Intel Cans Spectre, Meltdown Patches: What You Need to Know
In a stunning about-face, Intel yesterday (Jan. 23) yanked all its CPU firmware patches for the Meltdown and Spectre security flaws because the patches are causing problems for most chips.
"We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior," wrote Intel executive vice president Navin Shenoy in a company blog posting.
The affected chipsets include those using the Coffee Lake, Kaby Lake, Skylake, Broadwell, Haswell, Ivy Bridge and Sandy Bridge architectures. This encompasses most Intel CPUs dating back to 2011, including second-generation Core CPUs and later and many recent Celeron and Pentium chips. A full list of affected processors is here.
However, most end users are not directly affected, as they would receive these updates as part of firmware update bundles from the makers of their PCs.
You really only need to worry about this immediately if you're in the habit of applying CPU firmware patches yourself instead of waiting for Dell, HP, Apple, Lenovo and the like to push them out.
The Meltdown and Spectre software updates pushed out by Microsoft, Apple and Google earlier this month should not be affected by the availability of these Intel firmware patches.
What's up with the Spectre CPU patch?
Intel recalled its patches after multiple reports of frequent rebooting by systems that had installed its firmware patches. Just this morning, Dell advised its customers not to install its Spectre-fixing update.
The problem has to do with the patch that prevents one of the two Spectre attacks. The Meltdown flaw and the other Spectre attack are less problematic, but all three fixes are bundled into one Intel firmware update.
If you've already installed a Meltdown/Spectre firmware patch from your PC maker or directly from Intel itself, you may have to live with system instability for some time.
Intel says it is working on a better patch that removes the problematic Spectre patch, and that its OEMs are testing the new patch. But as for when that might be ready, Shenoy's blog posting promised only that "we expect to share more details on timing later this week."
Why this is so difficult to fix
The Spectre and Meltdown flaws are related to the way in which chips handle logical processes pertaining to operations by operating-system kernels and individual applications.
Beginning around 1995, Intel and some other chipmakers sped up their CPUs using a process called speculative execution. The CPU would guess what a kernel or application would want next, and go ahead and execute the relevant step without waiting for the actual command. Because those guesses were usually right, speculative execution saved CPUs a lot of time by essentially taking shortcuts to get ahead of the race.
But now it turns out that Intel's speculative execution exposes kernel processes to applications, resulting in the Meltdown flaw, which also affects Apple's iPhone CPUs. Speculative execution on Intel, AMD, ARM and other chips exposes application processes to each other, resulting in both Spectre flaws.
The end result is that malicious applications could read all kernel processes (Meltdown) or all processes involving other applications (Spectre). One of the Spectre attacks can even be remotely exploited by malicious code running in a web page.
Most major OS makers have patched their software against both flaws, and most major browser makers have updated their products to defeat the relevant Spectre attack.
But changing chip design to fully solve the Spectre flaw will take years. Intel's current Spectre patches are basically a workaround, and one of them creates a toggle switch that lets computer makers opt in or out of enabling it. The chip will then signal to the operating system whether the firmware patch is enabled and, if it is not, demand that the OS turn on its own Spectre mitigation.
Linux lead developer Linus Torvalds blasted this decision by Intel in a forum posting Sunday (Jan. 21), calling it "pure garbage," "f***ing insane," "completely unacceptable."
The patches "do literally insane things. They do things that do not make sense," Torvalds wrote. "The whole hardware interface is literally mis-designed by morons."