Highlighted
djduncan
1 Nickel

BIOS updates to counter Meltdown/Spectre?

Hello! I have a 3 year old Alienware 14. Does Dell plan on issuing BIOS updates to mitigate vulnerability to Meltdown and Spectre?

35 Replies
7- Thorium

Re: BIOS updates to counter Meltdown/Spectre?

Read this.

Ron

   Forum Member since 2004
   I am not a Dell employee

0 Kudos
joe53
5 Osmium

Re: BIOS updates to counter Meltdown/Spectre?

Thanks for that link, Ron.

As I peruse Dell's response, I note that:
- BIOS updates for some operating systems and more recent Dell models have been released, or have future release dates listed.
- Some older models are not listed, including my Dell Latitude E5410 laptop, and XPS 8300 desktop (both running Win7). No BIOS updates for them so far.
- Dell is not pushing out these BIOS updates via their updater. My XPS 13 laptop has a latest Dell BIOS version 1.61 available for download (last updated 08 Jan. 2018) but my updater says I am "up-to-date" with my current 1.4.18 issued in June 2107. This suggests to me that Dell does not want to take responsibility for these BIOS updates, and possible secondary side effects.

To be honest, I am in no rush to "fix" these vulnerabilities with a BIOS flash. They have existed for decades, but have never been exploited. I just do not see the urgency. Of course , I could be wrong.

 

_________________________________________


Dell Forum Member since 2,000


 Use OpenDNS   MalwareBytes' Anti-Malware Free


Windows 7/sp1 (64- Bit): Malwarebytes 3.x Premium, Windows Firewall, WinPatrol PLUS, Emsisoft Emergency Kit Free and HitmanPro Free (on-demand scanners), OpenDNS, MVPS Hosts file, SpywareBlaster, Pale Moon web browser, Sandboxie, CCleaner Free.


Windows 10 Pro (64- Bit): Same protection plus Windows Defender AV.


"In the future, everyone will be anonymous for 15 minutes" - Banksy

0 Kudos
g33ksama
1 Nickel

Re: BIOS updates to counter Meltdown/Spectre?

@joe53 wrote:

Thanks for that link, Ron.

As I peruse Dell's response, I note that:
- BIOS updates for some operating systems and more recent Dell models have been released, or have future release dates listed.
- Some older models are not listed, including my Dell Latitude E5410 laptop, and XPS 8300 desktop (both running Win7). No BIOS updates for them so far.
- Dell is not pushing out these BIOS updates via their updater. My XPS 13 laptop has a latest Dell BIOS version 1.61 available for download (last updated 08 Jan. 2018) but my updater says I am "up-to-date" with my current 1.4.18 issued in June 2107. This suggests to me that Dell does not want to take responsibility for these BIOS updates, and possible secondary side effects.

To be honest, I am in no rush to "fix" these vulnerabilities with a BIOS flash. They have existed for decades, but have never been exploited. I just do not see the urgency. Of course , I could be wrong.

 


I think that it might not make sense to update to the latest BIOS in some cases eg. for low power processors like the Core M. The performance degradation is so immense that it makes more sense to compromise on security, which is troublesome. I have documented my benchmarks in a separate thread.

https://www.dell.com/community/Mobile-Devices/Dell-Venue-7140-crippled-by-latest-BIOS-A14-with-the-S...

0 Kudos
7- Thorium

Re: BIOS updates to counter Meltdown/Spectre?

It appears that BIOS updates may depend on CPU generation. My Core i3 Gen 3 lappy (~2013) got the Microsoft update for Win 10 via Windows Update to deal with Meltdown/Spectre, but there's no BIOS update for Core Gen 3 CPUs.

As I originally understood it, the BIOS updates were to fix the Intel Management Engine (ME) issue which was announced back in early Dec'17 and is entirely different from Meltdown/Spectre. The BIOS update is to update code stored on the chipset chip which is separate from the CPU. I believe the ME thing is an issue for chipsets used with Core Gen 6 and later CPUs. 

I've seen conflicting reports that some CPUs need both the Windows update and a BIOS update to deal with Meltdown/Spectre. So users have to stay aware of what's happening and decide what's best for them.

There have been a few posts where the BIOS update for ME caused a problem, but not a lot of them, and most or all the ones I saw were for XPS 8900 systems. I know Dell captured a couple of those systems for examination, but I don't know how many or how they're handling the problem for customer's whose PCs crashed after installing that update...

In other words, Intel created royal mess ...

Ron

   Forum Member since 2004
   I am not a Dell employee

0 Kudos
ky331
6 Indium

Re: BIOS updates to counter Meltdown/Spectre?

 

"In other words, Intel created royal mess ..."

I am not comfortable placing blame on Intel for these hardware "bypasses", any more than I am comfortable blaming Microsoft for the many creative exploits encountered within Windows/ Of-fice/&etc.

