Processor giant Intel has told some of its customers that the microcode patches it issued to fix the Meltdown and Spectre flaws in its products are buggy and that they should not install them.
The advice, reported by The Wall Street Journal, was issued to select customers on Wednesday.
The company told customers to "delay additional deployments of these microcode updates", and added, "Intel will provide frequent updates".
Stephen Smith, the general manager of Intel's data centre group, told the WSJ that the advice was provided to makers of PCs and big cloud providers after feedback that its updates had caused some machines to reboot.
{loadposition sam08}Smith claimed that the bugs are "unrelated to security", adding that the company advised consumers to use firmware update from their vendors. Computer makers and cloud providers were told to avoid using Intel's patches.
— Christine Hall (@BrideOfLinux) 10 January 2018
Details of the two bugs, dubbed Meltdown and Spectre, were released last week after an embargo of 9 January collapsed.
An employee of Google's Project Zero was the first to discover the two vulnerabilities, and the company justified breaking the embargo, saying: "We are posting before an originally co-ordinated disclosure date of 9 January 2018 because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation."
Since then, a number of industry players, big and small, have issued patches for their products, including Microsoft and the Linux kernel project.
Meltdown removes the barrier between user applications and sensitive parts of the operating system while Spectre, which is also reportedly found in some AMD and ARM processors, can trick vulnerable applications into leaking the contents of their memory.
The WSJ quoted one unnamed Intel partner, who, like Theo de Raadt, the head of the OpenBSD project, expressed disquiet that the company was only informing some customers about the problems with the patches.
De Raadt told iTWire about the initial bug disclosure: "Only Tier-1 companies received advance information, and that is not responsible disclosure – it is selective disclosure. Everyone below Tier-1 has just gotten screwed."