Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Bug Intel Security

Intel's Chip Bug Fixes Have Bugs of Their Own (bleepingcomputer.com) 59

From a report: Intel said late Thursday it is investigating an issue with Broadwell and Haswell CPUs after customers reported higher system reboot rates when they installed firmware updates for fixing the Spectre flaw. The hardware vendor said these systems are both home computers and data center servers. "We are working quickly with these customers to understand, diagnose and address this reboot issue," said Navin Shenoy, executive vice president and general manager of the Data Center Group at Intel Corporation. "If this requires a revised firmware update from Intel, we will distribute that update through the normal channels. We are also working directly with data center customers to discuss the issue," Shenoy added. The Intel exec said users shouldn't feel discouraged by these snags and continue to install updates from OS makers and OEMs.
This discussion has been archived. No new comments can be posted.

Intel's Chip Bug Fixes Have Bugs of Their Own

Comments Filter:
  • I just got this update and this cool browser extension that makes fart sounds when you click on links stopped working with the message:

    TotallyNotAMeltdownExploit() has failed. Consider rebooting.

    They really gotta test this stuff before the push it out. ;)

  • Regression of new-bug risk is why many non-critical bugs go unfixed and why companies like IBM sometimes release patches only to those customers who complain and who are willing to accept a fix that hasn't been thoroughly tested.

    • Regression of new-bug risk

      should read

      Regression or new-bug risk

      The patch above is an "early-release" patch. It has not undergone rigorous testing. The reader assumes all implementation and other risks.

  • by Hal_Porter ( 817932 ) on Friday January 12, 2018 @02:57PM (#55916457)

    In both cases there was a lot of worry about the threat. An countermeasure was rushed out, and it seems like the countermeasure may have some side effects.

    https://en.wikipedia.org/wiki/... [wikipedia.org]

    You have to wonder in each case if there's an element of overreaction going on.

    In the Meltdown/Spectre case it the browser vendors are going to fuzz the timing functions to make side channel timing attacks harder to pull off

    E.g.

    http://news.softpedia.com/news... [softpedia.com]

    Just like Microsoft and Mozilla, Google Chrome 64 will disable SharedArrayBuffer by default and modify the behavior of performance.now() by reducing precision from 5us to 20us in order to block exploits attempting to take advantage of the security vulnerabilities.

    Also you can block third party scripts using uBlock Origin.

    https://github.com/gorhill/uBl... [github.com]

    • by sjames ( 1099 ) on Friday January 12, 2018 @05:38PM (#55917851) Homepage Journal

      It doesn't help that Intel spread some confusion. Meltdown is very serious and really does need a quick fix. Spectre needs addressing but isn't as urgent since it is quite hard to exploit successfully. Meltdown workarounds should NOT be deployed on AMD systems.

      As best as I can tell, the microcode updates (BIOS) are for spectre, not meltdown.

      • It doesn't help that Intel spread some confusion. Meltdown is very serious and really does need a quick fix. Spectre needs addressing but isn't as urgent since it is quite hard to exploit successfully. Meltdown workarounds should NOT be deployed on AMD systems.

        As best as I can tell, the microcode updates (BIOS) are for spectre, not meltdown.

        That depends on your definition of urgent. Spectre is the problem with legs and it's going to keep running. Fix meltdown once and it's fixed. But unlike meltdown, which is a poor target, because it's being addressed, Spectre presents thousands of targets on many platforms and there is no shortage of governments and criminals sharpening their attacks right now.

        There is a lot more to do to address Spectre and it involves some kind of magic where all the software engineers suddenly learn how to both develop ef

        • by sjames ( 1099 )

          Patching browsers will kill practically all vectors for the Spectre attack. Even that is a little less urgent than fixing meltdown simply because it will take longer to get from POC to practical exploit.

          • Patching browsers will kill practically all vectors for the Spectre attack. Even that is a little less urgent than fixing meltdown simply because it will take longer to get from POC to practical exploit.

            That was kind of my point. Meltdown is a short term attack with a short term fix. Spectre is a long term attack strategy which can be deployed in many contexts.

            Let's say you are an application developer in a popular application, but you have an evil streak. You could employ Spectre in a difficult to find way to attack one of the many other bits of software on a machine. This will go on and on an on. So there's a urgency to changing software development practices to adapt to this new reality.

