
Gigabyte Withholding Spectre Firmware, Only Provided to Customers On Request

We’ve been busily auditing client environments and evaluating their readiness for Spectre mitigation. Frustratingly, of the long list of devices, computers and mainboards we have, the vast majority of products more than two years old don’t have firmware patches available on the manufacturers’ support websites. When we reached out to Gigabyte support to determine whether they did, in fact, have firmware available for a particular model, we were provided with the file. When we asked why they have firmware available that isn’t being published on the product’s support page, they responded with this disturbing revelation:

At present, we provide bios with Intel’s Spectre microcode updated for old models by customers request.

We are, frankly, shocked at this breathtakingly short-sighted meander down frustrate-the-heck-out-of-your-supply-channel-just-for-kicks lane. The job of the entire professional IT industry to attempt to mitigate Spectre is quite colossal enough without manufacturers deliberately frustrating our efforts. We responded with this:

We very strongly recommend you review this policy. Spectre is a massive, global problem. While it might be fine for individuals with a single PC to contact support once to retrieve these files, there are going to be thousands of IT technicians and personnel patching hundreds of systems each – they don’t have time to contact manufacturers on an individual basis for every single model – that’s just a ridiculous, frustrating and extremely disrespectful waste of their time. Remember, it is IT professionals that are your biggest repeat clients and your strongest independent advocates. One of the biggest reasons we use and recommend Gigabyte products is reliability – we’ve found Gigabyte products to be well designed and highly reliable for a consumer brand. But that reliability must extend to after-sales support, or we can’t have confidence in a brand.

This kind of experience is extraordinarily frustrating – we’re in the process of auditing and evaluating the extent of patching required for all of our clients’ systems, and we shouldn’t have to contact any manufacturer to procure firmware files for every single product – you’ve taken what should be a five-minute job per model and turned it into something that’s going to take days and waste many hours of our time. We stopped selling another brand of workstation and server products years ago because of the difficulty of getting support from them – compared to Intel, who have always been extremely helpful, respond rapidly, turn around firmware updates very quickly, and will airfreight completely new replacement products for in-warranty RMAs free of charge; we don’t have time or interest in brands that don’t have excellent after-sales support, it’s just too important.

So we do encourage you in the strongest terms to review this policy – the IT industry must be supported to make this job as easy as possible. It’s already a colossal job patching every PC and server in the world without manufacturers making our job even more difficult.

While we have only received official word from Gigabyte about this, we highly suspect other manufacturers are operating in a similar manner. We’re in the process of requesting files for a range of devices, so we’ll update this post once we have more details about how widespread the practice is.

In the meantime, we strongly recommend IT professionals contact manufacturers if Spectre firmware patches don’t appear on product support pages for the devices you support, not only to request those firmware files, but to demand that the manufacturers make these patches easily available on their public portals. Forcing people to jump through hoops just to get patched isn’t just ludicrous, it is dangerously disruptive.