Dell, HP And Lenovo Work Toward Rolling Back Firmware Versions After Intel Nixes Spectre Patch

PC makers are working to get rid of buggy Intel patches for the Spectre vulnerability, with the three largest Windows PC vendors disclosing plans to return users to previous firmware versions.

Dell, HP and Lenovo have each issued security advisories explaining what they intend to do for any PCs that were updated to their latest versions of BIOS firmware. Those latest firmware versions are no longer desirable as a result of the now-disavowed Intel microcode patches, which have created reboot issues as well as "other unpredictable system behavior," according to Intel.

[Related: Solution Providers: It's Time To Restart The Clock On Spectre, Meltdown Patch Rollout Time Line]

Dell, HP and Lenovo have all withdrawn the latest versions of BIOS firmware so that users can no longer apply the microcode patches.

Dell is the first to offer a method for enterprise users to return to the previous BIOS version: "If you have already deployed the BIOS update, in order to avoid unpredictable system behavior, you can revert back to a previous BIOS version." For consumers that have applied the latest BIOS updates, Dell is recommending a different approach: "please wait for further information and an updated BIOS release, no other action is recommended at this point."

For HP users, the ability to roll back to a previous firmware version will be possible starting on Thursday. "HP will be reissuing HP BIOS softpaqs with previous Intel microcode starting January 25, 2018," the company said in its advisory.

At Lenovo, meanwhile, work is underway on making a previous firmware version available, but a release date hasn't been disclosed. Lenovo isn't suggesting that all users roll back to the earlier version, however—only those that have been having issues with the latest BIOS.

"If you are not experiencing system stability difficulties, you may decide to remain on the BIOS/UEFI level you have installed currently," Lenovo said in its advisory. "For others, Lenovo is currently working with Intel to make available BIOS/UEFI updates to revert to an earlier, known stable microcode level."

David Felton, founder of Norwalk, Conn.-based Canaan Technology, said the confusion over Spectre and Meltdown, another processor vulnerability that was uncovered at the same time, has been cause to focus on security fundamentals.

"There has not been a clear direction from the vendors as to what to do," Felton said. "Our position has been that our clients have to deploy multi-level network security, that starts at the gateway and goes down to the desktops, and that it should be proactively monitored. That's the best recourse, whether because of vulnerabilities like this or just day-to-day computing."

Intel's request on Monday that OEMs cease deployment of its patches stemmed explicitly from issues with Intel's Broadwell and Haswell chips. Solution providers told CRN there is no clear timeline for the resolution of the Spectre and Meltdown exploits as a result of Intel halting deployment of the latest patches.