Intel: Don’t Install Faulty Spectre, Meltdown Patches

In-brief: Intel has warned users not to install patches it released for the Spectre and Meltdown vulnerabilities in its processors, asking them to wait until it issues new software, which it’s working on now.

Finding out your device has vulnerabilities is bad enough, but finding out the patched issued to fix them are “complete and utter garbage,” according to Linux creator Linus Torvalds, is even worse.

This is what faced users of devices with Intel processors on Monday when Intel warned them not to install the patches the company already had released for the Spectre and Meltdown vulnerabilities.

In a blog post, Navin Shenoy, Intel’s executive vice president and general manager of the Data Center Group, said the company had identified the root cause of a frequent-reboot problem that was affecting customers who’d installed its patches for these vulnerabilities.

In the meantime, don’t install the patches nor tell customers or partners to do it either, he warned.

“We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior,” Shenoy wrote.

Intel is currently working on new software to fix the vulnerabilities and encouraging industry partners to focus efforts on testing early versions of the new release to hasten its distribution to everyone, Shenoy said in the post.

He also apologized “for any disruption this change in guidance may cause.”

“The security of our products is critical for Intel, our customers and partners, and for me, personally,” he wrote in the post. “I assure you we are working around the clock to ensure we are addressing these issues.”

Intel told customers this week not to install patches it issued for the Meltdown and Spectre vulnerabilities in its processors.

Intel issued its patch against Spectre and Meltdown after confirming on Jan. 3 that its chips were impacted by the vulnerabilities, which could allow hackers to steal passwords, encryption keys and other private information on affected devices.

Not long after, Intel acknowledged that the patch seemed to be causing some customers’ computers to reboot more frequently than normal, specifically on systems running Intel Broadwell and Haswell CPUs for both client and data center, the company said.

However, while Intel didn’t roll back its advice to install the patch then, a Wall Street Journal article published the same day reported that the company privately was advising some customers to “hold off” on installing the patches.

Over the past weekend, Torvalds used colorful language on the Linux kernel mailing list to criticize the Intel patches, perhaps inspiring the company to take action and warn customers not to install.

“All of this is pure garbage,” Torvalds wrote. “Is Intel really planning on making this shit architectural? Has anybody talked to them and told them they are f*cking insane? Please, any Intel engineers here–talk to your managers.”

A list of Intel processors affected by Spectre and Meltdown can be found on the company’s website. The list is long; indeed, the massive CPU vulnerabilities affect nearly every OS and device.

Meltdown is a CPU vulnerability that allows a user mode program to access privileged kernel-mode memory, according to security researchers.

Spectre, on the other hand, is actually a new class of attack. It’s enabled by the unintended side effects of what’s called speculative execution, something processors do to speed things up by predicting what instructions they’re about to receive and executing them ahead of time.

Comments are closed.