Meltdown/Spectre week three: World still knee-deep in something nasty
And years away from safety
It is now almost three weeks since The Register revealed the chip design flaws that Google later confirmed and the world still awaits certainty about what it will take to get over the silicon slip-ups.
The short version: on balance, some steps forward have been taken but last week didn't offer many useful advances.
In the "plus" column, Microsoft and AMD got their act together to resume the flow of working fixes. Vendors started to offer tools to manage the chore of fixing the twin flaws, such as VMware’s dashboard kit for its vRealize Operations automation tools.
Typing
$ grep . /sys/devices/system/cpu/vulnerabilities/*
into a Linux terminal window now reveals whether you have a Meltdown/Spectre problem to address.
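An added example, not part of the original article: a small shell wrapper over the same sysfs directory that sorts each flaw's status line into ok, mitigated, vulnerable or unknown and returns an exit code a fleet check can act on. The function names and the sample directory contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the kernel's per-flaw status files.
# Each file holds one line: "Not affected", "Vulnerable[: detail]"
# or "Mitigation: <what the kernel applied>".
SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status LINE -> prints ok | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# vuln_report [DIR] -> prints "name<TAB>class<TAB>raw line" per file.
# Returns 0 if every entry is ok or mitigated, 1 if any is vulnerable
# or unknown, 2 if DIR is missing (kernel predates the interface).
vuln_report() {
    dir=${1:-$SYSFS_VULN_DIR}
    [ -d "$dir" ] || { echo "no $dir" >&2; return 2; }
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        line=""
        IFS= read -r line < "$f" || true   # tolerate a missing newline
        class=$(classify_status "$line")
        printf '%s\t%s\t%s\n' "${f##*/}" "$class" "$line"
        case "$class" in vulnerable|unknown) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample directory (not captured from a real host), shaped
# like the sysfs one so the report can be tried on any machine.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Vulnerable\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

# Demo on the sample; call vuln_report with no argument for the live host.
sample=$(make_sample) && { vuln_report "$sample" || true; rm -rf "$sample"; }
```

Exit code 2 matters in practice: a host whose kernel lacks the directory has not been shown to be safe, only unreported.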
On the downside, Intel faced a rebellion of sorts as major enterprise vendors like Red Hat, Lenovo, VMware and many others told their users to ignore Chipzilla’s first batch of microcode updates because they made servers reboot a lot. Intel first said only Broadwell and Haswell CPUs had the problem, but later said its more recent Ivy Bridge, Sandy Bridge, Skylake and Kaby Lake architectures are all misbehaving after patching. The company also revealed that data centre workloads will be slower after it’s done patching.
That’s bad news for all sorts of reasons, not least that some users rushing to cope with the twin menaces may have overlooked the fact that appliances sold as “it just does the job, don’t worry about the innards” often have Intel Inside. Hence analyst firm Gartner’s advice to remember that devices like application delivery controllers or WAN optimisation boxen pack x86s, need a fix and won’t optimise things quite as optimally from now on. Which means talking to telcos and all sorts of other fun.
Also unwelcome was news that Spectre impacts Oracle's SPARC platform, with patches due some time in February. Nor are the hordes of smaller ARM licensees making much noise.
News that the sky has not fallen in on public clouds won a better reception. Indeed, there are even signs that big players have stopped worrying and learned to love the bomb, or at least minimise the impact of their patches.
Smaller clouds have had less to say, perhaps because they resent not having been included in the original cabal that nutted out a response to Meltdown/Spectre. The Register hears gossip to the effect that Oracle, for one, is furious it wasn’t immediately invited to the top table. It has, however, scheduled and/or executed patches for its x86 cloud. We’ve seen evidence of the same at VMware-on-AWS, Linode, IBM cloud and others.
But we've also heard an industry-wide silence about CPU-makers’ roadmaps for a Meltdown-and-Spectre-free future. Rumours are rife that a generation of products will have to be redesigned, at unknowable expense and delaying next-generation products by un-guessable amounts of time.
The news isn’t all glum, however: marketers have cottoned on to the fact that Meltdown and Spectre represent an opportunity to spruik products like data centre inventory tools or performance analysis code. Their offers aren't classy, but are at least far more sensible than all the initial coin offerings landing in Reg inboxes. ®