Slashdot Mirror


Dell and HP Advise All Their Customers To Not Install Spectre BIOS Updates (bleepingcomputer.com)

An anonymous reader writes: The Spectre and Meltdown mess continues with Dell now recommending their customers to not install the BIOS updates that are supposed to resolve the Spectre (Variant 2) vulnerabilities. These updates have been causing numerous problems for users including performance issues, boot issues, reboot issues, and general system stability. Due to this, Dell EMC has updated its knowledgebase article with a statement advising customers to not install the BIOS update and to potentially rollback to the previous BIOS if their computers are exhibiting "unpredictable system behavior". ZDNet reports that HP too has issued a similar advisory. The computer manufacturer pulled its softpaqs BIOS updates with Intel's patches from its website, and said it would be releasing a BIOS update with a previous version of Intel's microcode on Thursday.


  1. Spectre cannot be even practically exploited. by blind+biker · · Score: 5, Informative

    People still haven't gotten the point - this is testament to Intel's PR efforts to obfuscate the facts. It seems the majority of people believe that Spectre (affects Intel, AMD and ARM) is just as dangerous as Meltdown (affects only Intel CPUs). Un-fucking-believable. We truly live in the epoch of idiocracy.

    --
    "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    1. Re:Spectre cannot be even practically exploited. by Anonymous Coward · · Score: 3, Informative

      Really?
      While Meltdown is more awful, its mitigation is pretty much done with KAISER type patches to kernels. This is not a fix but is good enough for now. The same was done in Linux kernels for ARM.

      Spectre is more tricky when it comes to making sure either of its variants cannot be used. And more vulnerabilities of the same type are likely to be found. Work on making things less vulnerable to it is still underway.

      I get it that it's popular to bash Intel at this point and while they have done a lot to deserve this, this issue is really not why. Meltdown also affects Power and ARM core (or a few).

      Now, these broken Intel updates are meant for Spectre (variant 2) mitigation. Along with the Linux kernel patches Linus lambasted (reading further into the thread, there do seem to be reasons why patches were written the way they were).

      Now, PR?
      ARM is probably the only one of the chipmakers doing the right thing here. Information is quick, public, to the point and fixes are deployed as soon as they are done. There are performance issues with ARM patches but they are taken as necessary.
      Intel is doing its best to obfuscate things as you said.
      AMD is just ignoring it altogether until they no longer can. Regarding Spectre: near zero chance > microcode and software updates are coming, this you can read in the statement on their page. Initial PR was even for Spectre that they are not affected. Have you seen AMD firmware or software patches yet? Couple of sites have tried to find out about them and have found nothing.

  2. Re:Meltdown is Intel only by Anonymous Coward · · Score: 2, Informative

    Thanks for the scoop! I don't think Meltdown being an Intel only problem has ever been mentioned before.

  3. Spectre Variant 2 - CPU specific too. by DrYak · · Score: 3, Informative

    Spectre Variant 2 is also heavily CPU specific.
    The exploit needs to know how the predictor used for indirect branches works (i.e. jumps where the destination isn't known yet, like jump tables (ways to do a C/C++ switch) or calling overloaded virtual C++ members in an array of objects) in order to fool it and force it to guess wrong and jump to a completely wrong destination.

    It's been demonstrated on Intel CPU.

    ARM reports that the few Cortex cores that do speculative execution are affected.
    (But, no ARM-specific exploit code is mentioned).

    AMD knows that the Intel-specific code won't work (duh... obviously), but they cannot exclude that there won't be any way to exploit their indirect branch speculation ("near zero", not "zero" chance). Currently they recommend to apply patches, while they try to work out if there are possible viable exploits to be made against their indirect branch prediction.

    PowerPC G3 and G4 are not exploitable, I've read. They *do* speculative execution. But they either don't speculate around indirect jumps, or don't speculate far enough to be actually exploitable in practice.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]