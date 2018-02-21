Follow Slashdot stories on Twitter

 


Intel Has a New Spectre and Meltdown Firmware Patch For You To Try Out

Posted by msmash from the second-time's-the-charm? dept.
Mark Wilson writes: The Spectre/Meltdown debacle continues to rumble on, and now the chip manufacturer has announced the availability of a new 'microcode solution' to the vulnerability. The updated firmware applies to 6th, 7th and 8th Generation Intel Core devices, and the release sees the company crossing its fingers and hoping that everything works out this time.

This is Intel's second attempt at patching the vulnerability, and this time around both the company and its customers will be praying that the fix for Skylake, Kaby Lake and Coffee Lake chips actually does the job.

  • Tricky decision (Score:5, Insightful)

    by bestweasel ( 773758 ) on Wednesday February 21, 2018 @01:45PM (#56165061)

    I'm waiting for the point when the Intel patch does less damage than Spectre and Meltdown. Are we there yet?

  • Not keen to be a guinea pig

  • Prayer vs. Testing. (Score:5, Insightful)

    by geekmux ( 1040042 ) on Wednesday February 21, 2018 @01:52PM (#56165101)

    "...this time around both the company and its customers will be praying that the fix for Skylake, Kaby Lake and Coffee Lake chips actually does the job."

    I can understand the masses praying for a legitimate fix, but the company is praying this will work? Did they suddenly abandon the concept of testing prior to release?

    I mean, it's not like Intel has to go digging to find a metric fuckton of affected hardware...

  • Who writes these taglines? (Score:5, Insightful)

    by Dwedit ( 232252 ) on Wednesday February 21, 2018 @01:53PM (#56165103) Homepage

    Who writes these taglines? This is clearly not a Meltdown patch at all, so it shouldn't be mentioned anywhere.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Take it easy, brah, don't have a meltdown

  • Reminds me of an old TV show (Score:5, Funny)

    by 93 Escort Wagon ( 326346 ) on Wednesday February 21, 2018 @01:54PM (#56165119)

    There was a campy, over-the-top parody TV show called "Sledge Hammer" back in the 80s... although even if you're old enough, you may not remember it since it wasn't exactly a roaring success. The "protagonist" (using that term loosely) was a gun-happy cop whose solution to everything involved using his gun. If someone was stealing a candy bar, he might shoot the candy bar out of the perp's hands, for instance. If an old lady missed her bus, he might shoot out the tires of the bus.

    Anyway, right now Intel reminds me of the show's intro. Most of it just featured glamour shots of Sledge Hammer's gun... but, at the end, Sledge Hammer says "Trust me, I know what I'm doing", and he shoots - but the bullet miscarries, resulting in a (virtual) bullet hole on your TV screen.

    That's Intel, in a nutshell.

  • Spectre only (Score:4, Informative)

    by PhrostyMcByte ( 589271 ) <phrosty@gmail.com> on Wednesday February 21, 2018 @01:54PM (#56165125) Homepage
    You can't fix Meltdown with a CPU patch.

    • Re: Spectre only (Score:1)

      by Anonymous Coward

      You can fix it with a flat-head screwdriver by prying the damn thing off your motherboard.

      -Homer

    • Re: (Score:2)

      by suutar ( 1860506 )

      why not? My understanding was that meltdown was based on predictive branching, in which case if you disable predictive branching it doesn't happen.

      Granted, that's a pretty heavyhanded fix, but there may be other ways that are still down to changing the cpu microcode...

      • Heavy handed is why not. A patch that literally makes your CPU perform like something from the 90s is not a patch which 'works'.

    • Re:Spectre only (Score:4, Informative)

      by amorsen ( 7485 ) <benny+slashdot@amorsen.dk> on Wednesday February 21, 2018 @04:56PM (#56166367)

      It's a bit funny that this post is 5 Informative. It is exactly the wrong way around. Meltdown can be fixed with a patch. It involves speculating across a hardware security barrier, which is something that microcode has a chance to detect.

      Spectre, on the other hand, does not involve speculating into inaccessible memory. It just involves speculating into memory that the program (typically a jit compiler) is carefully avoiding touching.

  • Waiting for the next /. how-it-went update (Score:5, Funny)

    by adosch ( 1397357 ) on Wednesday February 21, 2018 @02:02PM (#56165187)

    Let me know how it goes, everyone! I'll see you all in therapy...

    • Re: (Score:2)

      by sinij ( 911942 )

      Let me know how it goes, everyone! I'll see you all in therapy...

      The meeting is in the next room to the "Patch Tuesday Support Group", down the hall from "Dependency Hell Anonymous", right?

    • Re: (Score:3)

      by jwhyche ( 6192 )

      But I just got all my shit working again....

