Microsoft works weekends to kill Intel's shoddy Spectre patch

Out-of-band patch may assuage user anger over Intel crudware, closed-club disclosure process

By Richard Chirgwin

Microsoft has implemented Intel's advice to reverse the chipmaker's Spectre variant 2 microcode patches.

Redmond issued a rare weekend out-of-cycle advisory on Saturday to make the unwind possible.

Intel's first patch was so bad, it made many computers less stable, sending Linux kernel supremo Linus Torvalds into a justifiable meltdown last week.

Chipzilla later withdrew the patch, but it had made its way into a Microsoft fix, which the Windows giant pulled on Saturday.

“Our own experience is that system instability can in some circumstances cause data loss or corruption,” Microsoft wrote, adding “We understand that Intel is continuing to investigate the potential impact of the current microcode version and encourage customers to review their guidance on an ongoing basis to inform their decisions.”

This applies only to the Spectre processor vulnerability patch, Microsoft emphasised: “Application of this payload specifically disables only the mitigation against CVE-2017-5715 – 'Branch target injection vulnerability.'”

It noted that as far as anyone knows, nobody's yet weaponised Spectre variant 2 in the wild.

LinuxConf panel: Embargo a 'sh!t-show'

The handling of Spectre and Meltdown received sharp criticism at last week's LinuxConfAU in Sydney, with Linux Foundation technical advisory board member Jonathan Corbet complaining of the ongoing secrecy about events between the first private reports of the bugs and their eventual disclosure (which The Register broke on January 2).

Instead of the disclosure processes used for most vulnerabilities, Corbet said, “This disclosure process was handled very differently,” and nobody's explained why.

Corbet later added “I'd like the industry to end at least that piece of it, so that we can get the whole story out there, and figure out how to do better the next time around”.

Developer Jess Frazelle said disclosure could be improved by “not having an absolute shit-show of an embargo”, while Katie McLaughlin added that only big cloud providers were in the know: “It seems to be like an exclusive club as to whether you know or don't know, and it's not really clear the lines of who should be informed.”

A video of the conference panel is below, for your viewing pleasure. ®
