Endpoint Security

Device Manufacturers Working on BIOS Updates to Patch CPU Flaws

Acer, Asus, Dell, Fujitsu, HP, IBM, Lenovo, Panasonic, Toshiba and other device manufacturers have started releasing BIOS updates that should patch the recently disclosed Spectre and Meltdown vulnerabilities. The flaws exploited by the Meltdown and Spectre attacks[1], tracked as CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754, allow malicious applications to bypass memory isolation mechanisms and access sensitive data. Billions of PCs, servers, smartphones and tablets using processors from Intel, AMD, ARM, IBM and Qualcomm are affected.

Fortunately, tech companies have already started releasing patches and workarounds[2] designed to prevent attacks. Unfortunately, some of the mitigations can introduce significant performance penalties[3] for certain types of operations.

Intel has released patches[4], including microcode updates, for many of its processors, and AMD has promised[5] to do the same. Intel has provided the fixes to system manufacturers and they have already released or are in the process of releasing BIOS updates.

Acer

Acer[6] has informed customers that the Spectre and Meltdown vulnerabilities affect many of its desktop, notebook and server products. It’s unclear when BIOS updates will become available for a majority of the impacted devices, but the company has set a target date of March 2018 for server updates. The list of impacted products includes Aspire, Extensa, Gateway, imd, Predator, Revo, ShangQi, Veriton and Wenxiang desktops; Aspire, Extensa, Gateway, Nitro, Packard Bell EasyNote, Spin, Swift, Switch, and TravelMate notebooks; and Altos, AR, AT, AW and Veriton servers.

Asus

Asus[7] is also working on releasing BIOS updates. The company expects to release patches for affected laptops, desktops and mini PCs by the end of the month.

Asus has published a separate security advisory for motherboards[8] that support Intel processors vulnerable to Meltdown and Spectre attacks.

Dell

Dell[9] has already started releasing BIOS updates for affected Alienware, Inspiron, Edge Gateway, ChengMing, Enterprise Server, Latitude, OptiPlex, Precision, Vostro, Venue and XPS products.

The vendor expects many more updates to become available later this month. Dell has published a separate advisory for EMC products[10], including PowerEdge and Datacenter Scalable Solutions (DSS). Updates are available for many of the impacted systems.

Fujitsu

Fujitsu[11] has informed customers that many of its OEM mainboards, Esprimo PCs, Celsius workstations, Futuro thin clients, Stylistic, Lifebook and Celsius notebooks, Celvin storage devices, Primergy and Primequest servers, Sparc servers, and retail products are affected. However, BIOS updates are available only for a handful of them.

Intel

Intel[12] has started integrating the processor microcode fixes into BIOS updates for NUC, Compute Stick and Compute Card mini PCs. Updates are available for many of the products and more are expected to be released later this month.

The company is also working on updates[13] for Server Board and Visual Compute Accelerator products, but only two BIOS updates have been released to date. Intel has not provided an estimate on when more updates should become available.

HP

HP has started releasing BIOS updates that patch the Meltdown and Spectre vulnerabilities for commercial workstations; commercial desktops, notebooks and retail PoS devices; and consumer desktops and notebooks. Updates for the remaining systems are expected to become available later this month or in early February.

Lenovo

Lenovo[14] says many of its desktop, IdeaPad, ThinkStation, Converged and ThinkAgile, storage, Hyperscale, ThinkServer, ThinkSystem, System X, network switch, and server management products are affected. Lenovo has released BIOS updates for many of its solutions, and the company has also advised users to update their operating system and NVIDIA drivers to ensure that they are protected against Meltdown and Spectre attacks.

Gigabyte and MSI motherboards

Gigabyte[15] has a long list of impacted motherboards, including the Z370, X299, B250, H110, Z270, H270, Q270, Z170, B150 and H170 families. The company has promised to start releasing BIOS updates in the next few days, with updates for a majority of systems expected to become available over the next few weeks. MSI[16] has released BIOS updates for Z370, Z270, H270, B250, Z170, H170, B150, H110, X299 and X99 motherboards.

Patches are expected to become available for other devices “very soon.”

Others

IBM has released firmware patches for some of its POWER processors.

Fixes for its AIX and IBM i operating systems are expected to become available in mid-February. Getac Technology[17], a Taiwan-based firm that makes rugged notebook, tablet and handheld computers, has promised to release BIOS updates by the end of this month. Toshiba[18] has published a list of affected Qosmio, Satellite, Portege, Tecra, Chromebook, Kirabook, AIO, Regza, Mini Notebook, Encore, Excite and dynaPad devices, but it has yet to release any updates.

Some of the fixes are expected later this month. Data center hardware provider QCT[19] says it has integrated the microcode patches into a majority of its recent products. Super Micro[20] has also issued fixes for many of its single, dual and multi-processor systems; SuperBlade, MicroBlade and MicroCloud products; and embedded, workstation and desktop systems. Computing and storage solutions provider Wiwynn[21] has released BIOS updates for its SV300G3, SV7200G3, SV5100G3 and SV5200G3 products, and more are expected to become available over the next few weeks.

Panasonic[22] hopes to release updates for its laptops and tablets over the next few months.

