Security Experts:

HP, Dell Halt BIOS Updates Over Buggy CPU Patches

Dell, HP and other system manufacturers have advised customers not to install the recent BIOS updates designed to address the Spectre and Meltdown CPU vulnerabilities due to unstable code delivered by Intel.

The Spectre and Meltdown vulnerabilities, which allow malicious applications to bypass memory isolation mechanisms and access sensitive data, were disclosed on January 3, one week before initially planned. As a result, vendors rushed to roll out patches and many of them turned out to be unstable.

Both software and firmware patches have caused problems. On Monday, Intel told users to stop deploying microcode updates that fix Spectre and Meltdown until it addresses issues that led to reboots and other unpredictable system behavior.

Intel initially said only systems running Broadwell and Haswell CPUs experienced more frequent reboots, but similar behavior was later observed on Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms as well.

The company now says it has identified the root cause of the reboot issue and is “making good progress in developing a solution to address it.” In the meantime, it has advised OEMs, system manufacturers, software vendors, and cloud service providers to stop deploying current versions.

Following Intel’s announcement, Dell told customers not to deploy the BIOS updates designed to address one of the Spectre vulnerabilities, specifically CVE-2017-5715, which is known as “Variant 2.”

“Dell is advising that all customers should not deploy the BIOS update for the Spectre (Variant 2) vulnerability at this time. We have removed the impacted BIOS updates from our support pages and are working with Intel on a new BIOS update that will include new microcode from Intel,” the company said.

Dell told users who have already deployed the BIOS updates to revert to a previous version until the issue has been resolved.

HP has also removed BIOS softpaqs from its website and expects to reissue updates with previous Intel microcode starting with January 25.

Lenovo informed customers that it has pulled UEFI firmware updates for systems with Intel Broadwell and Haswell processors.

VMware has also decided to delay new releases of microcode updates until Intel addresses these problems.

Some systems running Red Hat and Ubuntu operating systems failed to boot after Spectre and Meltdown patches were installed.

The Meltdown attack relies on one vulnerability, tracked as CVE-2017-5754, but there are two main variants of the Spectre attack, including CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2).

Meltdown and Variant 1 of Spectre can be patched efficiently with software updates, but Variant 2 requires microcode updates for a complete fix. While some software updates have also been known to cause problems, vendors have still advised users to deploy them in order to protect their systems against potential attacks.

“The current unstable code for the Spectre and Meltdown CPU patches leaves end users vulnerable with no available options other than to wait for a stable fix. In times like these, customers should be extra vigilant to ensure they have not been compromised. Network traffic analytics should be used to monitor their environment for anomalous traffic patterns and unusual behaviors,” Bob Noel, Director of Strategic Relationships and Marketing for Plixer, told SecurityWeek.

“The secondary problem this unstable patch code creates is a general hesitancy for end users to quickly apply future patches. Early adopters of these patches experienced hardware reboots and downtime, which is likely to leave them wary of becoming early adopters for future patches,” Noel added.

Related: Industry Reactions to Meltdown, Spectre Attacks

Related: Apple Adds Spectre Protections to Safari, WebKit

Related: Fake Meltdown/Spectre Patch Installs Malware

Related: Oracle Fixes Spectre, Meltdown Flaws With Critical Patch Update

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.