• Intel says STOP installing firmware updates

    #161076

    In another stunning announcement, Intel now says that you should NOT install firmware updates. No specific word on Surface devices yet, but I bet the
    [See the full post at: Intel says STOP installing firmware updates]

    11 users thanked author for this post.
    • #161083

      Just as I thought: we have no choice but to stay out of the Infield (and Duck & Cover in-place…).

      Hot off the presses, here’s the Computerworld article by Da Boss: Belay that order: Intel says you should NOT install its Meltdown firmware fixes.

      3 users thanked author for this post.
    • #161078

      Hmm, I wonder whether all the computer manufacturers and their employees are or will get frothing at the mouth mad at Intel?

    • #161099

      Yeah, but how do you stop the updates beyond 30 days in Windows 10? I own a Surface 3 and a Surface 4. While I’ve followed all of the advice I’ve read here and elsewhere about delaying updates, there seems to be no way to thwart the process beyond 30 days.

      If Microsoft denotes an update as “critical” (my word), even the metered connection tweak won’t prevent the auto-update.

      • #161131

        I disable Windows Update, Update Orchestrator and BITS, and when I enable them again I check updates with wushowhide, and when I am done blocking I run Windows Update. At least this works for me; I don’t know about you.

      • #161327

        Firmware updates have to be downloaded and installed, except on the Surface, which gets the updates from Windows Update.

        3 users thanked author for this post.
    • #161116

      Speechless.

    • #161118

      Does this include microcode updates?

    • #161109

      The Intel update relates to the Broadwell/Haswell reboot problem doesn’t it? On the Intel page you link to in the Computerworld article (and in the comments by someone else) the long list of affected processors is a part of the original statements and, scrolling down, the update of today (22nd January) specifically refers to Broadwell/Haswell processors.

      At least that is how it reads to me.

      2 users thanked author for this post.
      • #161134

        Posted a few days ago:

        The bad news: Intel has previously warned that the microcode update it issued to provide some processor-based mitigation for some kinds of Spectre attack was causing machines with Haswell and Broadwell processors to reboot. It turns out that the problems are more widespread than previously reported: the chip company is now saying that Ivy Bridge, Sandy Bridge, Skylake, and Kaby Lake systems are affected, too.

        2 users thanked author for this post.
        • #161204

          Posted a few days ago:

          the chip company is now saying that Ivy Bridge, Sandy Bridge, Skylake, and Kaby Lake systems are affected, too.

          Well, at least that suggests that Ivy and Sandy are included as far as the updates go.  It was not long ago that it was only going to be Haswell and newer or something like that (from Intel; motherboard or PC makers could choose to be even more restrictive).

          This situation is far too dynamic and far too risky to wade into at the moment.

          Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
          XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
          Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

          1 user thanked author for this post.
      • #161232

        It’s the old boot problem, but the advice is to avoid ANY firmware upgrades, on any platform.

        Re-reading the supporting info, it isn’t clear (to me) if the halt has been called just for Broadwell and Haswell chips, or for all of Intel’s product line. Here’s what the official announcement says:

        Updated Jan. 22

        We have now identified the root cause of the reboot issue impacting Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Based on this, we are updating our guidance for customers and partners:

        • We recommend that OEMs, Cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions on the below platforms, as they may introduce higher than expected reboots and other unpredictable system behavior.
        • We also ask that our industry partners focus efforts on testing early versions of the updated solution for Broadwell and Haswell we started rolling out this weekend, so we can accelerate its release. We expect to share more details on timing later this week.
        • For those concerned about system stability while we finalize the updated solutions, we are also working with our OEM partners on the option to utilize a previous version of microcode that does not display these issues, but removes the Variant 2 (Spectre) mitigations. This would be delivered via a BIOS update, and would not impact mitigations for Variant 1 (Spectre) and Variant 3 (Meltdown).

        We believe it is important for OEMs and our customers to follow this guidance for all of the specified platforms listed below, as they may demonstrate higher than expected reboots and unpredictable system behavior. The progress we have made in identifying a root cause for Haswell and Broadwell will help us address issues on other platforms. Please be assured we are working quickly to address these issues.

        Then there’s a link to this list of Intel products, which includes Coffee Lake, Kaby Lake, Skylake, Broadwell, Haswell, Ivy Bridge and Sandy Bridge processors.

        Clear as mud.

        The problem extends beyond Haswell and Broadwell. As Intel said on Jan. 17:

        we have determined that similar behavior occurs on other products in some configurations, including Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms.

        So it isn’t clear if the “Belay that order” order applies just to Haswell and Broadwell, or to Haswell, Broadwell, Ivy Bridge, Sandy Bridge, Skylake and Kaby Lake as well.

        4 users thanked author for this post.
        • #161341

          #161232
          Da Boss is workin’ late.

           

          1 user thanked author for this post.
    • #161112

      I haven’t updated squat since the December Group A rollup, MSRT and .NET, with the exception of manually updating Defender every week or so.

      I have an Intel i5-3470 on a Gigabyte Z77 mobo, running Win 7.1 x64 Home Premium, with an Nvidia GPU card.

      I’m guessing I should stay bunkered in, yes?

       

      1 user thanked author for this post.
    • #161122

      Yes interesting that I noticed Dell had pulled the version that its update app installed on my PC. Yet they now only show the previous, the kicker is that many are reporting issues trying to go back to a previous bios release. I myself tried to go back one version and got a notice the bios was unsupported and could not be installed. A few XPS 13 users also were complaining about this issue and Dell support told them they were working with Intel to resolve the issue. What a * mess is all I can say.

      4 users thanked author for this post.
    • #161136

      I wonder if PC makers have been shipping PCs with the new firmware.

    • #161138

      What an utter shambles; nothing more needs to be said, really.

      2 users thanked author for this post.
    • #161141

      This is a total disaster at this point. Woody, did you also see Microsoft’s guidance for installing these patches with Exchange server? They pretty much said “don’t do it.”

      Really starting to look like the industry really has no answer for all this, just some bad kludges that are meant to turn the negative press away.  Starting to become clear that the only “fix” is silicon redesign.

      3 users thanked author for this post.
    • #161166

      Does this include microcode updates?

      Yes as the Intel Microcode update is the basis of bios update the various MB makers create.

      Using the Linux microcode update and VMware’s drivers to update the M_code Windows sees, instead of a BIOS flash, does make it a lot easier to undo.

      Viper

      1 user thanked author for this post.
    • #161180

      Redhat has refused to deliver any more firmware updates to their paying clients. They have informed them to contact their OEM for the fixes for Spectre. Ubuntu just followed suit. It appears they are fed up with Intel.

      I read this on Martin Brinkmann’s blog (ghacks) yesterday.

      https://www.ghacks.net/2018/01/21/redhat-reverts-patches-to-mitigate-spectre-variant-2/

      • #161186

        Unfortunately, Red Hat’s move does nothing to solve the Spectre problem and that’s not the kind of attitude that’s needed.

        As I understand it the Linux way of updating the firmware is much more undoable than a BIOS update. If that’s true, why can’t Windows/Microsoft do firmware updates the same way so that if something heads south it’s easier to fix or undo?

        • #161217

          As I understand it the Linux way of updating the firmware is much more undoable than a BIOS update. If that’s true, why can’t Windows/Microsoft do firmware updates the same way so that if something heads south it’s easier to fix or undo?

          Microsoft can, and does… or did, anyway.  I’ve seen several microcode updates in Windows Updates, but someone pointed out the other day that it has been quite a while since one of these has been issued, even though Intel (and perhaps AMD; I haven’t been following them) have been chugging right along with the updates themselves. Whether Microsoft will choose to do this in the near future is anyone’s guess, but they certainly are capable of offering the microcode updates in that manner.

          Whether or not it is more undoable to have the microcode updates delivered by the OS depends on the restrictions the motherboard/PC maker has put in place.  Undoing a firmware update in Linux or Windows is as easy as uninstalling the update and rebooting (assuming you can get the thing booted in the first place).  Ideally, undoing the microcode update delivered via firmware would be as simple as flashing the previous firmware version when the new one fails to work adequately… but some OEMs won’t let you go backwards in version number, and you may have to bend over backwards (heh) to get it to happen. It is also possible that they would not offer the old firmware for download, so if you didn’t dump your existing firmware to a file before the update, you might not be able to.  Not sure how often that happens, but it’s at least a possibility to be aware of.

          In my new laptop (not yet a month old), the firmware updates are delivered by the OEM (Dell) in the form of a single Windows .exe file.  I checked for and found a firmware update available as soon as I got it out of the box, and I installed it (pre-Meltdown) before I wiped Windows 10 and put Linux Mint on it.  I never tried to extract the firmware image from the .exe at that time (since I didn’t need to), so I don’t know how feasible this is.  If it isn’t possible, firmware updates are going to be an even bigger hassle.

          Since all of my PCs except that Dell are older, it’s a near certainty that they’re not going to get any updates from the OEM.  If Intel releases the microcodes, I can plug them into the firmware version I am already using and flash that.  At least this makes the removal process easier, should it be necessary, since flashing to the same version that is in use now shouldn’t trip any alarms.

          Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
          XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
          Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

          1 user thanked author for this post.
    • #161185

      ? says:

      thank the stars above for ms-defcon 2

      Mr. Torvalds says: “… a fun trip with pretty pictures.” (among other things that should not be repeated in pleasant company)

      it is also nice to have a box of spare parts for this interesting January

    • #161203

      I think the attitude (or more so business posture) that Redhat and Ubuntu have taken is appropriate. Their customers did not buy their hardware from Redhat and Ubuntu, they bought it from the OEMs. Spectre V2 requires a firmware update, not an OS update. It is also untrue that Redhat and Ubuntu have contributed nothing to dealing with Spectre. They are working on the variants that require their attention and will issue fixes when they are fully tested.

      Intel has failed to deliver a reliable fix to the OEMs. If the fix is inadequate to either Windows or Linux systems, it makes no difference how easy it is to install. Yes, it is easier to back out a Linux firmware update, but Linux does not guarantee it will always be 100% successful. The same goes for a Windows system.

    • #161208

      While I have seen many lists of affected CPUs, this one is a full list with all the model numbers by family. Given that it is Revision 4.0, you may wish to bookmark the article.

      At the https://www.techarp.com homepage, under Guides

      The Complete List Of CPUs Vulnerable To Meltdown / Spectre Rev. 4.0

      Intel Desktop CPUs Vulnerable To Meltdown + Spectre
      https://www.techarp.com/guides/complete-meltdown-spectre-cpu-list/5/

      Intel Mobile CPUs Vulnerable To Meltdown + Spectre
      https://www.techarp.com/guides/complete-meltdown-spectre-cpu-list/6/

      Use Piriform Speccy or CPU-ID for identifying your exact CPU number. You can also use the Intel Processor ID Utility available on the Intel website.

      • #161258

        Thanks, there could be a plethora of AMD APU models added to that list.

      • #161680

        That indeed lists all of them, but I’m curious why Intel’s site only lists the CPUs going back to the second generation and not before. There is no 1st generation listed, unless they are included in the (45nm and 32nm) categories. You’d think they’d be a bit more thorough with listing EXACTLY the CPUs affected.

    • #161222

      I never intended (nor will I) to get a BIOS or firmware update at all,
      and I actually disabled the “mitigation” fixes in Windows.

      This whole Meltdown / Spectre fuss represents zero interest for me 😀

      9 users thanked author for this post.
    • #161231

      Question (a real one) – Just how dangerous are Meltdown, Spectre, etc. to SOHO user who does not game? The almost daily changes in advice make it difficult to be sure what to do other than sit tight.

    • #161239

      I have a HP laptop (dv-5203tu) that I bought in 2006 with an Intel 2050 @ 1.60GHz that Inspectre says is vulnerable to Meltdown and Spectre.

      Still running extremely well after all these years – came with a 60GB hard drive, 512MB RAM and Windows XP Professional. Been running Windows 7 Home Premium on a Samsung SSD and 2GB RAM for quite a few years now without issue apart from the occasional format and reinstall of Windows 7.

      Guess I won’t be seeing any sort of BIOS update for this machine but I am going to keep on using it until it dies. I use Pale Moon with NoScript and uBlock Origin when I’m online with it.

    • #161257

      Woody, when you said you can’t uninstall the BIOS updates in your article, did you just mean that it’s not a practical endeavor for a lay user? Because you should be able to reflash a pre-Meltdown/Spectre version of the BIOS in many cases. Sometimes manufacturers make it to where you can’t downgrade BIOS version though.

      Even if you can’t downgrade BIOS, sometimes you can work around it by making a custom BIOS using UBU to change the CPU microcode to the version of your choosing. If you are willing to make a little extra effort and assume a little more risk, that is.

    • #161247

      “By implication, that means the Meltdown/Spectre firmware updates you’ve installed from Lenovo or HP or Dell are officially trash.”
      Isn’t it a bit over-generalized conclusion?
      Here is a list of Intel-based impacted platforms:
      https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

      Intel® Core™ i5 processor (45nm and 32nm)
      Intel® Core™ i7 processor (45nm and 32nm)

      So would you call the new firmware as a “trash” in case of running some newer CPUs, e.g. i5-4590 (22nm)
      https://ark.intel.com/products/97185/Intel-Core-i7-7700HQ-Processor-6M-Cache-up-to-3_80-GHz
      or i7-7700 (14nm):
      https://ark.intel.com/products/80815/Intel-Core-i5-4590-Processor-6M-Cache-up-to-3_70-GHz

    • #161277

      Dell Update updated my BIOS about 3 or 4 days ago and after running Gibson’s scanner, it still says that I’m not protected on Spectre but I’m alright on Meltdown which is the same results I had before the update. It leaves me wondering if the update I got had anything to do with Meltdown/Spectre or if it was just one of their regularly scheduled updates. This whole thing has gotten completely blown out of proportion and some of these tech companies, I feel, are crying wolf. I don’t doubt there is some truth to it, but really, just how serious is this to cause concern, confusion and panic among people who wouldn’t know how to deal with the scope of the matter anyway? I have not noticed any problem with the update yet. (Knock on wood)

    • #161321

      Guys, what are people doing who are in the market for new hardware … wait and see? How long though?

    • #161329

      I wonder if Microsoft, the champion of the “updates-must-be applied-within-nanoseconds-of-release-or-the-universe-will-end” madness, have updated all their servers/workstations/etc?

      Part of me sincerely hopes so… 🙂 perhaps it will teach them a lesson, though I doubt it, their stamina in persisting with clearly failed methodologies would make a marathon runner green with envy…

      Hanlon's Razor: Never attribute to malice that which can be adequately explained by stupidity.

      6 users thanked author for this post.
    • #161345

      Does this include microcode updates?

      That is exactly what this is about.

      1 user thanked author for this post.
    • #161366
      Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider
      • #161471

        From comments below this article:

        A business decision, not technical

        “Torvalds observed that the cost of using IBRS on existing hardware is so significant that no one will set the hardware capability bits”. And that is exactly the point, as a “business” mind sees it.
        This way, it will be the user who becomes responsible for insecurity as he failed to turn on the protection bit.
        Or he can turn it on and suffer with the resulting low performance – and that, too, will be his responsibility.
    • #161404

      To address Woody’s update question, I interpret Intel’s announcement as applying to all those Intel products “listed below”, that is all those in their list (which is linked in the article and summarised) and not just the Broadwell and Haswell ones.

      However, the BBC is today reporting the announcement in terms that all Intel updates should be suspended, in effect until Intel know what they’re doing. That seems to me to be the safest course of action.

      http://www.bbc.co.uk/news/technology-42788169

      1 user thanked author for this post.
      • #161512

        They also said: “The progress we have made in identifying a root cause for Haswell and Broadwell will help us address issues on other platforms.”

        I think, I’ll do a little write-up of the (more and more) advantages of being in Group L… as with all the recent issues and problems, this one too left us completely untouched and unaffected…

    • #161454

      Linus Torvalds declares Intel fix for Meltdown/Spectre ‘COMPLETE AND UTTER GARBAGE’

      https://techcrunch.com/2018/01/22/linus-torvalds-declares-intel-fix-for-meltdown-spectre-complete-and-utter-garbage/

      The next day, my Ubuntu 16.04 LTS Linux kernels 4.4.x and 4.13.x get new kernel updates.

      Microcode patches are still installed. Firmware update which was performed is still in place. Intel NUC with core-i5 Skylake processor.

      More granular CLI methods of testing for Meltdown and Spectre vulnerabilities report Meltdown not vulnerable, Spectre#1 not vulnerable, Spectre#2 and Spectre#3 vulnerable. Changes in this status since the original firmware patch Jan. 10th have occurred with each new Linux kernel released.

      Still waiting to see what all the fuss is about. The NUC is running fine, thank you.

      I did have to download and run the Synaptic graphical package installer to clean up all the extra kernels this mess has left in my GRUB2 boot menu, but that’s a trivial side-effect.

      So what’s all the fuss about (other than Haswell and Broadwell chips) ?

      We have a long, bumpy road ahead of us, folks!

       

      -- rc primak

      5 users thanked author for this post.
      • #161516

        Nice, thanks.

        Have you done any performance tests? Or can you tell any difference?

        • #161796

          I am not a very technical person. So no, I haven’t benchmarked or stress-tested my Linux performance. Mostly I do mundane everyday tasks, like Web browsing, email, and managing simple spreadsheets. So I may not be doing the sorts of things which would reveal any performance issues. On the other hand, I suspect most non-technical users would be getting similar results if their systems aren’t being impacted much.

          My main point is that blue screens are not happening, so in my setup the Skylake core-i5 chip appears to be safe with the Intel firmware update(s). And the Linux kernel updates. YMMV.

          -- rc primak

          1 user thanked author for this post.
    • #161494

      Thank you so very much, BillC for posting those links to the “techarp” site, and to those at “techarp” for going to all the trouble of creating such a comprehensive and easy to use list of potentially afflicted Intel CPUs (where I can see that my very own, by now ancient “Sandy Bridge” is included).

      Making that list, with a promise to keep it up to date (the one in the links is from several days ago), is no trivial endeavor, considering that Intel has created, by now, about one Gillion Zillion Googolplex variants of the multi-core processor!

       

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #161522

      I am running a Haswell i7 4770K CPU in an Asus MOBO with the Z87 chipset. I would be surprised if Asus ever releases a BIOS/microcode update for Spectre for this chipset even though the hardware is under 4 years old. I think many folks will be left in a similar position and will just need to run somewhat exposed as their hardware is still fully capable from a performance standpoint. This has become more than a major distraction for many people.

    • #161525

      Jeez, disappointment from MS, now this... looks like the Intel sillycon is exposed!

      Certainly makes me think that ‘moore’s law’ was nothing more than a PR exercise.

      Windows - commercial by definition and now function...
    • #161543

      I can confirm that manufacturer pushed updates are causing issues:

      Got 2 calls this week for Dell laptops that had a Dell popup “updates available”.
      This was from Dell’s bundled Update software, not Windows.
      In both cases users reported no option to delay or stop the update.
      In both cases laptops now will not boot Windows 10 at all.
      Not from internal existing hard drive.
      Not from brand new (created 1-22-18) 1709 install media.
      BSODs: memory control and paging in unpaged area.
      In both cases Dell has no BIOS available on the support site (they pulled it).
      Cannot roll back BIOS, already tried.
      Called support, answer was “be patient, we might have a new BIOS sometime soon…”
      Both laptops boot and run Linux fine, also ran Win 7 in VMware on Linux host fine…

      2 users thanked author for this post.
      • #161571

        OUCH.

        You should be able to return those laptops to Dell.

        Any idea which models? Folks should be warned….

    • #161554

      So I am still on my i7-4790K from 2013. I had plans to upgrade eventually, as soon as I saw the final future for WIN10 and all its various iterations and issues with user data etc.

      But at this point with all this I’m wondering if even that is worth it.

      Q. Will these Intel patches eventually make it into new silicon?  Any word on Intel making a permanent manufacturing fix to future processors in any known time frame?

    • #161600

      I sit here with an Intel DX58SO2 Extreme MB and an Intel i7-960 Bloomfield 45nm process CPU in a homebuilt PC, and Intel is my OEM. Let’s see if THIS OEM gets out a patch.

      Waiting patiently… 🙂

    • #161602

      This makes it crystal clear:

      https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/microcode-update-guidance.pdf

      (A) Haswell and Broadwell CPUs definitely had a random reboot issue and Intel has identified the problem code.

      (B) Skylake and Kaby Lake CPUs may have also been affected. (Note ASRock has now pulled ALL new January 2018 BIOS updates for all Skylake and Kaby Lake MBs. No MBs before these had BIOS updates finished / tested yet.)

      (C) The references to Sandy Bridge and Ivy Bridge CPUs were a red herring, an “oops” all the way. Intel had not released any microcode updates, even beta, for these CPUs yet. (Probably simply hadn’t got that far down the affected CPU list yet.)

      Viper

      2 users thanked author for this post.
      • #161614

        Any way to “reverse” a bad BIOS update?

        If folks can install an older BIOS, how would they find the right one? MCU version IDs are nice, but how do they translate into real, downloadable firmware updates?

        I have a sneaky suspicion that this is going to turn into a massive hunt for vendors’ (Lenovo, HP, Dell) support pages.

        • #161622

          Perhaps MC Extractor can find the microcode version in a BIOS update file. (I have not tried MC Extractor.)

        • #161649

          I am not aware of an easy BIOS “reversal” per se. When I was doing updates a few years ago to my machine after the build (it is a BIOS machine and not UEFI), the official line was flashing an older BIOS over a problematic newer version was “not supported”.

          I did research before doing any updates and found that it could be done on some boards, with risk, as long as you used bootable media and not an installer. Even so it might not take and if there was a microcode issue to fix a specific problem on a specific motherboard or peripheral, regression might undo the fix, or might not.

          Also, in the production life of a popular motherboard, there may be versions of the same board, with changes of certain board components that initially proved problematic or unreliable. If the later versions shipped with BIOS 3, trying to use an earlier BIOS may not work due to the changes, yet will work on an earlier version.

          Basically, my takeaway was if you brick your board with an attempt at reversal, it sounded like getting an RMA was going to be hard. I never tried it myself and would probably do so only if my issue was severe and the board was out of warranty and I had a backup PC.

          This is why reading the support forums, the support documents and other research before acting is the best advice, and when a person says this or that can be done on this or that motherboard, watch that discussion and make sure it is EXACTLY the one you have before you act. It is also why every BIOS I have ever flashed had a readme file and change log saying the manufacturer did NOT recommend flashing the BIOS unless you were experiencing the issues the new version was fixing.

          I also know some gaming boards are dual BIOS or UEFI, one for pedal to the metal overclocks and a second for normal use. Not sure of what that could entail with all this.

          All I know is every time I have updated the UEFI BIOS on my Lenovo laptop it has been easy and quick using the Lenovo Updater. However, I still sat there on pins and needles. I have a pending UEFI update released October 2017 for the laptop, but had not installed it because it is very strongly worded that the install is NOT reversible and the issues it was fixing were not real specific. I now wonder if it was related in some way to this current problem. I think I will just be patient and wait and watch.

          1 user thanked author for this post.
    • #161638

      Perhaps MC Extractor can find the microcode version in a BIOS update file. (I have not tried MC Extractor.)

      Don’t need to. 07/07/2017 was the last microcode Intel released for its CPUs before the buggy 01/08/2018 “oops” release.

       

      07/07/2017 Microcode here:

      https://downloadcenter.intel.com/download/26925/Linux-Processor-Microcode-Data-File

      Viper

       

      1 user thanked author for this post.
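A way to answer the “which microcode version is in this file” question from the posts above, as an added example that is not part of the thread and is not MC Extractor: a small Python parser for the Intel microcode update header (layout from the Intel SDM, checksum rule as the Linux loader applies it), run here over constructed sample updates whose revision, date and CPUID values are made up for the demo.

```python
"""Locate and decode Intel microcode updates in a BIOS image or microcode data
file (added example, not from the thread and not MC Extractor).

Header: nine little-endian dwords (header version, update revision, BCD date,
processor signature, checksum, loader revision, platform flags, data size,
total size) plus 12 reserved bytes, as in the Intel SDM Vol. 3A. Like the
Linux loader, we require the dword sum of header + data to be zero.
"""
import struct
from dataclasses import dataclass

HEADER_FMT = "<IIIIIIIII12s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 48 bytes
HEADER_MAGIC = b"\x01\x00\x00\x00"          # header version 1, little-endian
DEFAULT_DATA_SIZE = 2000                    # implied when the data size field is 0
DEFAULT_TOTAL_SIZE = 2048


@dataclass
class MicrocodeHeader:
    offset: int          # where the update starts in the scanned blob
    revision: int        # what /proc/cpuinfo shows as "microcode" once loaded
    year: int
    month: int
    day: int
    signature: int       # CPUID signature the update is for
    platform_flags: int  # platform ID bitmask
    total_size: int

    def date_str(self):
        return f"{self.year:04d}-{self.month:02d}-{self.day:02d}"

    def describe(self):
        return (f"offset {self.offset}: rev 0x{self.revision:x} dated {self.date_str()} "
                f"for CPUID 0x{self.signature:x}, platform flags 0x{self.platform_flags:02x}")


def _bcd(value, digits):
    """Decode a packed-BCD integer; raise ValueError on a non-decimal nibble."""
    out = 0
    for i in range(digits - 1, -1, -1):
        nib = (value >> (4 * i)) & 0xF
        if nib > 9:
            raise ValueError("bad BCD nibble")
        out = out * 10 + nib
    return out


def _dword_sum(buf):
    """Sum of the little-endian dwords of buf modulo 2**32."""
    return sum(w for (w,) in struct.iter_unpack("<I", buf)) & 0xFFFFFFFF


def parse_header(buf, offset=0):
    """Return a MicrocodeHeader for the update at buf[offset:], or None if invalid."""
    if offset + HEADER_SIZE > len(buf):
        return None
    (hdr_ver, rev, date, sig, _chk, ldr_ver, flags, data_size,
     total_size, _reserved) = struct.unpack_from(HEADER_FMT, buf, offset)
    if hdr_ver != 1 or ldr_ver != 1:
        return None
    if data_size == 0:
        data_size, total_size = DEFAULT_DATA_SIZE, DEFAULT_TOTAL_SIZE
    if (HEADER_SIZE + data_size) % 4 or total_size < HEADER_SIZE + data_size:
        return None
    if offset + total_size > len(buf):
        return None
    # Header + data must sum to zero; this rejects stray 0x00000001 dwords in the image.
    if _dword_sum(buf[offset:offset + HEADER_SIZE + data_size]) != 0:
        return None
    try:  # date dword is mmddyyyy in BCD
        month, day = _bcd(date >> 24, 2), _bcd((date >> 16) & 0xFF, 2)
        year = _bcd(date & 0xFFFF, 4)
    except ValueError:
        return None
    return MicrocodeHeader(offset, rev, year, month, day, sig, flags, total_size)


def scan(buf):
    """Scan a blob for valid updates, skipping over each one that is found."""
    found = []
    pos = buf.find(HEADER_MAGIC)
    while pos != -1:
        hdr = parse_header(buf, pos)
        if hdr:
            found.append(hdr)
            pos = buf.find(HEADER_MAGIC, pos + hdr.total_size)
        else:
            pos = buf.find(HEADER_MAGIC, pos + 1)
    return found


def build_update(revision, date_bcd, signature, flags=0x01):
    """Construct a fake update with a valid zero-sum checksum (demo data, not real microcode)."""
    data = bytes(DEFAULT_DATA_SIZE)
    header = struct.pack(HEADER_FMT, 1, revision, date_bcd, signature, 0, 1, flags,
                         len(data), HEADER_SIZE + len(data), bytes(12))
    checksum = (-_dword_sum(header + data)) & 0xFFFFFFFF
    return header[:16] + struct.pack("<I", checksum) + header[20:] + data


if __name__ == "__main__":
    # Constructed sample: padding, a "July 2017" update, padding, a "January 2018" update.
    sample = (b"\xff" * 37 + build_update(0xC2, 0x07072017, 0x000506E3)
              + bytes(100) + build_update(0x80, 0x01082018, 0x000506E3, flags=0x36))
    for h in scan(sample):
        print(h.describe())
```

On a real image, `scan(open(path, "rb").read())` lists every update with its date and CPUID, so a file can be matched against the 07/07/2017 vs 01/08/2018 releases discussed above.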
    • #161651

      Any way to “reverse” a bad BIOS update?

      If you have a desktop type system the answer is an absolutely, positively ……. MAYBE!!!

      If you built (or had built) your system using a major brand MB maker like ASRock, Asus, Gigabyte, MSI, etc. then you can go to their website and get the previous BIOS (last one before 2018) for your exact MB model (open the case and look at the MB sticker if ya need to). Most modern MBs with UEFI firmware (roughly Nehalem MBs and later) have built-in flash tools (press F6 during / just after POST) that make it pretty easy. They will not let you flash an incorrect image (well, at least they shouldn’t if they meet full UEFI spec). In most cases back-flashing is allowed but there are exceptions where once ya “jump the broom” it is really “till death do you part”. That would be very unlikely here though, as that typically occurs when an early gen / revision MB is updated to take a newer CPU than the original BIOS was coded for. Adding Kaby Lake CPU support to an earlier Skylake-only (at the time) MB is a prime example of “no backies”.

      Now if you got your desktop rig from a big OEM builder like Dell, HP, Lenovo, etc. it gets harder. Their OEM style MBs are typically designed to keep the user out of the firmware/BIOS “guts”. All you can do is look around their support sites for info on your rig. A good place to start would be the manual that came with your rig. It should at least have a support URL (hopefully still working) listed in it.

      Smaller and boutique OEM box builders like MainGear (and the umpteen oodles of others) often use major brand MBs (sometimes relabeled), so crack the case and have a look-see.

      There is no need to even talk about pre-UEFI firmware boxes (pure BIOS systems), as nothing that old has even smelled a microcode update in years.

      Now if ya got a Notebook / Tablet …. Well I wish good luck. They are not my bag at all.

      Viper

      4 users thanked author for this post.
    • #161663

      Guys, what are people doing who are in the market for new hardware … wait and see? How long though?

      Advising my clients to sit tight for a while but if they need a machine now to go with Skylake or above or AMD.

      About all you can do at this point.

    • #161712

      Intel has now pulled the 01/08/2018 Microcode Data File from the Download Center.  The latest version available now is 20171117 – 11/17/2017.

      Viper

      1 user thanked author for this post.
    • #161744

      Hi everyone,

      The following initially discusses the potential pitfalls of trying to revert to earlier BIOS versions. Far more important, and for your consideration, is what follows after my discussion about reverting to earlier BIOS versions.

I have managed to revert to earlier versions of a BIOS on two of my home built desktop computers. Yet I never tried to undo a BIOS update which included new microcode. Reverting to an earlier BIOS version which contains no microcode most likely will be either problematic or will fail altogether, if your current BIOS is using newer microcode, since the BIOS code itself may have been tweaked to only work properly for the newer microcode. Moreover, something called an M-Flash module in BIOS usually gets updated when new microcode is incorporated into the BIOS update.

      When reverting to an earlier BIOS version, I did so from bootable media, and I only did so after FIRST RESETTING the current BIOS to its default settings. I say default settings — not optimized settings. One must also make sure that any Fast Boot and Go To BIOS options are also turned off. And one must also make sure to remove all BIOS passwords for either accessing the BIOS or for allowing the computer to access drive C in order to continue to boot up. If you are really paranoid, and you should be if you are trying to revert to an older BIOS version, you should remove installed graphics cards and unplug all USB devices. In other words, your computer monitor should then be hooked up to the motherboard’s built-in VGA or DVI port — whichever is the default port for the BIOS, before you attempt to revert to an older BIOS. It is possible that you might also need to disable UEFI and ME in BIOS before you attempt to revert to an older BIOS, and then re-enable UEFI after you have successfully reflashed the BIOS.

      The only way which one “might” be able to revert to an earlier BIOS and older microcode is perhaps to revert to an earlier BIOS which also had an older incorporated microcode update. If that does actually work and does not brick your computer’s motherboard or cause other issues, then one would have to upgrade the BIOS to whatever the latest BIOS is which does not have Intel’s new January microcode.

      In any event, trying to revert to an earlier BIOS using the OEM’s Windows utilities probably is not a good idea. The way that I did it was from within BIOS. My computer’s BIOS has a feature which could read the .bin file from a flash drive.

      I am no expert. I have merely endeavored to point out the potential risks of flashing earlier BIOS versions — especially if your present BIOS includes newer microcode in comparison to what previous BIOS versions expected to be present in your BIOS.

      On a final note, I do recall that in April 2017 Microsoft pushed CPU microcode updates down the Windows Update chute, and that this caused issues on some computers. This caused quite a stink in terms of who should roll out microcode updates — the OEMs or Microsoft. Needless to say, those MS distributed microcode updates were all about providing compatibility for MS’s favorite operating system. You know, the OS which everyone is supposed to use since it is perfect, and is continually being made more perfect — as if there is something beyond perfect.

      The upshots are, in my humble opinion:

1. Do not install, at least for the time being, any post-December BIOS updates which OEMs are offering for your laptop or motherboard. I have been monitoring a couple of gamer forums. Apparently some gamers are brighter than Intel’s engineers since they have been actively stress testing Intel’s new January microcode which is supposed to mitigate Spectre. Tests showed that even at stock CPU speeds, the tested CPUs were throwing numerous corrected errors over time, whereas pre-microcode update the same CPUs were throwing zero errors. Over 300 corrected CPU errors versus zero errors during a few hours of testing really got my attention. The situation got worse when the CPUs were overclocked. Obviously just 1 uncorrected CPU error will cause the computer to suddenly reboot. That is the way that CPUs work.

      2. You might want to turn off any OEM utility which will automatically install updates for your laptop or desktop computer — or your computer could become bricked the next time it tries to boot.

      3. The Meltdown vulnerability can allow ALL computer memory to be read. All computer memory, versus Spectre which basically can only “see” what is in cached memory pages, seems to be the greatest risk. Given that Meltdown can allow all computer memory to be read, everyone must make sure that they are running updated web browsers which prevent Meltdown from within the web browser.

      4. Microsoft’s January update supposedly either mitigates or prevents Meltdown. I have been testing MS’s January Security Only update for a week and a half on my Intel machines, and for five days on my AMD machine. No issues so far, and only slight slowdowns in specific circumstances have been observed. Do not install MS’s January updates unless you have created a System Repair disk, you have already read here about how to remove the January update by using the System Repair disk and command lines to do so, and you have uninstalled all other AV software other than the primary AV software which you use to protect your computer. It is insanely stupid that Microsoft has set just ONE registry key for ALL antivirus vendors to use, in order to indicate whether or not their AV product is compatible. Does Microsoft not realize that many users have more than one AV product installed — whether or not any additional AV products are set to run in real time? The issue, even if the additionally installed AV products do not run in real time, is that their underlying I/O drivers may well run in real time, with the possible result of blue screens when booting into Windows. Oops! I seem to recall that Microsoft has been plugging their Windows Defender as being totally compatible, with the in-between lines which imply that third party AV products obviously are not up to speed.

      5. nVidia has recently released updated video drivers which, out of an abundance of caution, are supposed to prevent Meltdown via their drivers. I have installed and tested their latest drivers, and I have not encountered any issues so far. This is on four computers with substantially different hardware. Thus I recommend that users update their nVidia drivers since low level drivers are reported to be a potential attack method.

      And now, the really scary part:

      You all didn’t want to hear the word “scary,” did you? Well, here it is…

      Are you all aware of LoJack for Laptops? If not, Google it. Its technology is patented, yet many researchers classify LoJack as malware. LoJack is also known as Computrace. Google that. LoJack is installed in BIOS on many OEM laptops. Some vendors ship their laptops with LoJack already enabled. In late 2011, I bought an Acer laptop which had LoJack in BIOS, yet LoJack was not enabled. LoJack became enabled in BIOS after I signed up for a subscription to LoJack’s anti-theft services. Over a year ago, I discontinued that subscription. But guess what? Even after repeated contacts to LoJack, they would not disable LoJack in my laptop computer’s BIOS!

Why is the above important? Because LoJack, when enabled in BIOS, creates files called rpcnetp.exe in the Win7 System32 and SysWOW64 folders on my laptop. Earlier versions of LoJack created different files. These processes, injected on bootup and directly from my laptop’s BIOS, in turn launch HIDDEN instances of Internet Explorer. You might be able to use your AV program to block all instances of rpcnetp.exe from running, but guess what? LoJack will then instead inject unidentified processes into ntdll.dll. In other words, LoJack (Computrace) is pure malware in every sense of the word, since LoJack, as of what was reported just a couple of years ago, doesn’t even verify the identity of the servers which it contacts. That is somewhat scary.

The really scary things are those running yet hidden instances of Internet Explorer. You can kill them in Task Manager, yet those hidden instances of IE will magically come back. Now that is really scary since Microsoft, in its infinitely wise and shrewd wisdom, deliberately decided to remove IE security updates from its Security Only updates. Oh yeah, those IE security updates are included in Microsoft’s monthly Quality rollups, but not in the monthly Security Only updates. Instead, users who only install Microsoft’s Security Only updates must separately find and install Microsoft’s security updates for IE in order for the IE web browser to be protected against Meltdown.

      Best regards,

      –GTP

       

      11 users thanked author for this post.
      • #161761

        Basically all we can do is take preventative measures like updated browsers, blocking scripts (NoScript), (or at least installing an adblocker), not installing software without a lot of research (it might call home through IE or other browsers for updates, etc.), up to date AV and so on and so on and so on…

Pretty well everyone is exposed to all this for some time. It is as far as we know proof of concept for the time being, and we sure will hear about it when it isn’t! Outside browser exploits it might take some skill to exploit. There’s also the ME engine and we can scare ourselves or just take good measures like putting all our stuff on offline external drives or another offline computer if you have one, and if you know how, doing banking or shopping with a live DVD live linux distro which you use and then shut down the computer each time. How many other exploits like this are out there which are yet to be discovered? Apparently these were potential all this time…

By all means update IE with either security only or rollup updates, we can only do what we can do… Obviously all the patches to date are being rushed out and shouldn’t be installed just yet. Many or most will either not fully know or never know or be able to patch against this stuff, and that’s not their fault either. With all the holds on installing MS updates it might be time to wonder when, if ever, people are going to be updating their Windows computers?

      • #161774

        LoJack became enabled in BIOS after I signed up for a subscription to LoJack’s anti-theft services. Over a year ago, I discontinued that subscription. But guess what? Even after repeated contacts to LoJack, they would not disable LoJack in my laptop computer’s BIOS!

        Wait… how does this happen?  How can anyone remotely enable or disable things in your system’s firmware?  Your PC should not be phoning home to any server to find out if the service is enabled or not without you telling it to first!  To $bad_place with LoJack; what about Acer? I would consider the laptop defective and unfit for purpose if it has a defect like you describe.

        My new laptop has an option in firmware for Computrace, but it is one of many options I can turn on or off.  As that PC no longer runs Windows, I am not sure if it would work even if I wanted it to.

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
        Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

        • #161808

It happened when I installed LoJack’s tracking software. The software enabled Computrace in my laptop’s BIOS. Some versions of Computrace, once enabled in BIOS, cannot later be disabled in BIOS. It is like turning on a light switch, only to discover that it is impossible to turn the light switch back off. One intrepid person managed to hack a BIOS image of his computer’s BIOS. He found the Computrace program block, removed it, and reflashed his BIOS. Needless to say, he knew exactly what he was doing, and of course risked bricking his laptop’s motherboard. I suggest that you do not toggle the Computrace setting in your laptop’s BIOS. If you do, you most likely will find that you cannot reverse the setting.

          • #161887

            That is absurd.  I realize there would have to be a way of preventing a thief or stolen-property-receiver from disabling the LoJack protection, like password protecting the BIOS/UEFI setup program or a dedicated password for turning off the LoJack, but to make turning it on irreversible (like my raincoat) is absurd.

            I did some searching about this, and your reports of Absolute Software being unresponsive are apparently typical.  Persistence and rattling of cages does seem to work, though; I have seen a report of someone getting the issue (same as yours) resolved eventually by obtaining and spamming the email addresses of specific higher-ups in the organization with demands to disable it, or something like that.  It’s like they think that if they make it such a pain to remove the thing, you’ll just give in and pay them for the service (after having annoyed people to that point, it seems unlikely to work).  Otherwise, why not just allow its removal after reasonable steps to ensure the person requesting it is the legitimate possessor of the computer, preventing the angry messages on the net that could prevent other potential customers from ever buying?

            I have no intention of turning the option on in my Dell’s UEFI, but from what I read, the way this thing works is to continually check and install certain Windows components at each boot, and it is those components running under Windows that do all the phoning home and such.  If you remove the files from Windows, the UEFI will just reinstall them.

            Since my PC with the option for Computrace (the older name is still used even though the laptop was manufactured in 2017) has no Windows installation, it would not work.

            I did see a report that one person managed to thwart the unwanted processes from running by setting the permissions to disallow read access to the LoJack files.  Apparently, the UEFI program will make sure the unwanted files are present and set to run, but it doesn’t check the run permissions.  If this works, it seems like a fairly trivial way for laptop thieves to bypass the protection too.

             

            Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
            XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
            Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

        • #161836

It hijacks chkdsk.exe/autochk.exe by editing the ntfs filesystem at boot (before the OS loads). It then uses that to install the rest of its payload and phone home (it may also do something similar on Linux); it does this on every boot even after a clean install. chkdsk.exe may no longer work at boot either. Once enabled in the bios it usually cannot be disabled (replacing the motherboard would disable it).

There are many ways that this could go horribly wrong. What if the filesystem is a little corrupt? The “at boot edit” of the filesystem may not go well. Why would this happen? Well, they disabled chkdsk to load their code at boot instead; that wouldn’t help with the filesystem’s clean / dirty status.

          (post may have ended up duplicated or under the wrong sub-thread — should be in lojack)
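As an added defender-side check that is not part of the thread, the following PowerShell sweep looks for the Computrace/LoJack artifacts described in #161744 and #161836 (rpcnetp.exe in System32/SysWOW64, windowless Internet Explorer instances, and the boot-time autochk.exe hook). The `rpcnet*` name pattern and the exact wording of the sfc.exe success message are assumptions; the script only reads and reports, it changes nothing.

```powershell
# Added example (not the thread author's code): read-only sweep for the LoJack/Computrace
# artifacts named in the posts. Run in an elevated PowerShell 5.1 session on Windows.
# ASSUMPTION: the 'rpcnet*' pattern generalises the rpcnetp.exe name given in the post.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. The agent executable the post names, in both System32 and SysWOW64.
foreach ($dir in @("$env:windir\System32", "$env:windir\SysWOW64")) {
    $exe = Join-Path $dir 'rpcnetp.exe'
    if (Test-Path -LiteralPath $exe) {
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $exe
        Add-Finding 'rpcnetp.exe present' ("{0} sha256={1} signature={2} signer={3}" -f
            $exe, $hash, $sig.Status, $sig.SignerCertificate.Subject)
    }
}

# 2. Services or running processes matching the assumed rpcnet* pattern.
Get-Service -Name 'rpcnet*' -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'rpcnet* service' ("{0} status={1} start={2}" -f $_.Name, $_.Status, $_.StartType)
}
Get-CimInstance Win32_Process -Filter "Name LIKE 'rpcnet%'" | ForEach-Object {
    Add-Finding 'rpcnet* process' ("pid={0} parent={1} path={2}" -f
        $_.ProcessId, $_.ParentProcessId, $_.ExecutablePath)
}

# 3. Hidden Internet Explorer instances: iexplore.exe with no top-level window.
#    The parent process is reported so you can see what launched each one.
Get-Process -Name 'iexplore' -ErrorAction SilentlyContinue |
    Where-Object { $_.MainWindowHandle -eq 0 } |
    ForEach-Object {
        $parentId   = (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)").ParentProcessId
        $parentName = (Get-Process -Id $parentId -ErrorAction SilentlyContinue).ProcessName
        Add-Finding 'windowless iexplore.exe' ("pid={0} parent={1} ({2})" -f $_.Id, $parentId, $parentName)
    }

# 4. The boot-time hook: the post says autochk.exe is altered before Windows loads, so ask
#    Windows Resource Protection to verify the on-disk copy. sfc.exe writes UTF-16, so the
#    console encoding is switched while its output is captured and restored afterwards.
$autochk = "$env:windir\System32\autochk.exe"
$savedEncoding = [Console]::OutputEncoding
try {
    [Console]::OutputEncoding = [System.Text.Encoding]::Unicode
    $sfcOutput = (& "$env:windir\System32\sfc.exe" /verifyfile=$autochk 2>&1 | Out-String).Trim()
} finally {
    [Console]::OutputEncoding = $savedEncoding
}
# ASSUMPTION: this is the phrase sfc prints when the file passes verification.
if ($sfcOutput -notmatch 'did not find any integrity violations') {
    Add-Finding 'autochk.exe integrity' $sfcOutput
}

if ($findings.Count -eq 0) {
    'No Computrace/LoJack artifacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A hit on rpcnetp.exe alone is not proof of compromise on a machine whose owner enabled the service; the signer and the parent of any windowless IE process are what tell you whether the agent is the expected one.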

    • #161763

      Microsoft, in its infinitely wise and shrewd wisdom, deliberately decided to remove IE security updates from its Security Only updates. Oh yeah, those IE security updates are included in Microsoft’s monthly Quality rollups, but not in the monthly Security Only updates. Instead, users who only install Microsoft’s Security Only updates must separately find and install Microsoft’s security updates for IE in order for the IE web browser to be protected against Meltdown.

      Isn’t that kind of the good part for those who wish to remain conservative and not install the OS patches (e.g., to avoid OS slowdown) but just keep the browser up to date?

      It’s exactly what I’ve done.

      -Noel

      5 users thanked author for this post.
      • #161813

        Perhaps. Yet don’t forget to update your graphics driver since unpatched low level drivers which run under the kernel are mentioned as being attack surfaces for Meltdown. As I mentioned, Nvidia has released updated drivers which supposedly prevent their drivers from being used to perform a Meltdown attack. I don’t know if AMD and Intel have done the same yet, or if they need to. Nvidia confirmed that their hardware is immune to Meltdown, but did confirm that their software needed patching — which they have now done.

        Given the numerous low level I/O drivers on my computers which run under the kernels, I decided to install Microsoft’s January Security Only update which mitigates Meltdown.

        1 user thanked author for this post.
      • #161818

        Here is a comprehensive overview on the state of mitigations for Meltdown and Spectre (regularly updated):

        A Clear Guide to Meltdown and Spectre Patches (Barkly Protects, Inc.)

        https://blog.barkly.com/meltdown-spectre-patches-list-windows-update-help

        3 users thanked author for this post.
    • #161885

      I thought Microsoft had already removed IE updates from security-only patch last year.

    • #165940

According to VMware, all currently supported Intel processors are vulnerable to Spectre. They are waiting for a microcode update from the vendor. If you apply the original microcode update they received from Intel, you can expect issues with random reboots, etc.

The only solution they have if you apply the microcode patch, prior to them pulling it, is to edit the hypervisor OS and remove speculative execution from the virtual hardware (CPUs). This prevents the guest operating system from having the ability to be exploited.

      1 user thanked author for this post.