Related: ICS Vendors Assessing Impact of Meltdown, Spectre Flaws[23]

Related: Lawsuits Filed Against Intel Over CPU Vulnerabilities[24]

Related: Industry Reactions to Meltdown, Spectre Attacks[25]

References

  1. Meltdown and Spectre attacks (www.securityweek.com)
  2. patches and workarounds (www.securityweek.com)
  3. performance penalties (www.securityweek.com)
  4. patches (www.securityweek.com)
  5. promised (www.securityweek.com)
  6. Acer (us.answers.acer.com)
  7. Asus (www.asus.com)
  8. motherboards (www.asus.com)
  9. Dell (www.dell.com)
  10. EMC products (www.dell.com)
  11. Fujitsu (sp.ts.fujitsu.com)
  12. Intel (www.intel.com)
  13. updates (www.intel.com)
  14. Lenovo (support.lenovo.com)
  15. Gigabyte (www.gigabyte.com)
  16. MSI (www.msi.com)
  17. Getac Technology (intl.getac.com)
  18. Toshiba (support.toshiba.com)
  19. QCT (www.qct.io)
  20. Super Micro (www.supermicro.com)
  21. Wiwynn (www.wiwynn.com)
  22. Panasonic (pc-dl.panasonic.co.jp)
  23. ICS Vendors Assessing Impact of Meltdown, Spectre Flaws (www.securityweek.com)
  24. Lawsuits Filed Against Intel Over CPU Vulnerabilities (www.securityweek.com)
  25. Industry Reactions to Meltdown, Spectre Attacks (www.securityweek.com)

AMD Working on Microcode Updates to Mitigate Spectre Attack

AMD has informed customers that it will soon release processor microcode updates that should mitigate one of the recently disclosed Spectre vulnerabilities, and Microsoft has resumed delivering security updates to devices with AMD CPUs. Shortly after researchers revealed the Spectre and Meltdown[1] attack methods, which allow malicious actors to bypass memory isolation mechanisms and access sensitive data, AMD announced that the risk of attacks against its products was "near zero." The company has now provided additional information on the matter, but maintains that the risk of attacks is low.

According to AMD, its processors are not vulnerable to Meltdown attacks thanks to their architecture. They are, however, vulnerable to Spectre attacks. Spectre attacks are made possible by two vulnerabilities: CVE-2017-5753 and CVE-2017-5715.

The former does impact AMD processors, but the chipmaker is confident that operating system patches are sufficient to mitigate any potential attacks. Microsoft announced a few days ago that it had suspended[2] the delivery of security updates to devices with AMD processors due to some compatibility issues. AMD said the problem affected some older processors, including Opteron, Athlon and Turion families.

Microsoft said on Thursday that it had resumed the delivery of updates to a majority of AMD devices, except for a "small subset" of older processors. AMD told customers it expects the issue to be corrected for the remaining processors by next week. As for the second Spectre vulnerability, AMD believes it is difficult to exploit against its products.

Nevertheless, the company has been working with operating system vendors to develop patches, and it has also promised to provide optional microcode updates. The microcode updates should become available for Ryzen and EPYC processors in the coming days, and for previous generation products sometime over the coming weeks. The updates will be available from system manufacturers and OS vendors.

AMD claims its GPUs are not impacted by the vulnerabilities. NVIDIA[3] also says its GPUs are immune, but the company has still provided some display driver updates to help mitigate the CPU flaws. Intel has already released patches[4], including processor microcode updates, for many of its processors. Linux users can install the microcode updates through the operating system's built-in mechanism.

The fixes for the Spectre and Meltdown vulnerabilities appear to cause problems on some systems. Ubuntu users complained that their devices failed to boot[5] after installing updates, forcing Canonical to release a new kernel update to address the issue. Intel has also become aware of reports that systems with Broadwell and Haswell CPUs reboot more often as a result of the patches.

"We are working quickly with these customers to understand, diagnose and address this reboot issue. If this requires a revised firmware update from Intel, we will distribute that update through the normal channels. We are also working directly with data center customers to discuss the issue," the company stated[6].

Related: IBM Starts Patching Spectre, Meltdown Vulnerabilities[7]

Related: Microsoft, Intel Share Data on Performance Impact of CPU Flaw Patches[8]

Related: Lawsuits Filed Against Intel Over CPU Vulnerabilities[9]

Related: Industry Reactions to Meltdown, Spectre Attacks[10]

References

  1. Spectre and Meltdown (www.securityweek.com)
  2. suspended (www.securityweek.com)
  3. NVIDIA (www.securityweek.com)
  4. patches (www.securityweek.com)
  5. failed to boot (www.securityweek.com)
  6. stated (newsroom.intel.com)
  7. IBM Starts Patching Spectre, Meltdown Vulnerabilities (www.securityweek.com)
  8. Microsoft, Intel Share Data on Performance Impact of CPU Flaw Patches (www.securityweek.com)
  9. Lawsuits Filed Against Intel Over CPU Vulnerabilities (www.securityweek.com)
  10. Industry Reactions to Meltdown, Spectre Attacks (www.securityweek.com)
