Intel Warns Its Patches for Chip Flaws Are Buggy
Intel is quietly advising some customers to hold off installing patches that address new security flaws affecting virtually all of its processors. It turns out the patches had bugs of their own.
The glitch underscores the complexity of Intel's challenge as it scrambles to fix the unprecedented vulnerabilities, which were disclosed more than a week ago.
In a confidential document shared with some customers Wednesday and reviewed by The Wall Street Journal, Intel said it identified three issues in updates released over the past week for "microcode," or firmware -- software that is installed directly on the processor. The updates are separate from patches produced by operating system companies such as Microsoft Corp.
Intel advises customers to "delay additional deployments of these microcode updates," the company said in a technical advisory. "Intel will provide frequent updates."
The document is being shared with computer makers and large cloud providers after a few reports that the updates appeared to cause some computers to reboot, said Stephen Smith, general manager of Intel's data-center group.
The bugs are "unrelated to security," he said, adding they affect a range of Intel's older PC and server chips, including Broadwell processors introduced in 2015 and Haswell chips that date back to 2013.
Intel advises consumers to use firmware updates available from their computer makers, but is advising computer makers and cloud providers to hold off from using the Intel firmware updates, Mr. Smith said.
Given Intel's chips are used so widely, some customers likely are using the chips in ways Intel didn't anticipate in testing its patches, said Paul Kocher, an independent security researcher who discovered some of the major Intel security flaws reported last week. "It doesn't surprise me a lot that there would be some hiccups," he said.
One Intel partner familiar with the document said it is problematic the company is only notifying select customers they should hold off on the patches. The public has "been given the microcode update but has not been given the important technical information that Intel recommends that you don't use this," the partner said.
Mr. Smith said that Intel plans to provide an update on the issue to the company's website.
The major security flaws disclosed last week, called Meltdown and Spectre, give hackers a way to steal secrets such as passwords or other sensitive information from many of the world's computer systems. The flaws ensnared many chip companies, including SoftBank Group Corp.'s ARM Holdings, Advanced Micro Devices Inc. and Nvidia Corp.
Intel, which dominates the market for PC and server chips, said last week it expected to soon have microcode updates issued for 90% of the processors it produced during the past five years.
The fixes for these problems, however, have caused some performance slowdowns, particularly on older Intel systems. "With Windows 8 and Windows 7 on older silicon...we expect most users to notice a decrease in system performance," Microsoft said Tuesday in a blog post.
Due to the deep nature of the flaws, tech giants' updates haven't always gone as planned. On Tuesday, Microsoft temporarily paused sending software updates to some devices with AMD processors after discovering some machines were rendered unusable. Some Ubuntu Linux users reported problems Wednesday with an update to their operating system.
Write to Robert McMillan at Robert.Mcmillan@wsj.com
(END) Dow Jones Newswires
January 11, 2018 19:27 ET (00:27 GMT)