  • by Gravis Zero ( 934156 ) on Friday January 12, 2018 @03:01PM (#55916493)

    Use AMD chips because they actually are immune to Meltdown and have already mitigated Spectre at the Microcode and OS level with a negligible impact on performance. Intel has yet to get their shit together and it's performance impact is growing with every new patch.

    • Of course, Windows bricks AMD systems now. https://www.gamespot.com/artic... [gamespot.com]
      • by hey! ( 33014 )

        And your point would be?

        • by Anonymous Coward

          It's very, very hard not to see a pattern where these "fixes" are used to screw over AMD. We see the same pattern over and over again, from ranging from the initial Linux patch for Meltdown which treated all x86 cpus as "insecure" without any exceptions, to Microsoft outright bricking AMD based computers.

          We will see much more of this. Intel is big and has tentacles going deep into both the proprietary and free software world, and apparently there is plenty of people without any kind of morals in both worlds

      • by green1 ( 322787 )

        it's not called "Wintel" for nothing....

    • Define "better". Personally I define "better" as the option that doesn't require a new motherboard, CPU and RAM.

      • Define "better".

        A superior outcome.

        • So not spending loads of money for something that can be fixed with a software update.
          Thanks for clarifying.

          • If this were about money then you wouldn't have bought Intel shit to start with. -_-
            This is obviously about superior performance.

            • If this were about money then you wouldn't have bought Intel shit to start with. -_-
              This is obviously about superior performance.

              You presume to know *when* I bought my system. For a longest time Intel was the only option when it came to performance. AMD was the choice of idealism and if you were looking for something performing worse than a Celeron. It is only recently that AMD has once again become a viable contender.

          • by HiThere ( 15173 )

            I haven't heard anything convincing that says Spectre can be fixed with a software update. Even Meltdown can only be ameliorated, not fixed, with a software update. I'll admit I don't know how much could be done with a microcode update, but my guess is that the only fix to Spectre that you could get with a microcode update would be disabling of speculative execution entirely.

            • I haven't heard anything convincing that says Spectre can be fixed with a software update.

              There's two variants of Spectre:
              Variant 1 is fixed in the kernel OR on recent processors with a microcode update. Both rely on the LFENCE opcode.

              Variant 2 is fixed in the kernel with IBRS AND a microcode update (no performance on Skylake and more recent processors). It can also be mitigated in software using retpoline in the software + kernel support (no performance hit, but relies on individual programs being updated).

              And for comlpeteness sake Meltdown is fixed in the kernel with KPTI.

              Interestingly enough

    • Use AMD chips because they actually are immune to Meltdown and have already mitigated Spectre at the Microcode and OS level with a negligible impact on performance. Intel has yet to get their shit together and it's performance impact is growing with every new patch.

      Cutting to the chase, use AMD as the fix for Intel.

  • by Anonymous Coward

    QA and QC have been outsourced to the user now, showing a dramatic cost savings for the corporations. One could be fooled into thinking that this is a bad thing for the corporations as users might decide to pay more for a product that just works, but observing the modern economy shows that society is full of a bunch of masochists who want to pay even less for the new and shiny even if it comes broken from the get go as long as the corporations promise to fix it in software later on.

  • Intel Broadwell and Haswell CPUs Experiencing Reboots After Firmware Updates

    Let's call it what it is. There's a difference between a reboot and a crash. It sounds to me like users are experiencing the latter.

  • The Intel exec said users shouldn't feel discouraged by these snags and continue to install updates from OS makers and OEMs.

    Yo Brian, It takes courage to put bugs in your bugs.

    • by tomxor ( 2379126 )

      Yo Brian, It takes courage to put bugs in your bugs.

      Clearly putting a CPU in their CPU wasn't enough.

      ...Yes i'm replying to my own comment, it's not weird, i'll be here all week.

  • by corychristison ( 951993 ) on Friday January 12, 2018 @08:43PM (#55919091)

    99 little bugs in the code
    Take one down and patch it around
    127 little bugs in the code.

Karl's version of Parkinson's Law: Work expands to exceed the time alloted it.

Working...