January 4th, 2018 23:00

BIOS updates to counter Meltdown/Spectre?

Hello! I have a 3 year old Alienware 14. Does Dell plan on issuing BIOS updates to mitigate vulnerability to Meltdown and Spectre?

10 Elder

 • 

43.6K Posts

January 13th, 2018 17:00

Read this.

1 Rookie

 • 

5.8K Posts

January 13th, 2018 21:00

Thanks for that link, Ron.

As I peruse Dell's response, I note that:
- BIOS updates for some operating systems and more recent Dell models have been released, or have future release dates listed.
- Some older models are not listed, including my Dell Latitude E5410 laptop, and XPS 8300 desktop (both running Win7). No BIOS updates for them so far.
- Dell is not pushing out these BIOS updates via their updater. My XPS 13 laptop has a latest Dell BIOS version 1.61 available for download (last updated 08 Jan. 2018) but my updater says I am "up-to-date" with my current 1.4.18 issued in June 2107. This suggests to me that Dell does not want to take responsibility for these BIOS updates, and possible secondary side effects.

To be honest, I am in no rush to "fix" these vulnerabilities with a BIOS flash. They have existed for decades, but have never been exploited. I just do not see the urgency. Of course, I could be wrong.

 

6 Posts

January 14th, 2018 00:00

@joe53 wrote:

Thanks for that link, Ron.

As I peruse Dell's response, I note that:
- BIOS updates for some operating systems and more recent Dell models have been released, or have future release dates listed.
- Some older models are not listed, including my Dell Latitude E5410 laptop, and XPS 8300 desktop (both running Win7). No BIOS updates for them so far.
- Dell is not pushing out these BIOS updates via their updater. My XPS 13 laptop has a latest Dell BIOS version 1.61 available for download (last updated 08 Jan. 2018) but my updater says I am "up-to-date" with my current 1.4.18 issued in June 2107. This suggests to me that Dell does not want to take responsibility for these BIOS updates, and possible secondary side effects.

To be honest, I am in no rush to "fix" these vulnerabilities with a BIOS flash. They have existed for decades, but have never been exploited. I just do not see the urgency. Of course, I could be wrong.

 


I think that it might not make sense to update to the latest BIOS in some cases, e.g. for low power processors like the Core M. The performance degradation is so immense that it makes more sense to compromise on security, which is troublesome. I have documented my benchmarks in a separate thread.

https://www.dell.com/community/Mobile-Devices/Dell-Venue-7140-crippled-by-latest-BIOS-A14-with-the-Spectre/td-p/5650102/jump-to/first-unread-message

10 Elder

 • 

43.6K Posts

January 14th, 2018 11:00

It appears that BIOS updates may depend on CPU generation. My Core i3 Gen 3 lappy (~2013) got the Microsoft update for Win 10 via Windows Update to deal with Meltdown/Spectre, but there's no BIOS update for Core Gen 3 CPUs.

As I originally understood it, the BIOS updates were to fix the Intel Management Engine (ME) issue which was announced back in early Dec'17 and is entirely different from Meltdown/Spectre. The BIOS update is to update code stored on the chipset chip which is separate from the CPU. I believe the ME thing is an issue for chipsets used with Core Gen 6 and later CPUs. 

I've seen conflicting reports that some CPUs need both the Windows update and a BIOS update to deal with Meltdown/Spectre. So users have to stay aware of what's happening and decide what's best for them.

There have been a few posts where the BIOS update for ME caused a problem, but not a lot of them, and most or all the ones I saw were for XPS 8900 systems. I know Dell captured a couple of those systems for examination, but I don't know how many or how they're handling the problem for customers whose PCs crashed after installing that update...

In other words, Intel created royal mess ...

3 Apprentice

 • 

15.2K Posts

January 14th, 2018 13:00

 

"In other words, Intel created royal mess ..."

I am not comfortable placing blame on Intel for these hardware "bypasses", any more than I am comfortable blaming Microsoft for the many creative exploits encountered within Windows/Office/etc.

Computer coding (including BIOS firmware) is exceptionally complex.  For example, a person sets out to create a word processor, and seemingly succeeds in doing so.   A best-seller, in fact.   How could that person --- especially two decades ago --- have possibly envisioned how a hacker... with the ability to reverse-engineer the code... could somehow "creatively exploit" it in hindsight?   I don't believe there's any way humans could have predicted what modern hackers could twist apart.

Consider that these problems have allegedly existed --- and gone unnoticed/untouched --- for two decades... sure seemed like Intel had delivered a "solid" product. Also consider that Spectre impacts not just Intel chips, but also AMD, ARM, and NVIDIA graphic drivers (among others).

So I repeat --- my opinion --- that it's not fair to put (all) the blame on Intel for this mess.

20.5K Posts

January 15th, 2018 13:00

5 Posts

January 16th, 2018 05:00

We are having a lot of difficulties with these BIOS updates and patches in our organization.

We are an international company with over 10 offices around the world. We use Dell as our hardware provider and the majority of our desktops are Dell 7010 SF Optiplex machines. Dell stated in their Microprocessor Side-Channel Vulnerabilities notification (http://www.dell.com/support/article/us/en/19/sln308587/microprocessor-side-channel-vulnerabilities-cve-2017-5715-cve-2017-5753-cve-2017-5754-impact-on-dell-products?lang=en) that to address these vulnerabilities on Optiplex 7010 models we should install the BIOS A26. Unfortunately, the BIOS update indicated does not provide any microcode to fix the Spectre vulnerability.

Accordingly, the Microsoft Get-SpeculationControlSettings command results are indicating that our hardware does not contain the required microcode updates to protect against CVE-2017-5715 (Spectre).

Example below:

We contacted Dell first line of support and their answer was that our client machines are out of warranty. Then, since we have several servers around the world with an active ProPlus Support, we contacted our ProPlus Support account manager in the UK, and it seems that they have been unable to give me any answer or practical solution.

To make the situation worse, we have many other Dell client PCs and laptops that are not even listed on the official Meltdown and Spectre Dell statement, and neither Dell first line of support nor our Dell support account managers have been able to confirm what will happen with all this equipment.

This is very frustrating to say the least. Is there anybody at Dell that can actually help? Or shall we conclude that we are now in a situation where we cannot patch any of our Dell equipment, making all our users' PCs unusable?

If we are struggling like this, I cannot imagine how difficult it must be for many home users. Year 2018 will be the year where we will see the biggest data breaches in world history, as it seems these vulnerabilities will be impossible to lock down for many users around the world due to the lack of support from many manufacturers or lack of understanding from the majority of users regarding the necessary steps to protect their devices.

Best Regards,

Raul Morales
Corporate Security and Network Administrator
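
The post above reports that Get-SpeculationControlSettings still shows no microcode support for CVE-2017-5715 after flashing BIOS A26. The following is an added example, not part of the original post or any Dell tooling, that turns that cmdlet's result into a one-line status per machine alongside the installed BIOS version. The function name `Get-BtiSummary`, the verdict strings and the sample object are assumptions made for illustration; the `BTI*` property names are those returned by Microsoft's SpeculationControl module.

```powershell
# Added example (not from the thread). Needs Microsoft's SpeculationControl module:
#   Install-Module SpeculationControl
function Get-BtiSummary {
    param(
        [Parameter(Mandatory)] $Settings,            # output of Get-SpeculationControlSettings
        [Parameter(Mandatory)] [string] $Model,
        [Parameter(Mandatory)] [string] $BiosVersion
    )
    # Order matters: without microcode the OS mitigation cannot be enabled at all.
    $verdict = if (-not $Settings.BTIHardwarePresent) {
        'No microcode support: firmware (BIOS) update still required'
    } elseif (-not $Settings.BTIWindowsSupportPresent) {
        'Microcode present, Windows patch missing'
    } elseif (-not $Settings.BTIWindowsSupportEnabled) {
        'Patch and microcode present, mitigation not enabled'
    } else {
        'CVE-2017-5715 mitigation active'
    }
    [pscustomobject]@{
        Model       = $Model
        BiosVersion = $BiosVersion
        Microcode   = [bool]$Settings.BTIHardwarePresent
        OsPatch     = [bool]$Settings.BTIWindowsSupportPresent
        Enabled     = [bool]$Settings.BTIWindowsSupportEnabled
        Verdict     = $verdict
    }
}

# Constructed sample: OS patch installed, BIOS A26 flashed, no microcode (the case in the post).
$sample = [pscustomobject]@{
    BTIHardwarePresent       = $false
    BTIWindowsSupportPresent = $true
    BTIWindowsSupportEnabled = $false
}
Get-BtiSummary -Settings $sample -Model 'OptiPlex 7010' -BiosVersion 'A26'

# Live check on the local machine, only if the module is installed.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $sys  = Get-CimInstance -ClassName Win32_ComputerSystem
    Get-BtiSummary -Settings (Get-SpeculationControlSettings) `
                   -Model $sys.Model -BiosVersion $bios.SMBIOSBIOSVersion
}
```

Collecting this object from each endpoint and grouping by Model and BiosVersion shows which hardware still lacks microcode regardless of what the BIOS release notes claim.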

3 Apprentice

 • 

15.2K Posts

January 16th, 2018 06:00

 

Mr. Morales:

Just to make sure you realize, this is a user-to-user forum.   Most people posting here are simply home users, either asking questions, or VOLUNTEERING their time to try to help others --- we don't work for DeLL (except for those who explicitly indicate they do).

I don't know where you should be posting, but presumably, there are some corporate channels which would be more appropriate.

5 Posts

January 16th, 2018 06:00

Hi Diamond,

Thanks for your note, I am just running out of options and I thought this was Dell forums.

Best Regards.

 

 

10 Elder

 • 

43.6K Posts

January 16th, 2018 10:00

I pinged one of my Dell tech contacts, but you probably will have to keep pushing your ProSupport team for your corporate needs.

10 Elder

 • 

43.6K Posts

January 16th, 2018 17:00

Here's the response that I got...

CVE-2017-5715 has not been addressed in any of the current Optiplex 7010 BIOS. Dell is only up to dealing with CVE-2017-5712 for this system.

So the article must be incorrect if it says BIOS A26 addresses Spectre. All you can do -for now- is keep checking the Support site for new BIOS updates to be posted.

Here's a summary of the last 3 BIOS versions for Optiplex 7010:

BIOS A26 1/9/18: Updated Intel ME Firmware to address security advisories INTEL-SA-00086 (CVE-2017-5711 & CVE-2017-5712) & INTEL-SA-00101 (CVE-2017-13077, CVE-2017-13078 & CVE-2017-13080)

BIOS A25 5/22/17: Updated Intel ME Firmware to address security advisory CVE-2017-5689/INTEL-SA-00075

BIOS A24 12/12/16: Improved the BIOS security. Update MEFW 8.1.70.1590 for improved the BIOS security

Hope this helps...

5 Posts

January 17th, 2018 02:00

Ron,

Many thanks for your kind help, very much appreciated, it seems DELL updated the A26 BIOS description and now the Knowledge Base is saying that the 7010 Optiplex BIOS firmware is "in progress".

We managed to set up a phone call with our Dell sales manager representative and our ProPlus team tomorrow. Hopefully I will manage to get concrete answers about the whole situation, as another concern I have is that our company has a lot of DELL models worldwide that are not even listed under the Dell Meltdown / Spectre BIOS documentation; one of them, as an example, are Optiplex 990 PCs that were bought 5 years ago.

It is not like we are demanding a fix, all we want to know is if there will be a fix available in the future or not as otherwise I will have no other option than start flagging equipment as unusable in order to keep our corporation protected.

Best Regards,
Raul Morales
Corporate Security and Network Administrator

10 Elder

 • 

43.6K Posts

January 17th, 2018 10:00

You're welcome.

It may depend on the CPU generation in each PC that determines whether a BIOS update is also required, in addition to the OS patch distributed via Windows Update.

My Core i3 Gen 3 laptop running Win 10 Pro got the OS update via Windows Update, but it isn't on Dell's list awaiting a BIOS update.

Something to consider is that older systems may be "End of Life" and Dell just isn't going to offer a firmware update for them.

So I'm in the same boat. I use the laptop for my business and -at minimum- want to know if it needs a firmware to be fully secure or not. And if it does need a firmware update, is Dell going to provide it?

2 Posts

January 19th, 2018 07:00

Hey guys and peeps. Just a quick heads up about the A26 Bios update that is available on the Dell's site (Dell Optiplex 7010). I did update it recently as I have never performed such update to the Bios and went from A05 to A26. The result was a non-functional Nvidia 1050 TI GTX video card on the HDMI port. Tested on 100% -> Video simply does not provide any output on the monitor.

The resolution was a downgrade back to A05. After that all was fine with the video. 

 

10 Elder

 • 

43.6K Posts

January 19th, 2018 10:00


@krissko wrote:

Hey guys and peeps. Just a quick heads up about the A26 Bios update that is available on the Dell's site (Dell Optiplex 7010). I did update it recently as I have never performed such update to the Bios and went from A05 to A26. The result was a non-functional Nvidia 1050 TI GTX video card on the HDMI port. Tested on 100% -> Video simply does not provide any output on the monitor.

The resolution was a downgrade back to A05. After that all was fine with the video. 

 


Was HDMI the only video port that didn't work in A26?

Going from A05 to A26 is a big jump. Normally, you can go from your current version to the latest, but sometimes there may be a requirement for an intermediate version. So did you check any/all of the versions in between to see if any of them require a prior version? You can find links to all the prior versions on the Support page.
