Based in silicon valley, california, security brief is a blog by chris louie. his posts discuss current information security affairs

Egg, Meet Face: Intel forced to Roll Back Meltdown and Spectre Fixes

Egg, Meet Face: Intel forced to Roll Back Meltdown and Spectre Fixes

Egg, meet face: Intel forced to roll back Meltdown and Spectre fixes amid reports of computer instability after installation

In a worsening PR disaster for chipmaker Intel, multiple reports have surfaced that the “fixes” intel pushed out to mitigate Spectre and Meltdown are causing computers to become unstable, randomly crash, and reboot.   Intel has promised more “stable” fixes to come later in 2018 without providing a specific time frame.   

This is in stark contrast to reports that Microsoft’s own Meltdown and Spectre patches were also causing instability and random reboot issues only on computers with improperly configured AV software.  Intel was notifying its OEM partners, cloud service providers, and systems manufactures to stop installing the new update and to roll back to a previous version of firmware.  This guidance indicates that Intel’s fix is inherently flawed and does not require any other variable such as improperly configured AV in order to cause system instability. 

In a rush to combat negative public perception on their respective industries, Intel and Microsoft have pushed out “fixes” to the Meltdown and Spectre vulnerabilities without properly QA-ing the releases.  Through responsible disclosure, Google’s Project Zero notified chip makers almost 6 months ago of these vulnerabilities.  The details of the vulnerabilities were kept private in order to give chip manufacturers and software developers sufficient time to write and test patches to be release before or at the time of the public disclosure.  However, this was not enough time for the chip and software industries to develop a software/firmware fix for a vulnerability in the actual hardware’s silicon. 

More troubling is that Intel’s press release indicates that the fix receiving the highest engineering effort only covers the most recent family of Intel processors: Broadwell and Haswell platforms.  Development for previous platforms is ongoing, but Intel is planning to use the data collected from the Broadwell and Haswell platform fixes to assist with back-patching older chips.  In other words, if your computer is more than 2 years old, a Meltdown and Spectre fix could be a way out. 

In response to the instability caused by Intel’s patches, Microsoft issued a rare out-of-band, emergency update to disable Intel’s patch. 

While Meltdown and Spectre haven’t yet been exploited in real-world attacks, the known methods to abuse them increased this week after researchers created a tool that found new ways to leverage the CPU bugs. 

The Zscaler cloud protects its users from the known Meltdown and Spectre JavaScript attacks and continually monitors for other attack vectors.

 

Further reading:

https://newsroom.intel.com/news/root-cause-of-reboot-issue-identified-updated-guidance-for-customers-and-partners/

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

https://www.cyberscoop.com/microsoft-spectre-meltdown-intel-patches/

https://blog.qualys.com/news/2018/02/16/hackers-hit-the-olympics-while-patch-tuesday-and-meltdown-spectre-keep-it-departments-on-edge

New York State Enacts Sarbanes-Oxley-Type Controls for Cybersecurity

New York State Enacts Sarbanes-Oxley-Type Controls for Cybersecurity

Do Not Use Facebook’s New Security Feature, Seriously

Do Not Use Facebook’s New Security Feature, Seriously