Computer coding (including BIOS firmware) is exceptionally complex.  For example, a person sets out to create a word processor, and seemingly succeeds in doing so.   A best-seller, in fact.   How could that person --- especially two decades ago --- have possibly envisioned how a hacker... with the ability to reverse-engineer the code... could somehow "creatively exploit" it in hindsight?   I don't believe there's any way humans could have predicted what modern hackers could twist apart.

Consider that these problems have allegedly existed --- and gone unnoticed/untouched --- for two decades... sure seemed like Intel had delivered a "solid" product.   Also consider that Spectre impacts not just Intel chips, but also AMD, ARM, and NVIDEA graphic drivers (among others).  

So I repeat --- my opinion --- that it's not fair to put (all) the blame on Intel for this mess.

Free Internet Security - WOT Web of Trust       Use OpenDNS       MalwareBytes Anti-Malware


Windows 7 Pro SP1 (64-bit), avast! v17 Free, MBAM3 Pro, Windows Firewall, OpenDNS Family Shield, SpywareBlaster, MVPS HOSTS file, MBAE Premium, MCShield, WinPatrol PLUS, SAS (on-demand scanner), Zemana AntiLogger Free, IE11 & Firefox (both using WOT [IE set to WARN, FF set to BLOCK]), uBlock Origin, CryptoPrevent.


[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

7- Gold

Re: BIOS updates to counter Meltdown/Spectre?

General info:

Scroll down to the Dell links.

https://www.bleepingcomputer.com/news/software/list-of-links-bios-updates-for-the-meltdown-and-spect...

Regards,

Bugbatter


Windows Insider MVP 2016 -

Microsoft MVP - Consumer Security 2006-2016

Social Media and Community Professional
SpywareHammer

I am not a Microsoft or a Dell employee. I am a volunteer.

 

0 Kudos
Simbol
1 Nickel

Re: BIOS updates to counter Meltdown/Spectre?

We are having a lot of difficulties with these BIOS updates and patches in our organization.

We are an international company with over 10 offices around the world, we use Dell as our hardware provider and the majority of our desktops are Dell 7010 SF Optiplex machines, Dell stated on their Microprocessor Side-Channel Vulnerabilities notificationSmiley Sadhttp://www.dell.com/support/article/us/en/19/sln308587/microprocessor-side-channel-vulnerabilities-c...) that to address these vulnerabilities under Optiplex 7010 models we should install the BIOS A26, unfortunately the BIOS update indicated does not provide any microcode to fix the Spectre vulnerability.

Accordingly the Microsoft Get-SpeculationControlSettings command results are indicating that our hardware do not contains the required microcode updates to protect against CVE-2017-5715 (Spectre).

Example below:

We contacted Dell first line of support and their answer was that our Client Machines are out of warranty, then since we have several servers around the world with an active ProPlus Support we contacted our ProPlus Support account manager in the UK and it seems that they do have been unable to give me any answer or practical solution.

To make the situation worse we have many other Dell clients PCs and Laptops that are not even listed on the oficial MeltDown and Spectre Dell statement and neither Dell first line of support or our Dell support account manages have been able to confirm what will happen with all these equipment.

This is very frustrating to say the least, is there anybody at Dell that can actually help? or shall we conclude that we are now in a situation were we cannot patch any of our Dell equipment making all our users PCs unusable?

If we are struggling like this I cannot imagine how difficult it must be for many home users, year 2018 will be year where we will see the biggest data breaches in world history as it seems these vulnerabilities will be imposible to be locked down for many users around the world due to the lack of support from many manufactures or lack of understanding from the majority of users regarding the necessary steps to protect their devices.

Best Regards,

Raul Morales
Corporate Security and Network Administrator

0 Kudos
ky331
6 Indium

Re: BIOS updates to counter Meltdown/Spectre?

 

Mr. Morales:

Just to make sure you realize, this is a user-to-user forum.   Most people posting here are simply home users, either asking questions, or VOLUNTEERING their time to try to help others --- we don't work for DeLL (except for those who explicitly indicate they do).

I don't know where you should be posting, but presumably, there are some corporate channels which would be more appropriate.

Free Internet Security - WOT Web of Trust       Use OpenDNS       MalwareBytes Anti-Malware


Windows 7 Pro SP1 (64-bit), avast! v17 Free, MBAM3 Pro, Windows Firewall, OpenDNS Family Shield, SpywareBlaster, MVPS HOSTS file, MBAE Premium, MCShield, WinPatrol PLUS, SAS (on-demand scanner), Zemana AntiLogger Free, IE11 & Firefox (both using WOT [IE set to WARN, FF set to BLOCK]), uBlock Origin, CryptoPrevent.


[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

0 Kudos
Simbol
1 Nickel

Re: BIOS updates to counter Meltdown/Spectre?

Hi Diamond,

Thanks for your note, I am just running out of options and I thought this was Dell forums.

Best Regards.

 

 

0 Kudos