Microsoft works weekends to kill Intel's shoddy Spectre patch

Out-of-band patch may assuage user anger over Intel crudware, closed-club disclosure process

By Richard Chirgwin

Posted in Security, 29th January 2018 01:18 GMT

Microsoft has implemented Intel's advice to reverse the chipmaker's Spectre variant 2 microcode patches.

Redmond issued a rare weekend out-of-cycle advisory on Saturday to make the unwind possible.

Intel's first patch was so bad, it made many computers less stable, sending Linux kernel supremo Linus Torvalds into a justifiable meltdown last week.

Chipzilla later withdrew the patch, but it had made its way into a Microsoft fix, which the Windows giant pulled on Saturday.

“Our own experience is that system instability can in some circumstances cause data loss or corruption,” Microsoft wrote, adding “We understand that Intel is continuing to investigate the potential impact of the current microcode version and encourage customers to review their guidance on an ongoing basis to inform their decisions.”

This applies only to the Spectre processor vulnerability patch, Microsoft emphasised: “Application of this payload specifically disables only the mitigation against CVE-2017-5715 – 'Branch target injection vulnerability.'”

It noted that as far as anyone knows, nobody's yet weaponised Spectre variant 2 in the wild.
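Because the out-of-band update described above switches off the CVE-2017-5715 (branch target injection) mitigation rather than the Meltdown one, an administrator will want to know which state a given Windows host is now in. The following is an added example, not code from the article or from Microsoft: it wraps Microsoft's SpeculationControl PowerShell Gallery module (the real `Get-SpeculationControlSettings` cmdlet) in a hypothetical helper, `Test-BtiMitigation`, that summarises the branch-target-injection status into one of three states. It assumes the module has been installed with `Install-Module SpeculationControl` and that the session is elevated; the property names it reads (`BTIHardwarePresent`, `BTIWindowsSupportPresent`, `BTIWindowsSupportEnabled`, `BTIDisabledBySystemPolicy`) are those the module exposes.

```powershell
# Added example (not from the article or Microsoft). Summarise whether the
# Windows mitigation for CVE-2017-5715 (branch target injection) is active.
# Assumes: SpeculationControl module installed (Install-Module SpeculationControl)
# and an elevated session. Function name Test-BtiMitigation is hypothetical.

function Test-BtiMitigation {
    [CmdletBinding()]
    param()

    Import-Module SpeculationControl -ErrorAction Stop

    # The cmdlet prints a human-readable report and also returns an object
    # whose BTI* properties describe branch-target-injection support.
    $s = Get-SpeculationControlSettings

    $state =
        if (-not $s.BTIHardwarePresent) {
            # CPU microcode exposing the new speculation controls is absent:
            # either never installed or rolled back, as in the Intel withdrawal.
            'NotSupportedByHardware'
        } elseif (-not $s.BTIWindowsSupportPresent) {
            # OS lacks the kernel-side support for the mitigation.
            'NotSupportedByOS'
        } elseif ($s.BTIDisabledBySystemPolicy) {
            # Support is present but an administrative setting has turned it
            # off; the out-of-band Microsoft update produces this condition.
            'DisabledByPolicy'
        } elseif ($s.BTIWindowsSupportEnabled) {
            'Enabled'
        } else {
            'Disabled'
        }

    [PSCustomObject]@{
        ComputerName          = $env:COMPUTERNAME
        BtiHardwarePresent    = [bool]$s.BTIHardwarePresent
        BtiOsSupportPresent   = [bool]$s.BTIWindowsSupportPresent
        BtiDisabledByPolicy   = [bool]$s.BTIDisabledBySystemPolicy
        BtiMitigationState    = $state
    }
}

# Usage: run once, or feed a list of hosts through Invoke-Command to inventory
# which machines had the mitigation switched off by the rollback.
Test-BtiMitigation | Format-List
```

The value of the summary is the distinction between `NotSupportedByHardware` (microcode withdrawn or never applied) and `DisabledByPolicy` (microcode present but the OS told not to use it): only the second is something the administrator can reverse from Windows once Intel ships corrected microcode, so recording both fields per host makes the later re-enable pass straightforward to plan.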

LinuxConf panel: Embargo a 'sh!t-show'

The handling of Spectre and Meltdown received sharp criticism at last week's LinuxConfAU in Sydney, with Linux Foundation technical advisory board member Jonathan Corbet complaining of the ongoing secrecy about events between the first private reports of the bugs and their eventual disclosure (which The Register broke on January 2).

Instead of the disclosure processes used for most vulnerabilities, Corbet said, “This disclosure process was handled very differently,” and nobody's explained why.

Corbet later added “I'd like the industry to end at least that piece of it, so that we can get the whole story out there, and figure out how to do better the next time around”.

Developer Jess Frazelle said disclosure could be improved by “not having an absolute shit-show of an embargo”, while Katie McLaughlin added that only big cloud providers were in the know: “It seems to be like an exclusive club as to whether you know or don't know, and it's not really clear the lines of who should be informed.”

A video of the conference panel is below, for your viewing pleasure. ®
