"An insecure hash"
Doubtless they used MD5, because really, it's secure enough for basically everything.
However, it's probably an offer to the US TLAs -- something that's "secure" unless you have Google-level resources to reverse an MD5 HMAC. It needs a signing key with the data, HMAC generated. That, and the microcode documentation so that the US can make these chips do whatever they deign. Because there's only *one* key to find (like government backdoor'd encryption, *again*), it makes a prime target for entities with resources -- and, as demonstrated, backdoors will be unlocked by others. Now that someone other than the TLA has shown its vulnerability, "Oops, hah, hah, that was a *total* oversight, let's get that fixed, then. Here ya go."
This is not something that anyone but nations and corporations the size of Google can achieve -- and how much did Google spend on this, anyway? I guess about $50 000 to crack an MD5 hash these days, right? For a proof-of-concept?
The fix is obvious: code the microcode to check for a *second* signature, of SHA-1 or SHA-256 (I wonder which -- if it's not at least SHA-256, then they're again giving concessions to the TLAs). Then the newer microcode is included in the BIOS of patched motherboards (so that it can't be worked around), and loaded (first!!?) for anything else -- preventing later loading of an attack microcode. All microcodes will still have to be signed (first) with the MD5 HMAC, so that *any* CPU (even older ones) will accept the real microcode patched with a stronger hash, but then the same microcode will reverify itself (because theater), and verify the stronger hash of any later-loaded microcode (forward-security).
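
A toy model of the two-stage load order proposed in the comment above, added here as an illustration and not code from the commenter or any CPU vendor. HMAC-MD5 and HMAC-SHA256 from Python's standard library stand in for the two checks; the keys, the `STRICT|` body prefix and the `Cpu` class are assumptions made for the model.

```python
import hashlib
import hmac

# Constructed keys for this model. The forger is assumed to hold LEGACY_KEY only.
LEGACY_KEY = b"constructed-legacy-key"
STRONG_KEY = b"constructed-strong-key"
STRICT = b"STRICT|"  # hypothetical marker: this body turns on the second check

def tag(key, digest, body):
    return hmac.new(key, body, digest).digest()

def make_update(body, legacy_key=LEGACY_KEY, strong_key=None):
    """Every update carries the legacy tag; the stronger tag is optional."""
    strong = tag(strong_key, hashlib.sha256, body) if strong_key else None
    return {"body": body, "legacy": tag(legacy_key, hashlib.md5, body), "strong": strong}

class Cpu:
    def __init__(self):
        self.strict = False  # True once patched microcode is running
        self.loaded = []

    def load(self, upd):
        body = upd["body"]
        # Stage 1: the legacy check that every CPU, old or new, performs.
        if not hmac.compare_digest(upd["legacy"], tag(LEGACY_KEY, hashlib.md5, body)):
            return False
        # Stage 2: enforced only after the patched microcode has been loaded.
        if self.strict:
            want = tag(STRONG_KEY, hashlib.sha256, body)
            if upd["strong"] is None or not hmac.compare_digest(upd["strong"], want):
                return False
        self.loaded.append(body)
        self.strict = self.strict or body.startswith(STRICT)
        return True

def scenario(updates):
    """Load updates in order on a fresh CPU; return the accept/reject results."""
    cpu = Cpu()
    return [cpu.load(u) for u in updates]

PATCH = make_update(STRICT + b"vendor patch", strong_key=STRONG_KEY)
LATER = make_update(STRICT + b"vendor update 2", strong_key=STRONG_KEY)
FORGED = make_update(b"forged update")  # valid legacy tag, no strong tag
```

`scenario([PATCH, FORGED, LATER])` rejects the forged update, while `scenario([FORGED, PATCH])` accepts it, so in this model the second check only protects a CPU on which the patched microcode is loaded before anything else.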