System OEMs Recall Meltdown/Spectre Patches

In light of the revised recommended action from Intel, major system OEMs are recalling their previously issued patches for the Meltdown/Spectre vulnerabilities. Acer, ASRock, Dell, HP, and Lenovo have all made updates on their websites notifying customers that their existing patches are defective. Dell, HP, and Lenovo also withdrew their existing patches.

Dell’s updated advisory is interesting because it said that its withdrawn patches were meant to address Spectre Variant 2 only. The company maintains that Spectre Variant 1 and Meltdown were fixed with OS patches. Dell said in its advisory:

“As a reminder, the Operating System patches are not impacted and still provide mitigations to Spectre (Variant 1) and Meltdown (Variant 3). The microcode update is only required for Spectre (Variant 2), CVE-2017-5715.”

This aligns with our previous understanding, which was that Intel’s patch was only to fix Spectre Variant 2. This assumption was based on information initially released by major tech firms like Google and Microsoft. However, this is counter to Intel’s updated advisory, which states that fixing Spectre Variant 2 was only a portion of its patch.

“For those concerned about system stability while we finalize the updated solutions, we are also working with our OEM partners on the option to utilize a previous version of microcode that does not display these issues, but removes the Variant 2 (Spectre) mitigations. This would be delivered via a BIOS update, and would not impact mitigations for Variant 1 (Spectre) and Variant 3 (Meltdown).”

Evidently, either Intel has even more versions of its patch for different OEMs, or contradictory information on the patches is being communicated to OEMs and consumers. Linux founder Linus Torvalds recently lambasted Intel’s patch in a public email, saying that they did “things that do not make sense” for “unclear reasons.”

For those not caught up on the issue, the Meltdown/Spectre vulnerabilities affect CPUs from AMD, Intel, ARM, and others, to varying degrees. Intel CPUs are heavily affected by the issue--Intel refers to it as SA-00088--and require a low-level software patch to fix. Intel created a patch, but it can’t be applied universally (i.e., through a driver update). It’s up to system OEMs to distribute the patch to their systems on a product-by-product basis.

The original patch that Intel issued to system OEMs was discovered to be defective, but system OEMs had already begun distributing the patch. The recall advisories mentioned above are a result of that. If you already installed a patch from your system OEM, then you’ll have to sit tight. Intel is currently working to have a new patch distributed to system OEMs, which should then make its way to consumers soon thereafter.

  • Myrmidonas
    "Evidently, either Intel has even more versions of its patch for different OEMs, or contradictory information on the patches is being communicated to OEMs and consumers."

    What's wrong with people working on Intel?
  • bugnguts
    Hubris
  • DerekA_C
    Intel is opening up the hole to sink their ship faster. This is really going to hurt Intel. For the first time, Intel could face financial troubles.
  • targetdrone
    So this product by product basis means those of us running hardware more than 2 years old are bone like we are when it comes to Android updates.
  • Myrmidonas
    20632129 said:
    So this product by product basis means those of us running hardware more than 2 years old are bone like we are when it comes to Android updates.

    It is a nice opportunity to observe the after sales support of every company involved and see who is going to support the as much older ones and decide who will be your next vendor....:evil:
  • aleunge22
    20632653 said:

    It is a nice opportunity to observe the after sales support of every company involved and see who is going to support the as much older ones and decide who will be your next vendor....:evil:

    Absolutely this. For example, HP has been quite transparent and provides updates/timelines throughout all of this. We have high hopes our older Elitebooks will be updated. Our Surface Pros are in the clear too. ASUS, on the other hand, has support going in circles telling us contradicting info, with still no confirmation if our workstations will be patched or not. Do they not understand consumers and businesses alike need to plan ahead?

    Definitely a good test to see which systems will be better supported, especially with older hardware. :evil: