cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
flyingboy
Newcomer III

Intel Says to Hold Off on Patches While It Gets Better Ones Ready

'Intel is telling its customers to stop applying its recently-released patches for the Meltdown and Spectre CPU vulnerabilities because the company is developing new fixes to address the rebooting issues in the earlier patches.'

 

http://www.business-standard.com/article/companies/intel-asks-users-to-delay-updates-says-patches-ca...

 

Great, we are now back to the start. But better be safe than sorry.

4 Replies
Badfilemagic
Contributor II

I really think that Intel has been handling this whole thing badly from the get-go. Arguments on the Linux kernel mailing lists related to fixes, their released public statements at the beginning which purposefully tried to conflate meltdown and spectre in order to punt fire onto AMD and ARM as well (AMD's not vulnerable to Meltdown because they had to implement permissions checking correctly because they couldn't copy Intel due to patent issues), etc.

 

Patches were rushed on the microcode side, Linux and Microsoft had to rush as well, FreeBSD is behind, and OpenBSD weren't even given the information. (although they also have a bad track record of keeping embargoed bugs embargoed, so they may have brought that on themselves). Kernel patches affect system performance because the kernel developers basically had to rearchitect around design decisions made based on being able to take advantage of CPU features which were implemented with a speed-over-corectness approach.

 

One could also pile the vulns in Intel Management Engine that were patched last year (or, for privacy fans, the fact that IME exists at all) if one were so inclined to pile on Intel. I'll give them a pass on the default creds issue that got press last week, since that's really on people buying a system with a feature then failing to know about it and configure it correctly, then leaving their laptop unattended in a public place.

 

But, what are the options, really, except quit computers and go become a farmer? (but embedded computers in combines, drones for crop tracking....)

-- wdf//CISSP, CSSLP
Early_Adopter
Community Champion

Yeah, reminds me of Intel Anti-theft. That could have pretty much year 0'd everything on demand if very widely deployed and abused.

 

"So, we install it on the right system and then all our computers go to a web address and once activated can be rendered unbootable in HW?"

 

"Yup"

 

I'm going now to herd sheep with dogs.

kratzy11
Newcomer II

This vulnerability has certainly been an interesting experience an d from a risk management perspective was a good exercise (I need a life outside of risk management) when deciding whether to apply patches and risk bugs / performance hits.

On a serious side, it is scary to think that one vulnerability can have almost universal effects and despite weeks of working on a solution, even after a public disclosure, people still had to sit on their hands and wait and wait some more until a solution was/will be offered.

Caute_cautim
Community Champion

Well here is another take from Intel:  https://www.darkreading.com/risk/microsoft-issues-emergency-patch-to-disable-intels-broken-spectre-f...

 

The provision of an advanced option to disable any updates or allow them to happen.   Some thing this is a good idea?  What is the consensus?