Microsoft works weekends to kill Intel's shoddy Spectre patch
Out-of-band patch may assuage user anger over Intel crudware, closed-club disclosure process
Microsoft has implemented Intel's advice to reverse the chipmaker's Spectre variant 2 microcode patches.
Redmond issued a rare weekend out-of-cycle advisory on Saturday here, to make the unwind possible.
Intel's first patch was so bad, it made many computers less stable, sending Linux kernel supremo Linus Torvalds into a justifiable meltdown last week.
Chipzilla later withdrew the patch, but it had made its way into a Microsoft fix, which the Windows giant pulled on Saturday.
“Our own experience is that system instability can in some circumstances cause data loss or corruption,” Microsoft wrote, adding “We understand that Intel is continuing to investigate the potential impact of the current microcode version and encourage customers to review their guidance on an ongoing basis to inform their decisions.”
This applies only to the Spectre processor vulnerability patch, Microsoft emphasised: “Application of this payload specifically disables only the mitigation against CVE-2017-5715 – 'Branch target injection vulnerability.'”
It noted that as far as anyone knows, nobody's yet weaponised Spectre variant 2 in the wild.
LinuxConf panel: Embargo a 'sh!t-show'
The handling of Spectre and Meltdown received sharp criticism at last week's LinuxConfAU in Sydney, with Linux Foundation technical advisory board member Jonathan Corbet complaining of the ongoing secrecy about events between the first private reports of the bugs and their eventual disclosure (which The Register broke on January 2).
Instead of the disclosure processes used for most vulnerabilities, Corbet said, “This disclosure process was handled very differently,” and nobody's explained why.
Corbet later added “I'd like the industry to end at least that piece of it, so that we can get the whole story out there, and figure out how to do better the next time around”.
Developer Jess Frazelle said disclosure could be improved by “not having an absolute shit-show of an embargo”, while Katie McLaughlin added that only big cloud providers were in the know: “It seems to be like an exclusive club as to whether you know or don't know, and it's not really clear the lines of who should be informed.”
A video of the conference panel is below, for your viewing pleasure. ®
Sponsored: Becoming a Pragmatic Security Leader