Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Intel

Intel Has a New Spectre and Meltdown Firmware Patch For You To Try Out (betanews.com) 130

Mark Wilson writes: The Spectre/Meltdown debacle continues to rumble on, and now the chip manufacturer has announced the availability of a new 'microcode solution' to the vulnerability. The updated firmware applies to 6th, 7th and 8th Generation Intel Core devices, and the release sees the company crossing its fingers and hoping that everything works out this time.

This is Intel's second attempt at patching the vulnerability, and this time around both the company and its customers will be praying that the fix for Skylake, Kaby Lake and Coffee Lake chips actually does the job.

This discussion has been archived. No new comments can be posted.

Intel Has a New Spectre and Meltdown Firmware Patch For You To Try Out

Comments Filter:
  • Tricky decision (Score:5, Insightful)

    by bestweasel ( 773758 ) on Wednesday February 21, 2018 @02:45PM (#56165061)

    I'm waiting for the point when the Intel patch does less damage than Spectre and Meltdown. Are we there yet?

    • It depends... (Score:4, Insightful)

      by gwolf ( 26339 ) <(gro.flowg) (ta) (flowg)> on Wednesday February 21, 2018 @03:30PM (#56165455) Homepage

      Does losing up to ~30% of your chip's speed mean more or less damage to you, to your usual workload, to the threat model you feel as better applying to your person?

      • Now feeling a bit smug about my move back to AMD. Pure dumb luck that it doesn't get Spectred of course, but this is just one reason I like Zen more than Core arch.

        • Ah, I meant Meltdown of course, not Spectre.

      • by AmiMoJo ( 196126 )

        It's academic anyway. You can't get the patch yourself, you have to wait for your motherboard manufacturer to release BIOS update.

        Intel hasn't updated it's boards yet. Probably never will.

  • Not keen to be a guinea pig

  • by geekmux ( 1040042 ) on Wednesday February 21, 2018 @02:52PM (#56165101)

    "...this time around both the company and its customers will be praying that the fix for Skylake, Kaby Lake and Coffee Lake chips actually does the job."

    I can understand the masses praying for a legitimate fix, but the company is praying this will work? Did they suddenly abandon the concept of testing prior to release?

    I mean, it's not like Intel has to go digging to find a metric fuckton of affected hardware...

    • by Powys ( 1274816 ) on Wednesday February 21, 2018 @03:53PM (#56165597)
      They are following the Google model of releasing everything as BETA so they have to provide no warranty, and push testing on the unwashed masses. Only after it is deemed successful will they remove the "BETA" moniker. Saves them the trouble.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      You are assuming that Intel does testing in the first place. We now know that they prefer to pray than test. "Our Father, who art in Silicon Valley, hallowed be thy chipsets. Thy breadboards come, thy NAND gates done, on XOR as it is in RAM. Give us this day our daily clock speed and lead us not into a Meltdown but deliver us from AMD. For thine is the multi-core, the multi-thread, and the L3 cache forever. Amen."

    • by sjames ( 1099 )

      Perhaps they're an AMD shop?

    • by DeVilla ( 4563 )
      Be reasonable. There is always a period between having something runnable and getting test results back. It sounds like this is just now going into test.
  • by Dwedit ( 232252 ) on Wednesday February 21, 2018 @02:53PM (#56165103) Homepage

    Who writes these taglines? This is clearly not a Meltdown patch at all, so it shouldn't be mentioned anywhere.

