© Ralf Hirschberger / Global Look Press
Patches released by Intel Corp. to fix highly malicious Spectre and Meltdown vulnerabilities affecting its CPUs turned out to be faulty, the company admitted, urging customers to stop installing them until further notice.
Earlier this month, security researchers at Google Project Zero disclosed that data processed by the majority of modern CPUs, be they desktop computers or smartphones, could be vulnerable to critical exploits they called 'Spectre' and 'Meltdown.' Tech companies reportedly had months to prepare, and since the public announcement of the vulnerabilities, Intel released at least three patches - before discovering that their fix led some PCs to reboot unexpectedly.On Monday, Intel
announced that it "identified" the"root cause" of the problem and will soon send out another patch to fix the faulty fix. The technology giant also
provided a list of Intel-based platforms that are impacted by the issue.
"We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it," Intel Executive Vice President Navin Shenoy said in a blog post, adding that the company already provided the patch to its partners to check if the solution was
found. "We will make a final release available once that testing has been completed."
In the meantime, the company advised "OEMs, cloud service providers, system manufacturers, software vendors and end users" to stop using the available versions of the patch, "as they may introduce higher than expected reboots and other unpredictable system behavior."
The inability to properly fix the problem for weeks after the security researchers released documentation of critical vulnerabilities in modern processors used in practically every computer and smartphone around the world, has sparked major criticism in the high tech industry. Linus Torvalds, who pioneered the Linux family of operating systems, could not contain his anger. He believes Intel has not done enough to shield its users from Meltdown and Spectre hardware-based bugs that could potentially allow hackers to steal any data, including passwords, personal photos, and emails.
"As it is, the patches are COMPLETE AND UTTER GARBAGE," Torvalds said in a message posted to the Linux kernel mailing list on Sunday.
"All of this is pure garbage. Is Intel really planning on making this sh*t architectural?" he asked. "Has anybody talked to them and told them they are f*cking insane? Please, any Intel engineers here - talk to your managers."]Torvalds said that the best possible solutions for the company would be to recall two decades worth of products and to give everyone free CPUs. But instead, Intel is trying to avoid huge losses and further damage to its reputation, and intends to continue shipping flawed hardware with software protection which will be turned off by default, he explained.
"The whole IBRS_ALL feature to me very clearly says 'Intel is not serious about this, we'll have a ugly hack that will be so expensive that we don't want to enable it by default, because that would look bad in benchmarks,'" Torvalds wrote. "So instead they try to push the garbage down to us. And they are doing it entirely wrong, even from a technical standpoint."
Reader Comments
The problem with the other vulnerability (the one called Meltdown, easier to implement by "bad guys") is easier to solve in theory, but it involves recompilation of every software, which is impossible. The "fixes" are like a temporary solution, again, and they won't even work in all possible scenarios, meaning they are worthless. Plus the overhead cost (basically the major reason for speed gains in CPUs is being cancelled).
By the way, these fixes are actually being stopped from distribution right now, Intel advised on Monday against its own microcode update (lack of which makes you still unable to fully utilise the software update), because of serious side effects, which were "bigger than expected". Microsoft also doesn't push its update (which involves only systems from Win7 up, for comparison the patch against WannaCry malware from March 2017 was given even to Win XP and Vista, despite not being supported anymore, and that patch was trivial in comparison).
For example, to patch a type 1 hypervisor (usually a professional solution) you need to update: microcode (typically a BIOS patch, often unavailable or buggy), server firmware (often unavailable or untested), hypervisor software (likewise), operating system (mentioned earlier), and virtual machines themselves. It like, you need to update everything.
This fiasco is created by hunting for performance. The boundary between kernel space and user space was breached in branch prediction technology, just to make things speedier. Now this is being undone - and more.
The response (also a fiasco) is something deeper. It would require another article. The main reason for it is the rushed try to save the face of the cloud storage and procession business, which allowed such things like cashless society and total control of population. With these vulnerabilities, it is possible to gain access to data of other businesses (governments, people) using the same cloud facilities. This means loss of trust in such solutions. Which could mean their end, and return to decentralised processing... They already compare this possibility to the biggest economic crises.
And finally, a comparison. These vulnerabilities allow (amongst other things) for entities living in the Matrix (named virtualised environment = sandbox = containment system, or simply a guest) to affect and thus leave the Matrix (hypervisor, or a host). It like you captured a tiger in order to observe it and teach to perform tricks, but the tiger somehow escaped the cage and is now observing you. And is very angry. Who will perform tricks now?