Security Update Issued to "Plug Intel's Buggy Spectre Firmware Patch"


Microsoft Issues Emergency Security Update That Disables Intel’s Spectre Variant 2 Patch

CNBC reported (“Intel’s Spectre patch created its own problems, so Microsoft put out an update to fix it”) that “Microsoft issued an emergency security update on Monday [January 29, 2018] to plug Intel’s buggy Spectre firmware patch as the chipmaker’s fix caused computers to reboot frequently.” Further, according to CNBC:

Microsoft said it was rolling out an out-of-band update that specifically disables Intel’s Spectre variant 2 patch.

The latest update comes nearly four weeks after Intel confirmed that its chips were impacted by vulnerabilities known as Spectre and Meltdown, which make data on affected computers susceptible to espionage.

The Windows maker said system instability triggered by Intel’s faulty patch can in some cases cause “data loss or corruption”.

Microsoft said its latest update prevented computers from rebooting unexpectedly and urged affected customers to manually download it from the Microsoft Update Catalog website.

[Emphasis added]

An article by ZDNet (“Windows emergency patch: Microsoft’s new update kills off Intel’s Spectre fix”) reported that

Microsoft has released an emergency Windows update to disable Intel’s troublesome microcode fix for the Spectre Variant 2 attack.

Not only was Intel’s fix for the Spectre attack causing reboots and stability issues, but Microsoft also found it resulted in the worse scenario of data loss or corruption in some circumstances.

To justify the out-of-band update, Microsoft highlights a comment in Intel’s fourth-quarter forward-looking statements that mentions for the first time that mitigation techniques potentially lead to data loss or corruption.

Until then, Intel had only mentioned its update was causing unexpected reboots and unpredictable system behavior.

ZDNet also reported that since

. . . there are no known reports of attacks on Spectre Variant 2, it would seem the greatest risk to systems and data at present is Intel’s buggy microcode.

The company is facing scrutiny from US lawmakers over its handling of the embargo, which has been described by some as an utter mess that left important software projects in the dark.

Jonathan Corbet, a member of the Linux Foundation’s Technical Advisory Board, said the disclosure process for Meltdown and Spectre was unusually secretive.

Additionally, ZDNet reported that “[w]hile the bugs affect Arm and AMD too, Intel is the only chipmaker whose hardware is vulnerable to all three attacks.”

[Emphasis added]

Class Actions Regarding Security Flaws of Intel’s Hardware Design

According to one class action lawsuit complaint, filed in United States District Court, Northern District of California, Intel has

[f]or over two decades, . . . been highly successful in loading most of the world’s computers with its processors. Unfortunately, Intel designed its processors to prioritize speed, not security. Until 2018, Intel didn’t even have a hardware security team.

As a result, Intel’s hardware design contains serious security flaws. On January 3, 2018, the news broke that security researchers had discovered two methods that could be used to exploit flaws in Intel’s hardware design. These two methods can give a hacker access to anything on the computer. And because they exploit flaws in hardware, not software, they work on any operating system, so long as it runs on an Intel processor.

With no hardware fix possible, software makers have recently attempted to create patches to protect Intel-based computers from hackers. But these software patches significantly slow down the computers on which they’re installed and don’t provide complete protection.

Consumers and businesses that purchased Intel-based computers now face an increased risk of being hacked, even after installing software patches that may substantially slow down their computers, giving them performance far below what they paid for.

Intel should not be permitted to retain the profits it made from skimping on security all these years.

[Emphasis added]

Intel Processor Class Actions


Purchasers or Lessors of Intel Processors or Devices Containing an Intel Processor

Kehoe Law Firm, P.C. continues to investigate issues related to the flaws in Intel’s hardware design. If you purchased or leased one or more Intel processors, or one or more devices containing an Intel processor, and have questions or concerns about your potential legal rights or claims, please contact John Kehoe, Esq., (215) 792-6676, Ext. 801.

Kehoe Law Firm, P.C.