January 12, 2018 // 11:05 a.m.
Intel has confirmed a bug in its fix for the Meltdown and Spectre vulnerabilities that can cause random reboots, on top of a performance hit that has seriously affected some server workloads.
Intel's patches address flaws in the speculative execution implementation in its processors, most of which are shared with chips from rivals including AMD and Arm. They aim to close the Spectre and Meltdown vulnerabilities, which allow unprivileged code to access supposedly protected memory and steal confidential data including passwords. Sadly, the company has been forced to confirm that the fix itself is flawed, causing systems based on its older Haswell and Broadwell microarchitectures to reboot randomly.
'We have received reports from a few customers of higher system reboots after applying firmware updates,' explains Intel's Navin Shenoy in a security update. 'Specifically, these systems are running Intel Broadwell and Haswell CPUs for both client and data centre. We are working quickly with these customers to understand, diagnose and address this reboot issue. If this requires a revised firmware update from Intel, we will distribute that update through the normal channels. We are also working directly with data centre customers to discuss the issue.'
The company's announcement, however, came only after the Wall Street Journal reported that Intel was privately telling its biggest data centre customers to delay installing the patches until it could resolve the reboot flaw, while publicly proclaiming that all its customers should update as soon as possible in order to be protected from exploitation.
At the same time, Intel chief executive Brian Krzanich - the focus of an investigation into possible insider trading following the sale of the maximum number of Intel shares permissible by law after the company found out about the Spectre and Meltdown vulnerabilities but before said vulnerabilities were public knowledge - published an open letter on the subject pledging a tighter security focus and increased transparency in the future. 'Our customers' security is an ongoing priority, not a one-time event. To accelerate the security of the entire industry, we commit to publicly identify significant security vulnerabilities following rules of responsible disclosure and, further, we commit to working with the industry to share hardware innovations that will accelerate industry-level progress in dealing with side-channel attacks. We also commit to adding incremental funding for academic and independent research into potential security threats.'