For the past few weeks Intel has been very cagey about its fixes and patches to mitigate the Meltdown and Spectre vulnerabilities in its processors. For those not yet familiar with them: Meltdown is a side-channel attack, affecting Intel processors in particular, that lets unprivileged code read the contents of the operating system's kernel memory, which should be inaccessible to it and can hold passwords, keys and other extremely valuable data. Spectre is a related class of attacks that abuses speculative execution (a feature of practically every modern high-performance CPU, so it is not an Intel-only problem) to trick the processor into speculatively running code that leaks the memory contents of other programs on the system through the cache. Both require the attacker to get code running on the target, but on a shared cloud host, or in a browser running untrusted JavaScript, that is not a high bar. The consequences are far-reaching and may damage Intel's standing with consumers in the long term. Intel has now started to talk about the work it is doing to fix these vulnerabilities, and in a surprise twist, recommends that users on the affected hardware stop installing the patches that are currently available.
On 11 January 2018, Intel acknowledged in a blog post that it had begun to receive reports of problems with the microcode updates it had issued, which OEMs and operating-system vendors were passing on to Linux, Windows and macOS users; some of these updates had been in the works for months, since security researchers first disclosed Meltdown and Spectre to Intel. The updates had to be tested and released rapidly because of the danger of leaving systems unpatched: anyone operating shared infrastructure, cloud providers such as Amazon Web Services or Microsoft Azure in particular, remained exposed until the updates were in place.
However, the patches had several problems: spontaneous reboots on mission-critical servers, data corruption, odd behaviour on virtual machine hosts, and a smorgasbord of other strange symptoms that appeared after administrators applied the upgrades. Despite this, Intel's advice at the time was that everyone should apply the patches anyway.
Just 11 days later, on 22 January, Intel said in a follow-up blog post that it had identified what was causing the reboots and odd behaviour, and asked its partners and customers to stop deploying the current updates. Just… think about that for a second. Intel is now telling everyone to hold off on the patches (and, in practice, roll them back where they are already causing crashes) and instead accept the risk of leaving these systems open to attackers who can get code running on them, whether as a fellow tenant on a cloud host or through a compromised application.
The excerpt below gives the basic guidance Intel recommends customers follow:
“As we start the week, I want to provide an update on the reboot issues we reported Jan. 11. We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Over the weekend, we began rolling out an early version of the updated solution to industry partners for testing, and we will make a final release available once that testing has been completed.”
- “We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behaviour. For the full list of platforms, see the Intel.com Security Center site.”
- “We ask that our industry partners focus efforts on testing early versions of the updated solution so we can accelerate its release. We expect to share more details on timing later this week.”
- “We continue to urge all customers to vigilantly maintain security best practice and for consumers to keep systems up-to-date.”
Granted, these issues are currently limited to systems based on the Broadwell and Haswell platforms, which includes server hardware of the same generation, but it will probably also turn out to apply in some fashion to older hardware based on Ivy Bridge and Sandy Bridge, and perhaps even Nehalem and Westmere. The company apologises for the disruption and pledges that a new set of patches for these systems will be made available once the final phase of testing is complete.
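Before following Intel's advice to hold or roll back a microcode update, an administrator wants to know three things about each host: which CPU generation it is, which microcode revision is actually loaded, and which mitigations the kernel currently reports as active. The POSIX shell script below is an added example, not from the original post or from Intel, that reads the two interfaces Linux exposes for this: /proc/cpuinfo (the "model name" and "microcode" fields) and /sys/devices/system/cpu/vulnerabilities/, which kernels from 4.15 onward (and distribution kernels that backported it) populate with one status file per issue. The functions take the paths as arguments so the script can run against a constructed sample; the sample's CPU model string and microcode revision 0x3b are illustrative values, not a statement about any real revision. Note that sysfs reports the kernel's view (whether it found the CPU features and kernel options it needs), so a microcode update that was rolled back shows up as a Spectre v2 entry flipping back to "Vulnerable".

```shell
#!/bin/sh
# Added example (not from the original post or from Intel): summarise what a
# Linux host reports about its CPU, loaded microcode and Meltdown/Spectre
# mitigations. Real inputs are /proc/cpuinfo and
# /sys/devices/system/cpu/vulnerabilities (Linux 4.15+ or a backport); the
# functions take paths so they can also be run against the constructed sample
# built at the bottom of this file.

# Print "model name|microcode revision" for the first CPU listed in a cpuinfo
# file. Lines look like "model name<TAB>: Intel(R) ..." so split on the colon.
cpu_summary() {
    awk -F': *' '
        $1 ~ /^model name/ && m == "" { m = $2 }
        $1 ~ /^microcode/  && u == "" { u = $2 }
        END { if (u == "") u = "unknown"; print m "|" u }
    ' "$1"
}

# Print one "issue: status" line per file in a vulnerabilities directory.
mitigation_report() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "${f##*/}" "$(cat "$f")"
    done
}

# Return 0 if no status file begins with "Vulnerable", 1 otherwise. The kernel
# writes "Not affected", "Mitigation: ..." or "Vulnerable[: detail]".
all_mitigated() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) return 1 ;;
        esac
    done
    return 0
}

# --- Constructed sample: a Haswell-generation Xeon whose kernel has PTI for
# --- Meltdown but no Spectre v2 mitigation, e.g. after the microcode was pulled.
# --- The model string and revision 0x3b are illustrative values, not real data.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/vulnerabilities"
printf 'processor\t: 0\nvendor_id\t: GenuineIntel\nmodel name\t: Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz\nmicrocode\t: 0x3b\n' \
    > "$SAMPLE/cpuinfo"
printf 'Mitigation: PTI\n'                         > "$SAMPLE/vulnerabilities/meltdown"
printf 'Mitigation: __user pointer sanitization\n' > "$SAMPLE/vulnerabilities/spectre_v1"
printf 'Vulnerable\n'                              > "$SAMPLE/vulnerabilities/spectre_v2"

# On a real host replace the two paths with /proc/cpuinfo and
# /sys/devices/system/cpu/vulnerabilities.
echo "CPU / microcode: $(cpu_summary "$SAMPLE/cpuinfo")"
mitigation_report "$SAMPLE/vulnerabilities"
if all_mitigated "$SAMPLE/vulnerabilities"; then
    echo "all reported issues mitigated"
else
    echo "WARNING: at least one issue reported as Vulnerable"
fi
```

Run it across a fleet (for example over ssh) and compare the microcode revision and the per-issue status against what the vendor's BIOS release notes say should be loaded; a host that shows the newer microcode revision but still reports Spectre v2 as "Vulnerable" usually means the kernel, not the firmware, is what needs updating.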