  • the release sees the company crossing its fingers and hoping that everything works out this time

    Intel has relationships with pretty much every computer OEM and cloud computing provider -- why do they need to cross their fingers and hope for the best when they can get their partners (who are just as motivated as Intel to have a usable solution) involved in large-scale tests?

    • Intel has relationships with pretty much every computer OEM and cloud computing provider -- why do they need to cross their fingers and hope for the best when they can get their partners (who are just as motivated as Intel to have a usable solution) involved in large-scale tests?

      One possible answer is because those others might just discover other security vulnerabilities in the silicon, possibly either unintentional in nature and/or some that were requested/ordered to be left in or deliberately inserted by US TLAs.

      Strat

  • They've only had since June (Score:5, Informative)

    by bill_mcgonigle ( 4333 ) * on Wednesday February 21, 2018 @02:20PM (#56165357) Homepage Journal

    Hey, Google only notified them in June and maybe they were going to get around to working on it after the holidays. And there are two new variants out this week that aren't considered, so be ready for the next round in a month or so as well.

    You can't expect Intel to get these things done immediately, people! (the class action suits are going to love that they didn't fix it with six months' warning).

    • Hey, Google only notified them in June and maybe they were going to get around to working on it after the holidays. And there are two new variants out this week that aren't considered, so be ready for the next round in a month or so as well.

      You can't expect Intel to get these things done immediately, people! (the class action suits are going to love that they didn't fix it with six months' warning).

      This sounds very much like the Navy-owned submarine torbedo development facility, at the beginning of WWII. They sounded just the same and showed the same organizational problems, when the torbedoes that the submariners used failed to explode, over and over. Like 8 fired and one worked!

      They were later found to have half a dozen serious bugs and defects, which had never been tested. Estimated to have caused a number of our ships to be destroyed and over 800 people to be killed!

      And not all computers just run

    • Ok, understandably, the ignorance of many comments here make sense on the surface: Intel how long really does it take you to fix this, you incompetent bunch of nerfherders!

      Well, my guess, is that the fix was pretty much knocked out within days. Then a bit longer to get it 99.9% right. Then a month to get it 99.99% right. Then three months to get it validated, and verified, to 99.999% right.

      Intel needs to be 99.9999% right because of the volume of different designs and chips out there and the possibility of

      • Re: (Score:2)

        by HiThere ( 15173 )

        For Metldown, the quality of the last patch they offered, which was so bad that company after company said "don't install that" (though, AFAIK, only Linus added "garbage") seems to indicate that they didn't start development of the patch until after public notice.

        Spectre is a different problem, but Meltdown ought to be fixable, if only by disabling the running speculative execution. (Whether they can do better than that I wouldn't guess.) OTOH, that approach should also solve Spectre...but nobody wants to

  • Q3 2015 (Score:5, Interesting)

    by darkain ( 749283 ) on Wednesday February 21, 2018 @02:20PM (#56165359) Homepage

    Skylake launched Q3 2015. So Intel is pushing the patch for barely more than 2 years worth of product. What about the millions (billions?) of systems out there that were not replaced in the past two years? Are they going the same way of Android in the "well fuck, sucks to be you!" mentality of security because the device isn't the absolute latest and greatest? I'm thinking they only supported back that far is because there are Xeon-D CPUs that launched Q1 2018 with Skylake architecture, and Intel is all over that Xeon-D right now (this is what Facebook is now using)

    • My guess is that they will go back further than they need to in order to cover all their products under warranty. Anything beyond that is them just being nice.

      • Re: Q3 2015 (Score:1)

        by Anonymous Coward

        Well, my next CPUs will be AMDs, for the foreseeable future. Fuck Intel.

    • Re: (Score:2)

      by AHuxley ( 892839 )
      Re: systems out there that were not replaced in the past two years?
      Buy a new CPU soon that will be tested before its approved for the production line.

  • Don't we have a chimp or a rabbit that we could test this stuff on first?

  • So have we finally put to bed the finger pointing going on between Intel, Dell, and Redhat yet?

  • Well

    https://downloadcenter.intel.c... [intel.com]

    finds only ancient, 2017 microcode version :-(

  • Now with less reboot! (Score:1)

    by Anonymous Coward

    But more crashes!

  • Still shipping vulnerable processors? (Score:3)

    by NewtonsLaw ( 409638 ) on Wednesday February 21, 2018 @04:24PM (#56166211)

    Is Intel still shipping processors with these vulnerabilities?

    If so, you have to ask "what the hell are they thinking"?

    Would Ford or Chevy be allowed to keep selling a vehicle which was known to have defects that made it unroadworthy even before you drove it off the showroom floor?

