Update to Guidance for CPAs on Spectre & Meltdown
Last week we published a guide for CPAs to address the growing security concerns known as Spectre and Meltdown, but on Monday Intel and Dell issued updates on that guidance. Author Brian Tankersley, CPA, addresses the matter based on his own experience.
In a blog post entitled “Root Cause of Reboot Issue Identified,” Intel said: “We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions (of BIOS patches and updates) as they may introduce higher than expected reboots and other unpredictable system behavior.”
Dell also posted an update on Monday which included the following:
“Dell is advising that all customers and partners should not deploy the BIOS update for the Spectre vulnerability at this time due to Intel’s advisory acknowledging reboot issues and unpredictable system behavior. We have removed impacted BIOS updates from our support pages and are working with Intel on a new BIOS update that will address the Spectre vulnerability.”
While the computer hardware manufacturers usually get it right when they fix a problem, this time they made a big mess even worse, and that’s why Intel, Dell, and the other publishers have pulled the BIOS updates designed to fix your system BIOS for the Spectre vulnerability. After I personally installed the BIOS updates to my Dell Latitude E7270 laptop late last week, I had some “spontaneous reboots” when I used the updated machine over the last few days. These “reboots” – which are also known to techies as “blue screens of death” or “blue screen” errors – were cases where Windows just stopped working and then automatically rebooted, causing me to have to redo some work.
I went to the Dell Support website for my Latitude E7270 early on Wednesday, January 24th, and noted that the BIOS patch which I had applied to block the Spectre vulnerability (v. 1.18.5) was no longer available for download. I downloaded the most recent BIOS version (v 1.17.5) available from the Dell site, installed it, held my breath, and waited.
I restarted the system, and my mysterious reboots stopped – and as I write this on my once buggy laptop, I feel like I have a useful tool again. The system has run for two solid hours since the update and no reboots – so the update was clearly a problem.
Unfortunately, Steve Gibson’s InSpectre utility now tells me that I am again vulnerable to the Spectre vulnerability. (For those keeping score, I am now waiting for BIOS patches for my Dell server, my Dell Latitude E7270 laptop, my Lenovo Yoga 2 Pro laptop, and most of my Linux servers – so I think there will be additional updates to this guide as tested and approved firmware updates are made available.)
This incident, where a big hardware manufacturer rushes out a security patch which creates new problems, while unusual, is not without precedent. Intel has apologized for the problems with the previous patch, and has said that they are “working around the clock” to vigorously test a new update, which they will release as soon as possible.
This incident also illustrates another challenge for technologists in this “always on” world – what are you supposed to do when the “fix” for a problem creates another issue which is even worse? Just like the rest of “adulting,” sometimes the choice is not between “right” and “wrong”, but instead the only options available are “bad” and “worse.”
As a reminder, the problem with the Intel, Dell, Lenovo, and other updates is ONLY related to the BIOS/UEFI patches required to patch your systems for Spectre. This pause while we wait for a proper BIOS fix means you should still install other software and driver updates to your systems for Meltdown and other issues.
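For an administrator who wants to apply the advice above across Windows machines, the following PowerShell script is an added example (it is not from the original column, from Dell, or from Intel). It inventories the system's BIOS version, flags whether the machine is running a version the vendor has withdrawn, lists recently installed Windows updates (which the advisory does not pause), and, if Microsoft's SpeculationControl module is installed, reports mitigation status much as the author's InSpectre check did. The pulled version (1.18.5) and the rollback version (1.17.5) are the Dell Latitude E7270 values the author reports; treating them as defaults for any other model is an assumption, and the real values must come from that model's vendor support page.

```powershell
# Added example, not part of the original column. Assumptions: the default
# pulled/rollback BIOS versions (1.18.5 / 1.17.5) are the author's Latitude
# E7270 values; substitute your model's values from the vendor support site.

function Get-BiosInventory {
    # Firmware and model details from WMI/CIM (standard Windows classes).
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Manufacturer = $bios.Manufacturer
        Model        = $cs.Model
        BiosVersion  = $bios.SMBIOSBIOSVersion
        ReleaseDate  = $bios.ReleaseDate
    }
}

function Test-PulledBios {
    param(
        [Parameter(Mandatory)][string]$BiosVersion,
        # Versions the vendor withdrew (assumed default: the author's E7270 value).
        [string[]]$PulledVersions = @('1.18.5'),
        # Last version the vendor still offers (assumed default: the author's E7270 value).
        [string]$RollbackVersion = '1.17.5'
    )
    $onPulled = $PulledVersions -contains $BiosVersion
    if ($onPulled) {
        $rec = "BIOS $BiosVersion was withdrawn; roll back to $RollbackVersion from the vendor support page."
    } elseif ($BiosVersion -eq $RollbackVersion) {
        $rec = "On rollback BIOS $RollbackVersion; firmware-side Spectre mitigation is absent until a re-tested BIOS ships."
    } else {
        $rec = "BIOS $BiosVersion is not in the pulled list; check the vendor advisory before changing it."
    }
    [pscustomobject]@{
        BiosVersion    = $BiosVersion
        OnPulledBios   = $onPulled
        Recommendation = $rec
    }
}

function Get-RecentHotfixes {
    param([int]$Days = 30)
    # OS-side updates are NOT covered by the BIOS pause; show what has landed recently
    # so the Meltdown/software patch stream can be confirmed as still flowing.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -gt (Get-Date).AddDays(-$Days) } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

function Get-MitigationStatus {
    # Microsoft's SpeculationControl module (PowerShell Gallery) reports whether the
    # OS and CPU microcode mitigations are present and enabled. Install it once with:
    #   Install-Module SpeculationControl -Scope CurrentUser
    if (Get-Module -ListAvailable -Name SpeculationControl) {
        Import-Module SpeculationControl
        Get-SpeculationControlSettings
    } else {
        Write-Warning 'SpeculationControl module not installed; skipping mitigation check.'
    }
}

# Run the checks and print a short report.
$inv = Get-BiosInventory
$inv | Format-List
Test-PulledBios -BiosVersion $inv.BiosVersion | Format-List
Get-RecentHotfixes | Format-Table -AutoSize
Get-MitigationStatus
```

Run it in an elevated PowerShell session on each workstation; for a fleet, pass the model-specific pulled and rollback versions to `Test-PulledBios` rather than relying on the E7270 defaults, and re-check once the vendor publishes a re-tested BIOS.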
A decision tree for evaluating Spectre/Meltdown patches appears below:
If you’d like to get the latest information as I see it released, you can watch the Intel, Dell, HP, and Lenovo websites, and you can follow me (@BFTCPA) on Twitter.
Brian Tankersley CPA CITP is a technology consultant, educator, writer and serves as Director of Strategic Relationships for K2 Enterprises, where he works with vendors serving the industry to understand their existing and new offerings.