Patches released by Intel Corp. to fix the critical Spectre and Meltdown vulnerabilities affecting its CPUs turned out to be faulty, the company admitted, urging customers to stop installing them until further notice.
Earlier this month, security researchers at Google Project Zero disclosed that data processed by the majority of modern CPUs, be they desktop computers or smartphones, could be vulnerable to critical exploits they called ‘Spectre’ and ‘Meltdown.’ Tech companies reportedly had months to prepare, and since the public announcement of the vulnerabilities, Intel released at least three patches – before discovering that its fix led some PCs to reboot unexpectedly.
On Monday, Intel announced that it “identified” the “root cause” of the problem and will soon send out another patch to fix the faulty fix. The technology giant also provided a list of Intel-based platforms that are impacted by the issue.
“We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it,” Intel Executive Vice President Navin Shenoy said in a blog post, adding that the company had already provided the patch to its partners to check whether it solves the problem. “We will make a final release available once that testing has been completed.”
In the meantime, the company advised “OEMs, cloud service providers, system manufacturers, software vendors and end users” to stop using the available versions of the patch, “as they may introduce higher than expected reboots and other unpredictable system behavior.”
The inability to properly fix the problem for weeks after the security researchers released documentation of critical vulnerabilities in modern processors used in practically every computer and smartphone around the world has sparked major criticism in the high-tech industry. Linus Torvalds, who pioneered the Linux family of operating systems, could not contain his anger. He believes Intel has not done enough to shield its users from the Meltdown and Spectre hardware-based bugs that could potentially allow hackers to steal any data, including passwords, personal photos, and emails.
“As it is, the patches are COMPLETE AND UTTER GARBAGE,” Torvalds said in a message posted to the Linux kernel mailing list on Sunday.
“All of this is pure garbage. Is Intel really planning on making this sh*t architectural?” he asked. “Has anybody talked to them and told them they are f*cking insane? Please, any Intel engineers here – talk to your managers.”
Torvalds said that the best possible solutions for the company would be to recall two decades' worth of products and to give everyone free CPUs. But instead, Intel is trying to avoid huge losses and further damage to its reputation, and intends to continue shipping flawed hardware with software protection which will be turned off by default, he explained.
“The whole IBRS_ALL feature to me very clearly says ‘Intel is not serious about this, we’ll have a ugly hack that will be so expensive that we don’t want to enable it by default, because that would look bad in benchmarks,’” Torvalds wrote. “So instead they try to push the garbage down to us. And they are doing it entirely wrong, even from a technical standpoint.”