recent benchmarks show less than 5 percent slowdowns on recent processors, but those tests did not extend to the Haswell processors affected by today's issues.
It hasn't been a fun time to be Intel. Last week the company revealed two chip vulnerabilities that have come to be known as Spectre and Meltdown and have been rocking the entire chip industry ever since (not just Intel). This week the company issued some patches to rectify the problem. Today, word leaked that some companies were having a reboot issue after installing them. A bad week just got worse. The company admitted as much in a blog post penned by Navin Shenoy, executive vice president and general manager of the Data Center Group at Intel. "We have received reports from a few customers of higher system reboots after applying firmware updates. Specifically, these systems are running Intel Broadwell and Haswell CPUs for both client and data center," Shenoy wrote. He added, "If this requires a revised firmware update from Intel, we will distribute that update through the normal channels." Just when you couldn't think this situation could spiral any more out of Intel's control, it did. The Wall Street Journal is reporting it got its hands on a confidential memo issued by the company and shared with large companies and cloud providers not to install the patches. It's important to note that Intel is advising consumers to install all patches, and they point out this isn't a security issue. It's just a bad software issue, and while they should have made certain this was rock solid, a situation like this tends to lead to pressure that leads to mistakes — and that's probably what happened here. The Spectre and Meltdown issues were discovered last year by Google's Project Zero security team. They found that because of a flaw in modern chip architecture, designed for speed over security, kernel memory could be exposed. This is where private information like passwords and encryption keys is stored and supposed to be protected. Instead, because of this flaw it could be unprotected.
Meltdown affects just Intel chips, while Spectre affects just about all modern chips, including AMD, ARM, IBM Power chips and Nvidia. Raspberry Pi appears to be the only computer spared from this. So far there hasn't been a documented case of anyone taking advantage of this exploit, which, Google pointed out in a blog post yesterday, has existed in chips for 20 years, but security experts have suggested it would be hard to attribute an issue to this particular exploit, even if they had known about it.
Intel told some customers to hold off on installing its updates. Earlier this week, Intel said it would have Meltdown and Spectre fixes available by the end of the month for all recently made chips. But as the Wall Street Journal reports, some of the patches the company has released have caused some problems of their own. Some firmware updates are apparently causing computers to reboot. The Wall Street Journal got its hands on a document Intel was sharing with some of its customers (see note below), in which it advised them to "delay additional deployments of these microcode updates." Stephen Smith, Intel's data-center group general manager, told the publication that the bugs didn't have anything to do with security and that the document was being shared with computer makers and large cloud providers. Since the Wall Street Journal published its report, Intel has released a blog post explaining the systems affected by the reboots are running Broadwell and Haswell CPUs. "We are working quickly with these customers to understand, diagnose and address this reboot issue," it said. Microsoft also halted some of its updates earlier this week after some AMD computer users reported that they couldn't boot their computers after installing its patch. And Intel reported that most people would experience a small amount of slowdown -- less than 10 percent -- on their personal computers after installing its fix. One of Intel's partners told the Wall Street Journal that only telling some of its customers about the issue was a bad move on the part of Intel, saying the public has "been given the microcode update but has not been given the important technical information that Intel recommends that you don't use this." But security researcher Paul Kocher, who discovered some of the issues with Intel's chips, said this sort of thing is to be expected. "It doesn't surprise me a lot that there would be some hiccups."
Update: While the Wall Street Journal reported that only some of Intel's customers were receiving notice that they may want to hold off on installing its updates, Intel tells us that all of its customers were notified. The notice "was sent to all customers through the standard patch notification process," a spokesperson told us.
