Slashdot Mirror


Intel's Chip Bug Fixes Have Bugs of Their Own (bleepingcomputer.com)

From a report: Intel said late Thursday it is investigating an issue with Broadwell and Haswell CPUs after customers reported higher system reboot rates when they installed firmware updates for fixing the Spectre flaw. The hardware vendor said these systems are both home computers and data center servers. "We are working quickly with these customers to understand, diagnose and address this reboot issue," said Navin Shenoy, executive vice president and general manager of the Data Center Group at Intel Corporation. "If this requires a revised firmware update from Intel, we will distribute that update through the normal channels. We are also working directly with data center customers to discuss the issue," Shenoy added. The Intel exec said users shouldn't feel discouraged by these snags and continue to install updates from OS makers and OEMs.

59 comments

  1. Oracle data center servers? by Anonymous Coward · · Score: 0

    God help them if they are when they spontaneously reboot.

  2. Don't feel discouraged?? by Anonymous Coward · · Score: 0

    I was glad having both a Haswell and Broadwell PC that I skipped the firmware for now. What's discouraging is no proper vetting of these fixes before pushing them out for the public. Frankly, I am about to just forgo this firmware and take my chances. The cure seems worse than the disease.

    1. Re:Don't feel discouraged?? by Anonymous Coward · · Score: 0

      That's how "security" works these days.
       
      Remember a decade ago when Firesux started doing this and then Chrone came along?
       
      Trust us! Here's a zero-day update that we already installed for you (while you weren't looking) that will address all of these issues......and many more!

    2. Re:Don't feel discouraged?? by houstonbofh · · Score: 2

      I too am holding back updates for exactly the same reason... And this made me laugh...

      "The Intel exec said users shouldn't feel discouraged by these snags and continue to install updates from OS makers and OEMs."

      Sure...

    3. Re:Don't feel discouraged?? by Anonymous Coward · · Score: 1

      I'm not touching any updates for at least a few months; chances are i might not even bother with the patches at all.

      I don't run a hypervisor, i don't run untrusted software and i ALWAYS assume that anything i run can access all of the data on my machine regardless of which user i run them as.
      Anything which has the opportunity at exploiting these bugs is probably already in a position to steal what it wants from my machine in terms of passwords through the use of screen cap, keylogging and the like.

      And I can't imagine your standard skiddy modified ransomware is going to be sophisticated enough to exploit it; it's going to be targeted attacks against very specific targets, not your average joe.

    4. Re:Don't feel discouraged?? by Anonymous Coward · · Score: 0

      a) MS updates are now cumulative. If you don't take this update for Windows, you'll never update again.

      b) there is already a Javascript POC exploit out there. The level of sophistication required to exploit is low

  3. Well no wonder! by Gravis+Zero · · Score: 1

    I just got this update and this cool browser extension that makes fart sounds when you click on links stopped working with the message:

    TotallyNotAMeltdownExploit() has failed. Consider rebooting.

    They really gotta test this stuff before they push it out. ;)

    --
    Anons need not reply. Questions end with a question mark.
  4. Why am I not surprised? by davidwr · · Score: 2

    Regression of new-bug risk is why many non-critical bugs go unfixed and why companies like IBM sometimes release patches only to those customers who complain and who are willing to accept a fix that hasn't been thoroughly tested.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  5. Reminds me of the 2009 flu pandemic by Hal_Porter · · Score: 4, Informative

    In both cases there was a lot of worry about the threat. A countermeasure was rushed out, and it seems like the countermeasure may have some side effects.

    https://en.wikipedia.org/wiki/...

    You have to wonder in each case if there's an element of overreaction going on.

    In the Meltdown/Spectre case the browser vendors are going to fuzz the timing functions to make side channel timing attacks harder to pull off.

    E.g.

    http://news.softpedia.com/news...

    Just like Microsoft and Mozilla, Google Chrome 64 will disable SharedArrayBuffer by default and modify the behavior of performance.now() by reducing precision from 5us to 20us in order to block exploits attempting to take advantage of the security vulnerabilities.

    Also you can block third party scripts using uBlock Origin.

    https://github.com/gorhill/uBl...

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    1. Re:Reminds me of the 2009 flu pandemic by sjames · · Score: 3, Interesting

      It doesn't help that Intel spread some confusion. Meltdown is very serious and really does need a quick fix. Spectre needs addressing but isn't as urgent since it is quite hard to exploit successfully. Meltdown workarounds should NOT be deployed on AMD systems.

      As best as I can tell, the microcode updates (BIOS) are for spectre, not meltdown.

    2. Re:Reminds me of the 2009 flu pandemic by TechyImmigrant · · Score: 2

      It doesn't help that Intel spread some confusion. Meltdown is very serious and really does need a quick fix. Spectre needs addressing but isn't as urgent since it is quite hard to exploit successfully. Meltdown workarounds should NOT be deployed on AMD systems.

      As best as I can tell, the microcode updates (BIOS) are for spectre, not meltdown.

      That depends on your definition of urgent. Spectre is the problem with legs and it's going to keep running. Fix meltdown once and it's fixed. But unlike meltdown, which is a poor target, because it's being addressed, Spectre presents thousands of targets on many platforms and there is no shortage of governments and criminals sharpening their attacks right now.

      There is a lot more to do to address Spectre and it involves some kind of magic where all the software engineers suddenly learn how to both develop effective threat models and develop effective mitigations. Intel gave software engineers a safe place to put secrets and they didn't do it. SGX is there for a reason. If you're squealing "Oh noes! Teh Malwarez can read secrets in my process state", why the hell are you not using the tools in place to protect those secrets?

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    3. Re:Reminds me of the 2009 flu pandemic by sjames · · Score: 1

      Patching browsers will kill practically all vectors for the Spectre attack. Even that is a little less urgent than fixing meltdown simply because it will take longer to get from POC to practical exploit.

    4. Re:Reminds me of the 2009 flu pandemic by TechyImmigrant · · Score: 1

      Patching browsers will kill practically all vectors for the Spectre attack. Even that is a little less urgent than fixing meltdown simply because it will take longer to get from POC to practical exploit.

      That was kind of my point. Meltdown is a short term attack with a short term fix. Spectre is a long term attack strategy which can be deployed in many contexts.

      Let's say you are an application developer in a popular application, but you have an evil streak. You could employ Spectre in a difficult to find way to attack one of the many other bits of software on a machine. This will go on and on and on. So there's an urgency to changing software development practices to adapt to this new reality.
       

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    5. Re:Reminds me of the 2009 flu pandemic by sjames · · Score: 1

      Compilers are evolving to produce hard to exploit binaries.

  6. There is a better fix available. by Gravis+Zero · · Score: 2, Informative

    Use AMD chips because they actually are immune to Meltdown and have already mitigated Spectre at the Microcode and OS level with a negligible impact on performance. Intel has yet to get their shit together and its performance impact is growing with every new patch.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:There is a better fix available. by Anonymous Coward · · Score: 0

      *ding*ding*ding*

    2. Re:There is a better fix available. by houstonbofh · · Score: 1

      Of course, Windows bricks AMD systems now. https://www.gamespot.com/artic...

    3. Re:There is a better fix available. by hey! · · Score: 1

      And your point would be?

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    4. Re:There is a better fix available. by Anonymous Coward · · Score: 0

      Of course, you don't know what bricking even means. And you get your news from gamespot? Back to the FUD barn with you. Shoo shoo.

    5. Re:There is a better fix available. by green1 · · Score: 2

      it's not called "Wintel" for nothing....

    6. Re:There is a better fix available. by Anonymous Coward · · Score: 0

      Of course, Windows bricks AMD systems now.

      Look up the definition of "brick". Microsoft borked AMD systems, but it definitely didn't brick them. And they stopped borking AMD systems when they got called out for doing it, so you're still better off overall running an AMD-based machine than an Intel-based machine.

    7. Re:There is a better fix available. by Anonymous Coward · · Score: 1

      It's very, very hard not to see a pattern where these "fixes" are used to screw over AMD. We see the same pattern over and over again, ranging from the initial Linux patch for Meltdown which treated all x86 cpus as "insecure" without any exceptions, to Microsoft outright bricking AMD based computers.

      We will see much more of this. Intel is big and has tentacles going deep into both the proprietary and free software world, and apparently there are plenty of people without any kind of morals in both worlds. I predict there will be quite a lot of pressure on both gcc, the Linux kernel and possibly even glibc to apply "fixes" that not only nominally help Intel fix their problem, but also "accidentally" completely screw over AMD. As it is, although AMD is only theoretically vulnerable under quite limited circumstances to one of the vulnerabilities, they have already been partially kneecapped.

      Intel screwed up big time, and they certainly didn't cheat and bribe their way to their current position just to throw it away by suddenly starting to play fair.

    8. Re:There is a better fix available. by Anonymous Coward · · Score: 0

      And you can always just treat it as a golden opportunity to switch to Linux :-)

    9. Re:There is a better fix available. by Anonymous Coward · · Score: 0

      A few old AMD chips crash when booting up. None are bricked.

    10. Re:There is a better fix available. by Anonymous Coward · · Score: 0

      Microsoft didn't outright brick any AMD systems. A few older AMD chips didn't follow their specs, and crash when you boot in to Windows. None are bricked. Stop this nonsense fake news.

    11. Re:There is a better fix available. by thegarbz · · Score: 1

      Define "better". Personally I define "better" as the option that doesn't require a new motherboard, CPU and RAM.

    12. Re:There is a better fix available. by Gravis+Zero · · Score: 1

      Define "better".

      A superior outcome.

      --
      Anons need not reply. Questions end with a question mark.
    13. Re:There is a better fix available. by ELCouz · · Score: 1

      Try again later.... https://news.slashdot.org/stor...

    14. Re:There is a better fix available. by Anonymous Coward · · Score: 0

      Oh, yeah. Didn't follow specs, says who? Fact is that the systems were knocked out. "Didn't follow specs", well, all we have for that is Microsoft's word, which frankly isn't worth anything.

      I'll wait and see, but I'd be very surprised if AMD comes through this without somehow taking much worse hits to performance than Intel, despite not really suffering from any of the real problems. Intel's little helpers and sycophants will see to that.

    15. Re:There is a better fix available. by thegarbz · · Score: 1

      So not spending loads of money for something that can be fixed with a software update.
      Thanks for clarifying.

    16. Re:There is a better fix available. by Gravis+Zero · · Score: 1

      If this were about money then you wouldn't have bought Intel shit to start with. -_-
      This is obviously about superior performance.

      --
      Anons need not reply. Questions end with a question mark.
    17. Re:There is a better fix available. by HiThere · · Score: 1

      You are, at least partially, correct. Bricked is the wrong term. It was, however, described that way in some news stories.

      OTOH, and IIUC, you had to revert the patch to fix the problem, and I'm not sure that MSWindows lets you do that, even though Ubuntu did.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    18. Re:There is a better fix available. by HiThere · · Score: 1

      I haven't heard anything convincing that says Spectre can be fixed with a software update. Even Meltdown can only be ameliorated, not fixed, with a software update. I'll admit I don't know how much could be done with a microcode update, but my guess is that the only fix to Spectre that you could get with a microcode update would be disabling of speculative execution entirely.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    19. Re:There is a better fix available. by Anonymous Coward · · Score: 0

      AMD bricked AMD systems before by putting AMD hardware in them. Don't need to point the finger elsewhere.

    20. Re:There is a better fix available. by Anonymous Coward · · Score: 0

      and I'm not sure that MSWindows lets you do that

      Out of the 8 AMD systems with the affected processor at work:
      5 show the patch available, but not applied yet;
      2 already applied the patch, but a system restore (even though Windows said the restore failed) fixed it;
      1 already applied the patch, but could not system restore or dism /revert. A reinstall was required.

    21. Re:There is a better fix available. by PingPongBoy · · Score: 1

      Use AMD chips because they actually are immune to Meltdown and have already mitigated Spectre at the Microcode and OS level with a negligible impact on performance. Intel has yet to get their shit together and its performance impact is growing with every new patch.

      Cutting to the chase, use AMD as the fix for Intel.

      --
      Know your pads. One time pad: good for cryptography. Two timing pad: where to take your mistress.
    22. Re:There is a better fix available. by thegarbz · · Score: 1

      If this were about money then you wouldn't have bought Intel shit to start with. -_-
      This is obviously about superior performance.

      You presume to know *when* I bought my system. For the longest time Intel was the only option when it came to performance. AMD was the choice of idealism and if you were looking for something performing worse than a Celeron. It is only recently that AMD has once again become a viable contender.

    23. Re:There is a better fix available. by thegarbz · · Score: 1

      I haven't heard anything convincing that says Spectre can be fixed with a software update.

      There's two variants of Spectre:
      Variant 1 is fixed in the kernel OR on recent processors with a microcode update. Both rely on the LFENCE opcode.

      Variant 2 is fixed in the kernel with IBRS AND a microcode update (no performance on Skylake and more recent processors). It can also be mitigated in software using retpoline in the software + kernel support (no performance hit, but relies on individual programs being updated).

      And for completeness' sake Meltdown is fixed in the kernel with KPTI.

      Interestingly enough Windows rolled out a fix to variant 1 straight away, where Linux vendors focused on variant 2.
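
Added example, not part of the thread or any commenter's code: on Linux, the kernel reports which of the mitigations named above are active under `/sys/devices/system/cpu/vulnerabilities` (KPTI appears there as "PTI"), and this script summarises that report. The function names and the sample status lines are constructed for illustration, following the kernel's "Not affected" / "Vulnerable" / "Mitigation: ..." format.

```python
"""Summarise Linux's own report of Meltdown / Spectre v1 / v2 mitigation state."""
import tempfile
from pathlib import Path

# Directory where Linux 4.15+ (and distro backports) reports mitigation state.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Names used in the comment above -> sysfs file names.
ISSUES = {
    "Spectre variant 1": "spectre_v1",
    "Spectre variant 2": "spectre_v2",
    "Meltdown": "meltdown",
}

# Constructed sample contents, used only when the live directory is absent.
SAMPLE = {
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
    "meltdown": "Mitigation: PTI\n",
}


def classify(text):
    """Turn one status line into (state, detail)."""
    line = text.strip()
    if line == "Not affected":
        return "not_affected", ""
    if line.startswith("Mitigation:"):
        return "mitigated", line.split(":", 1)[1].strip()
    if line.startswith("Vulnerable"):
        # May carry a reason, e.g. "Vulnerable: <why the mitigation is off>".
        return "vulnerable", line.partition(":")[2].strip()
    return "unknown", line


def read_status(base=SYSFS_DIR):
    """Read each issue's file under base; a missing file means 'unreported'."""
    report = {}
    for label, fname in ISSUES.items():
        try:
            report[label] = classify((Path(base) / fname).read_text())
        except OSError:
            report[label] = ("unreported", "")
    return report


def needs_attention(report):
    """Issues the kernel does not report as mitigated or not affected."""
    ok = ("mitigated", "not_affected")
    return sorted(k for k, (state, _) in report.items() if state not in ok)


def sample_report():
    """Build the constructed sample in a temp directory and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname, body in SAMPLE.items():
            (Path(tmp) / fname).write_text(body)
        return read_status(tmp)


if __name__ == "__main__":
    report = read_status() if SYSFS_DIR.is_dir() else sample_report()
    for label, (state, detail) in report.items():
        print(f"{label:18} {state:13} {detail}")
    print("needs attention:", needs_attention(report) or "none")
```

An "unreported" result means the running kernel predates this interface, so the absence of a "Vulnerable" line there is not evidence of a fix.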

    24. Re:There is a better fix available. by Anonymous Coward · · Score: 0

      "Worse than a Celeron", you know what? If you want people to take you seriously, you need to rein in your hyperbole. I mean, we all know you're not that smart to begin with, no need to push your credibility from zero into the negative.

    25. Re:There is a better fix available. by Anonymous Coward · · Score: 0

      Try again later....

      The regression in the '108' kernel was fixed in the '109' kernel within about 24 hours.

    26. Re:There is a better fix available. by Gravis+Zero · · Score: 1

      Then it's time to upgrade to AMD.

      --
      Anons need not reply. Questions end with a question mark.
  7. patch for post above by davidwr · · Score: 1

    Regression of new-bug risk

    should read

    Regression or new-bug risk

    The patch above is an "early-release" patch. It has not undergone rigorous testing. The reader assumes all implementation and other risks.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  8. manage engine by Anonymous Coward · · Score: 0

    That is the problem. Intel shouldn't have built the back door in. The solution is to disable it, as in not make it work. The old form of firmware update worked just fine; you had to be there with a floppy, CD or usb drive. This back door that can turn your computer on, scan its disks is a tool for spying and nothing more. Curious, that is how it is being used too.
    Probably how the Russian got into our campaign servers.

    1. Re: manage engine by whodat54321c · · Score: 1

      Not really. The Russkies used far less sophisticated brute force attacks to break into the DNC and HRC's people. The whole meltdown/spectre mess isn't one that has ever been spotted in the wild, and likely never will be. It was a product of a researcher, and got the press. I would not bother to patch M$ or microcode unless a variant represented a significant threat found in the wild.

    2. Re: manage engine by DCFusor · · Score: 1

      Yeah, humint and maybe not Russian. Awan and Seth Rich come to mind. Awan arrested for all kinds of shenanigans with DNC and was IT support for nearly all D's. Seth died (was killed?) right after evidence of the DNC fixing the primaries to eliminate Bernie came out - perhaps through him. Neither guessing nor fake news - this is on police blotters and court records.

      --
      Why guess when you can know? Measure!
    3. Re: manage engine by Anonymous Coward · · Score: 0

      But once the details are out there, black hats are going to start working on it

  9. QA and QC have been outsourced by Anonymous Coward · · Score: 1

    QA and QC have been outsourced to the user now, showing a dramatic cost savings for the corporations. One could be fooled into thinking that this is a bad thing for the corporations as users might decide to pay more for a product that just works, but observing the modern economy shows that society is full of a bunch of masochists who want to pay even less for the new and shiny even if it comes broken from the get go as long as the corporations promise to fix it in software later on.

    1. Re:QA and QC have been outsourced by lucasnate1 · · Score: 1

      Also, don't forget that corporations act like a cartel, fucking up the consumers in complete unison.

  10. "Experiencing reboots"? by nuckfuts · · Score: 1

    Intel Broadwell and Haswell CPUs Experiencing Reboots After Firmware Updates

    Let's call it what it is. There's a difference between a reboot and a crash. It sounds to me like users are experiencing the latter.

    1. Re:"Experiencing reboots"? by Anonymous Coward · · Score: 0

      Are you sure it's only Haswell and Broadwell? If so, I think I just dodged a bullet. Today I installed the microcode patch on my Ivy Bridge CPU, and then my building had a sustained power outage that outlasted the UPS. Please tell me I don't have to be a guinea pig for these "reboots," because I've got work to do.

  11. It takes courage by tomxor · · Score: 1

    The Intel exec said users shouldn't feel discouraged by these snags and continue to install updates from OS makers and OEMs.

    Yo Brian, It takes courage to put bugs in your bugs.

    1. Re:It takes courage by tomxor · · Score: 2

      Yo Brian, It takes courage to put bugs in your bugs.

      Clearly putting a CPU in their CPU wasn't enough.

      ...Yes i'm replying to my own comment, it's not weird, i'll be here all week.

  12. I'll vote for the latter by Anonymous Coward · · Score: 0

    Why is this news? Bad fixes to fix bad things is what's called "job security" in the software business. Either that, or all software programmers are stupid worthless idiots.

  13. 99 Little bugs in the code by corychristison · · Score: 2

    99 little bugs in the code
    Take one down and patch it around
    127 little bugs in the code.

  14. Re:but... but... but... by MoarSauce123 · · Score: 1

    AMD doesn't have as many issues as the overpriced Intel junk. There are problems, but they are harder to abuse and, although harder to mitigate as well, fixed by now without any reboot issues or other new flaws. Intel used to be the go to vendor for performance CPUs, but with Ryzen the gap closed. Sure, there may be some odd cases where Intel still fares better, but not twice as much money better. The folks at Intel hang out too much with the morons from Apple.

  15. Re:but... but... but... by JDeane · · Score: 1

    I am regret... I built my skylake system shortly before Ryzen came out. Skylake has its own bugs to add to these new ones.... But it will last me a while longer; I plan on building a Ryzen 2 system when those launch. Will be the first AMD build for me, although I have owned some AMD machines on the side; my own personal rigs have always been Intel and I have been building since the P3 days. It was mostly a good run minus the whole Pentium 4 stuff, but I can put up with slightly lower performance. The show stopping bugs? Not so much, and it feels like AMD is doing better than Intel right now at that.