Following on the heels of Intel detailing its new “Security-First Pledge”, the company said it needs to review potential issues users have faced with the firmware patch against the Meltdown vulnerability.
Navin Shenoy, executive vice president and general manager of the Data Center Group at Intel, said customers have reported issues with the Intel Meltdown patch on Broadwell and Haswell chipsets.
“We have received reports from a few customers of higher system reboots after applying firmware updates. Specifically, these systems are running Intel Broadwell and Haswell CPUs for both client and data center,” Shenoy wrote in a blog post. “We are working quickly with these customers to understand, diagnose and address this reboot issue. If this requires a revised firmware update from Intel, we will distribute that update through the normal channels. We are also working directly with data center customers to discuss the issue.”
Experts like Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said it was likely the reboot issues “weren’t caught due to the large number of different configurations Intel would have to test. These are non-trivial changes to make and small differences in systems can make a world of difference.”
Justin Jett, director of audit and compliance at Plixer International Inc., a network traffic analysis company based in Kennebunk, Maine, noted that Intel Meltdown patches have been promised for all CPUs by the end of January, which “seems to show that Intel is dedicated to resolving the issue in a reasonable timeframe.”
“While Meltdown and Spectre were disclosed about six months ago, the reboot issues may not have been caught in earlier testing because the environmental variables in the testing environment don’t match the environment that the few customers that experienced the issue had,” Jett told SearchSecurity. “It is fair to say that no vendor can test for every condition, and given that only a few of Intel’s customers are experiencing the reboot issue is a testimony to their quality assurance efforts.”
Williams claimed the industry as a whole likely wouldn’t be “willing to settle for slower processors that might be vulnerable unless there are proof of concept exploits available.”
“Let’s be transparent about what patches for these vulnerabilities mean,” Williams said. “They are patches that offer operating system and compiler developers the ability to write code that is secure against Meltdown and Spectre. In many cases, code will have to be recompiled to be protected against these vulnerabilities. That’s not Intel’s problem, but ‘install these patches and you’ll be fine’ is disingenuous.”
Intel’s Security-First Pledge
Intel had been facing bad press following the initial speculation surrounding Meltdown and Spectre, as well as a disappointing CES keynote and class-action lawsuits being filed due to the CPU vulnerabilities.
The potential review of the Intel Meltdown patch comes soon after CEO Brian Krzanich announced the company’s “Security-First Pledge.” In the announcement of the pledge, Krzanich promised to work with customers to find vulnerabilities, prioritize patches and be transparent about progress and potential performance issues and.
Some customers, like Nathan Wenzler, chief security strategist at AsTech, a San Francisco-based security consulting company, said the issues with Intel’s Meltdown patches go beyond release timeframes because he is “not happy with Intel’s choice to sacrifice security for performance in the architecture of their chips.”
“The announcement of their ‘Security Pledge’ is an obvious attempt to handle the non-technical issues Intel is going to be struggling with. If the question becomes, ‘Is [the pledge] valuable or just brand management?’ the answer has to be that it’s both,” Wenzler told SearchSecurity. “Internal policy and procedure changes, especially in how Intel communicates to partners and customers must change, and the public acknowledgement of that will serve as a guidepost for internal decisions to support that. Hopefully, this nudges Intel back to a place where security is truly part and parcel of all their chip designs in all cases.”
Williams noted that for decades, “Intel’s primary concern has been performance rather than security.”
“The pledge is likely brand management more than a real thing that will markedly increase security. But I’ll say this: Intel is in a better position to find processor vulnerabilities than any external researcher,” Williams said. “If their internal teams start locating vulnerabilities before external teams like Google do, that will be proof the pledge is more than just hype.”