    • Re: (Score:3, Funny)

      by Anonymous Coward

      Take it easy, brah, don't have a meltdown

    • by tomxor ( 2379126 )
      Lets face it, the FUD spread to blur Meltdown with Spectre has been won by Intel. It's up to the non-tech crowd to evolve to not take headlines at face value. It seems you can do no wrong in PR no matter how misleading... It's not possible to shout loudly enough against it, people have already moved onto the next headline.
  • by 93 Escort Wagon ( 326346 ) on Wednesday February 21, 2018 @02:54PM (#56165119)

    There was a campy, over-the-top parody TV show called "Sledge Hammer" back in the 80s... although even if you're old enough, you may not remember it since it wasn't exactly a roaring success. The "protagonist" (using that term loosely) was a gun-happy cop whose solution to everything involved using his gun. If someone was stealing a candy bar, he might shoot the candy bar out of the perp's hands, for instance. If an old lady missed her bus, he might shoot out the tires of the bus.

    Anyway, right now Intel reminds me of the show's intro. Most of it just featured glamour shots of Sledge Hammer's gun... but, at the end, Sledge Hammer says "Trust me, I know what I'm doing", and he shoots - but the bullet miscarries, resulting in a (virtual) bullet hole on your TV screen.

    That's Intel, in a nutshell.

  • Spectre only (Score:4, Informative)

    by PhrostyMcByte ( 589271 ) <phrosty@gmail.com> on Wednesday February 21, 2018 @02:54PM (#56165125) Homepage
    You can't fix Meltdown with a CPU patch.
    • by Anonymous Coward

      You can fix it with a flat-head screwdriver by prying the damn thing off your motherboard.

      -Homer

    • by suutar ( 1860506 )

      why not? My understanding was that meltdown was based on predictive branching, in which case if you disable predictive branching it doesn't happen.

      Granted, that's a pretty heavyhanded fix, but there may be other ways that are still down to changing the cpu microcode...

      • Heavy handed is why not. A patch that literally makes your CPU perform like something from the 90s is not a patch which 'works'.

    • Re: (Score:3, Informative)

      by amorsen ( 7485 )

      It's a bit funny that this post is 5 Informative. It is exactly the wrong way around. Meltdown can be fixed with a patch. It involves speculating across a hardware security barrier, which is something that microcode has a chance to detect.

      Spectre, on the other hand, does not involve speculating into inaccessible memory. It just involves speculating into memory that the program (typically a jit compiler) is carefully avoiding touching.

      • by Anonymous Coward

        No, GP had it right - Meltdown can't be fixed with a CPU patch, because the access-granting flaw isn't in the microcode. All the CPU patches are for Spectre variant 2.

      • You've misunderstood the problem. The patchability of this issue has been public knowledge for quite a while, so there's no excuse for your flippant ignorance on it. The article even specifically calls out Spectre: you'll see only the summary incorrectly mentions Meltdown.

        Meltdown is only patchable via software at the OS level. This is the entire reason operating systems put in these huge page table isolation pages. The CPU fix will come years from now.

        Spectre variant 2 is patchable via software per-app via

  • by adosch ( 1397357 ) on Wednesday February 21, 2018 @03:02PM (#56165187)

    Let me know how it goes, everyone! I'll see you all in therapy...

    • by sinij ( 911942 )

      Let me know how it goes, everyone! I'll see you all in therapy...

      The meeting is in the next room to the "Patch Tuesday Support Group", down the hall from "Dependency Hell Anonymous", right?

    • by jwhyche ( 6192 )

      But I just got all my shit working again....

  • the release sees the company crossing its fingers and hoping that everything works out this time

    Intel has relationships with pretty much every computer OEM and cloud computing provider -- why do they need to cross their fingers and hope for the best when they can get their partners (who are just as motivated as Intel to have a usable solution) involved in large-scale tests?

    • Intel has relationships with pretty much every computer OEM and cloud computing provider -- why do they need to cross their fingers and hope for the best when they can get their partners (who are just as motivated as Intel to have a usable solution) involved in large-scale tests?

      One possible answer is because those others might just discover other security vulnerabilities in the silicon, possibly either unintentional in nature and/or some that were requested/ordered to be left in or deliberately inserted by US TLAs.