It has admitted that its chips are susceptible to both Spectre variants. While Intel is at the center of the Spectre/Meltdown fiasco, AMD's chips are also affected by the CPU vulnerabilities. The company previously said that the risk of exploit using variant 2 was near zero due to its chips' architecture. But in its latest announcement, it said that because both variants are still "applicable to AMD processors," it also plans to release patches for the second variant to be absolutely safe. AMD already provided PC manufacturers its fix for the first Spectre version, and Microsoft has begun rolling it out. The chipmaker also said it's working with Redmond to address a problem that delayed the distribution of patches for its older processors. Since the second version of Spectre needs a different fix, AMD will provide its customers and partners for Ryzen and EPYC processors with a patch for its chips starting this week. Firmware updates for its older chips will follow in the coming weeks. If you use Linux, you might get it sooner than you think, since Linux vendors have already started releasing OS patches for the second variant. You might have to wait a bit if you're a Windows user, though, since AMD is still working out distribution timing with Microsoft. Despite deciding to release a patch for version 2, the company reiterated that its chips' architecture will make it very difficult for attackers to use the exploit. It also maintained that Meltdown isn't applicable to AMD chips at all. AMD's processors aren't "susceptible" to Meltdown, the chipmaker wrote, "due to [the company's] use of privilege level protections within paging architecture." Since "no mitigation is required" for variant 3, it won't be creating a patch for the vulnerability. Update: AMD clarified that it never said its chips were not susceptible to variant 2.
Intel has admitted that PCs and servers are experiencing unexpected reboots after applying a patch designed to address the Spectre and Meltdown processor flaws. Spectre and Meltdown are design flaws in modern CPUs that could allow hackers to bypass system protections on a wide range of devices, allowing attackers to read sensitive information, such as passwords, from memory. Intel began making software and firmware updates available to mitigate attacks exploiting these flaws last week, pushing them out via system manufacturers. However, yesterday the chip maker admitted these updates were causing certain computers to unexpectedly reboot. The random reboots appear to be affecting both PCs and servers that use Intel Broadwell and Haswell processors. "We are working quickly with these customers to understand, diagnose and address this reboot issue. If this requires a revised firmware update from Intel, we will distribute that update through the normal channels," wrote Navin Shenoy, executive vice president and general manager of the Data Center Group at Intel. Despite the issues, Shenoy says that computer users and admins should "continue to apply updates recommended by their system and operating system providers". While tech firms have been preparing updates to mitigate the Spectre and Meltdown flaws for months, details of the vulnerabilities leaked out early. In the rush to issue patches there have been other instances of Spectre and Meltdown updates causing problems of their own. Microsoft recently said that Windows PCs won't receive any further security updates until third-party AV software is verified as compatible with Windows patches for Spectre and Meltdown. And chipmaker AMD has been working with Microsoft to resolve problems after the patches caused PCs running on some older AMD Opteron, Athlon and AMD Turion X2 Ultra processors to refuse to boot. AMD said yesterday the issue should be resolved shortly.
AMD also announced that, starting this week, it will address the branch target injection exploit for Spectre by making microcode updates available for its Ryzen and Epyc processors. Updates for older processors will follow in the "coming weeks", with all updates being made available via OS vendors and system manufacturers. The Meltdown flaw doesn't affect AMD processors. As well as triggering undesirable behaviour, the Spectre patches are degrading machine performance, particularly for older processors. Microsoft said earlier this week that people running computers on 2015-era Intel Haswell or earlier processors would see the biggest performance slowdown, particularly if they weren't using Windows 10. Those running Windows 10 systems on newer CPUs would see minimal impact, it said. Microsoft cautioned that the performance of Windows Server systems could suffer a more significant impact, "especially in any IO-intensive application". Intel has also published data, gathered both from users and its own synthetic benchmarks, which identified a real-world performance hit of between about six and eight percent across all systems. Like Microsoft, it found that computers running on 8th-generation processors suffered a smaller impact than those running 7th- or 6th-generation CPUs. Apple claims that performance of Macs, iPhones and iPads is largely unaffected by the patches, stating "our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks". Major cloud providers AWS, Google and Microsoft say that, for the majority of workloads, customers should not notice a difference in performance following the updates. However, there have been reports from some customers of a drop-off.
AWS customer Epic Games attributed a more than 20 percent spike in CPU load on a cloud server hosting games of Fortnite to the impact of the Spectre and Meltdown patches.