Woody Leonhard, Columnist

Let the BIOS/UEFI firmware recall begin!

News analysis
Jan 24, 2018 | 4 mins
Computers and Peripherals, Intel, Microsoft

If you own a PC from Dell, HP or Lenovo, chances are very good that the BIOS or UEFI firmware update you installed earlier this month is bad. Here’s how to dig yourself out of the Meltdown/Spectre mess.

[Image: BIOS screen closeup. Credit: IDG]

With Intel announcing a massive “Oops! Belay that order!” mea culpa earlier this week for its Meltdown/Spectre-related firmware updates, it didn’t take long for hardware manufacturers to announce their own recalls – and set in motion an enormously complex series of stopgap and half-gap measures.

Bottom line: If you flashed your BIOS or UEFI this month, you’ll almost undoubtedly have to flash it again just to get rid of the buggy code. Then you’ll have to upgrade the firmware once again, at a later time. But nobody knows yet just when or how.

Intel has posted its list of buggy microcode families. While the initial warning went up for Broadwell and Haswell processors, this new list brings even more muck. Specifically, Intel warns that microcode patches for all of these processors are bad:

  • Haswell (4th generation), Haswell Perf and Haswell ULT;
  • Broadwell H (5th generation), Broadwell U/Y;
  • Skylake H/S (6th generation), Skylake U/Y/U23e, Skylake X;
  • Kaby Lake H/S/X/G (7th generation), Kaby Lake U/Y, U23e, Kaby Lake Refresh U4+2 (8th generation);
  • Coffee Lake S + KBL PCH (8th generation).

That covers a very large percentage of Intel-based Windows PCs shipped in the past five years. (If you have an older PC, be aware – they never “fixed” it anyway.)

Most people don’t download firmware updates from Intel. Instead, the system manufacturer – most likely Lenovo, Dell, or HP – integrates the microcode into their own BIOS/UEFI upgrades, then pushes those out to retail machines.

For most of us, that’s where the goo hits the road.

Yesterday, HP Customer Support released a (very!) lengthy list of all of its machines that are affected by the Intel announcement:

In response to Intel’s recommendation, HP is taking the following actions:

  • HP is removing HP BIOS softpaqs with Intel microcode patches from hp.com.
  • HP will be reissuing HP BIOS softpaqs with previous Intel microcode starting January 25, 2018.
  • Once Intel reissues microcode updates, HP will issue revised Softpaqs.

HP is working closely with our partners, and updates will be made as soon as possible.

Which is a polite way of saying that, if you got suckered into installing an earlier firmware patch from HP, you’ll need to install the new patch (which will take you back to the older firmware) sometime after tomorrow. Then, you’ll get a new-new patch, uh, sometime. Maybe the new-new one will work.

Dell has a consumer-oriented description of its recall here and an Enterprise description here. On the consumer side, the recall says:

Dell is advising that all customers should not deploy the BIOS update for the Spectre (Variant 2) vulnerability at this time. We are removing the impacted BIOS updates from the web and suspending further BIOS updates for affected platforms.

If you have already applied the BIOS update, please wait for further information and an updated BIOS release, no other action is recommended at this point. Please continue to check back for updates.

Unlike HP, it appears as if Dell isn’t going to fix its error by re-issuing older firmware. If you’re running a Dell machine, and got suckered into installing new BIOS/UEFI software, you can just wait and see.

Lenovo has an equally impressive, massive list of affected machines. The warning now says:

Intel has changed their guidance for customers who have already deployed these microcode updates: If you are not experiencing system stability difficulties, you may decide to remain on the BIOS/UEFI level you have installed currently. For others, Lenovo is currently working with Intel to make available BIOS/UEFI updates to revert to an earlier, known stable microcode level.

Which is slightly different advice from that proposed by Dell and HP.

Almost all Lenovo machines in the list bear the imprimatur “Update withdrawn by Intel; Target TBD” but about 30 ThinkPads, mysteriously, say “Target availability 2/9/2018.” Assuming that’s Feb. 9, instead of Sept. 2, 2018, is it possible that Lenovo knows something we don’t?

For what it’s worth, I haven’t heard a peep out of Microsoft. One has to wonder what will become of the Surface Jan. 10 firmware updates.

My advice is the same as it’s always been: Sit tight. There are no known Meltdown/Spectre exploits in the wild as yet, and when they do appear, they probably won’t be directed at your poor PC. Let’s let the Titans (and Titanesses) duke it out and see what emerges from the bloody mess.

Grab some sarsaparilla and sit it out on the AskWoody Lounge.