
Microsoft works weekends to kill Intel's shoddy Spectre patch

Out-of-band patch may assuage user anger over Intel crudware, closed-club disclosure process

By Richard Chirgwin


Microsoft has implemented Intel's advice to reverse the chipmaker's Spectre variant 2 microcode patches.

Redmond issued a rare weekend out-of-cycle advisory on Saturday to make the unwind possible.

Intel's first patch was so bad, it made many computers less stable, sending Linux kernel supremo Linus Torvalds into a justifiable meltdown last week.

Chipzilla later withdrew the patch, but it had made its way into a Microsoft fix, which the Windows giant pulled on Saturday.

“Our own experience is that system instability can in some circumstances cause data loss or corruption,” Microsoft wrote, adding “We understand that Intel is continuing to investigate the potential impact of the current microcode version and encourage customers to review their guidance on an ongoing basis to inform their decisions.”

This applies only to the Spectre processor vulnerability patch, Microsoft emphasised: “Application of this payload specifically disables only the mitigation against CVE-2017-5715 – 'Branch target injection vulnerability.'”

It noted that as far as anyone knows, nobody's yet weaponised Spectre variant 2 in the wild.

LinuxConf panel: Embargo a 'sh!t-show'

The handling of Spectre and Meltdown received sharp criticism at last week's LinuxConfAU in Sydney, with Linux Foundation technical advisory board member Jonathan Corbet complaining of the ongoing secrecy about events between the first private reports of the bugs and their eventual disclosure (which The Register broke on January 2).

Instead of the disclosure processes used for most vulnerabilities, Corbet said, “This disclosure process was handled very differently,” and nobody's explained why.

Corbet later added “I'd like the industry to end at least that piece of it, so that we can get the whole story out there, and figure out how to do better the next time around”.

Developer Jess Frazelle said disclosure could be improved by “not having an absolute shit-show of an embargo”, while Katie McLaughlin added that only big cloud providers were in the know: “It seems to be like an exclusive club as to whether you know or don't know, and it's not really clear the lines of who should be informed.”

A video of the conference panel is below, for your viewing pleasure. ®