      Strat

  • by bill_mcgonigle ( 4333 ) * on Wednesday February 21, 2018 @03:20PM (#56165357) Homepage Journal

    Hey, Google only notified them in June and maybe they were going to get around to working on it after the holidays. And there are two new variants out this week that aren't considered, so be ready for the next round in a month or so as well.

    You can't expect Intel to get these things done immediately, people! (the class action suits are going to love that they didn't fix it with six months' warning).

    • Hey, Google only notified them in June and maybe they were going to get around to working on it after the holidays. And there are two new variants out this week that aren't considered, so be ready for the next round in a month or so as well.

      You can't expect Intel to get these things done immediately, people! (the class action suits are going to love that they didn't fix it with six months' warning).

      This sounds very much like the Navy-owned submarine torbedo development facility, at the beginning of WWII. They sounded just the same and showed the same organizational problems, when the torbedoes that the submariners used failed to explode, over and over. Like 8 fired and one worked!

      They were later found to have half a dozen serious bugs and defects, which had never been tested. Estimated to have caused a number of our ships to be destroyed and over 800 people to be killed!

      And not all computers just run

    • Ok, understandably, the ignorance of many comments here make sense on the surface: Intel how long really does it take you to fix this, you incompetent bunch of nerfherders!

      Well, my guess, is that the fix was pretty much knocked out within days. Then a bit longer to get it 99.9% right. Then a month to get it 99.99% right. Then three months to get it validated, and verified, to 99.999% right.

      Intel needs to be 99.9999% right because of the volume of different designs and chips out there and the possibility of

      • by HiThere ( 15173 )

        For Metldown, the quality of the last patch they offered, which was so bad that company after company said "don't install that" (though, AFAIK, only Linus added "garbage") seems to indicate that they didn't start development of the patch until after public notice.

        Spectre is a different problem, but Meltdown ought to be fixable, if only by disabling the running speculative execution. (Whether they can do better than that I wouldn't guess.) OTOH, that approach should also solve Spectre...but nobody wants to

  • Q3 2015 (Score:5, Interesting)

    by darkain ( 749283 ) on Wednesday February 21, 2018 @03:20PM (#56165359) Homepage

    Skylake launched Q3 2015. So Intel is pushing the patch for barely more than 2 years worth of product. What about the millions (billions?) of systems out there that were not replaced in the past two years? Are they going the same way of Android in the "well fuck, sucks to be you!" mentality of security because the device isn't the absolute latest and greatest? I'm thinking they only supported back that far is because there are Xeon-D CPUs that launched Q1 2018 with Skylake architecture, and Intel is all over that Xeon-D right now (this is what Facebook is now using)

    • My guess is that they will go back further than they need to in order to cover all their products under warranty. Anything beyond that is them just being nice.

      • by Anonymous Coward

        Well, my next CPUs will be AMDs, for the foreseeable future. Fuck Intel.

    • by AHuxley ( 892839 )
      Re: systems out there that were not replaced in the past two years?
      Buy a new CPU soon that will be tested before its approved for the production line.
  • Don't we have a chimp or a rabbit that we could test this stuff on first?

  • So have we finally put to bed the finger pointing going on between Intel, Dell, and Redhat yet?
  • Well

    https://downloadcenter.intel.c... [intel.com]

    finds only ancient, 2017 microcode version :-(

  • by Anonymous Coward

    But more crashes!

  • by NewtonsLaw ( 409638 ) on Wednesday February 21, 2018 @05:24PM (#56166211)

    Is Intel still shipping processors with these vulnerabilities?

    If so, you have to ask "what the hell are they thinking"?

    Would Ford or Chevy be allowed to keep selling a vehicle which was known to have defects that made it unroadworthy even before you drove it off the showroom floor?

  • Should have been:

    Intel Has a New Spectre and Meltdown Firmware Patch And Wants You To Test It Because Intel Couldn't Be Arsed To Do Its Own Testing.

interlard - vt., to intersperse; diversify -- Webster's New World Dictionary Of The American Language

Working...