What Dell EMC’s Spectre patch backtrack says about software updates


Posted on Wednesday, January 31, 2018

The ongoing saga of the Spectre vulnerability took yet another turn this week when Intel, Microsoft, Dell EMC and VMware were among manufacturers warning users not to apply the latest microcode security update.

Take this updated knowledge base article from Dell EMC, which says that users may encounter “unpredictable system behaviour” after the update.

The knowledge base article does not go into details of the problem, but users of systems from multiple vendors have reported performance issues, boot issues, reboot issues, and general system instability. Any users experiencing problems are being advised to roll back to the previous BIOS version.

Confirming the CTO’s worst fears

Failed BIOS updates are a major headache for CTOs on several fronts. First, applying an update that creates new problems completely defeats the object of the exercise. Second, rolling back to a previous BIOS version also restores the original Spectre vulnerability. Third, time and resources are wasted twice – once to apply the failed BIOS update, and again to roll back all of the affected systems.

Historically, CTOs have always avoided applying updates and patches unless strictly necessary – many businesses are running two versions behind the most current. And the ongoing Spectre debacle shows that this practice is entirely sensible.

Answering an important post-warranty question

One of the biggest concerns CTOs have about post-warranty support is access to security updates. Without a valid OEM maintenance agreement, they are not automatically entitled to those patches.

There are two reasons why they need not worry. First, post-warranty storage assets do not typically receive updates as standard anyway. Second, with the general reluctance to install the most recent microcode versions, the question becomes irrelevant.

If anything, the Spectre BIOS situation has shown why OEM patches aren’t as important as we’re led to believe – particularly for post-warranty storage arrays. And that’s before you consider this article quoting Dell EMC, HPE, Hitachi and NetApp claiming that the effects of Spectre and Meltdown on storage arrays were minimal (“the reported vulnerabilities do not introduce any additional security risk to a customer's environment”).

To learn more about your options, and how CDS can help cut your Dell EMC maintenance costs, please get in touch.