Microsoft works weekends to kill Intel's shoddy Spectre patch

 
January 29th 2018
Out-of-band patch may assuage user anger over Intel crudware, closed-club disclosure process
Microsoft has implemented Intel's advice to reverse the Spectre variant 2 microcode patches.

Redmond issued a rare weekend out-of-cycle advisory on Saturday to make the unwind possible.

Intel's first patch was so bad, it made many computers less stable, sending Linus Torvalds into a justifiable meltdown last week.

Chipzilla later withdrew the patch, but it had made its way into a Microsoft fix, which the company pulled on Saturday.

“Our own experience is that system instability can in some circumstances cause data loss or corruption,” Microsoft wrote, adding “We understand that Intel is continuing to investigate the potential impact of the current microcode version and encourage customers to review their guidance on an ongoing basis to inform their decisions.”

This applies only to the Spectre patch, Microsoft emphasised: “Application of this payload specifically disables only the mitigation against CVE-2017-5715 – 'Branch target injection vulnerability.'”

It noted that as far as anyone knows, nobody's yet weaponised Spectre variant 2.

LinuxConf panel: embargo a "sh!t-show"
The handling of Spectre and Meltdown received sharp criticism at last week's LinuxConfAU in Sydney, with Linux Foundation technical advisory board member Jonathan Corbet complaining of the ongoing secrecy about events between the first private reports of the bugs and their eventual disclosure (which The Register broke on January 2).

Instead of the disclosure processes used for most vulnerabilities, Corbet said, “This disclosure process was handled very differently,” and nobody's explained why.

Corbet later added “I'd like the industry to end at least that piece of it, so that we can get the whole story out there, and figure out how to do better the next time around”.

Developer Jess Frazelle said disclosure could be improved by “not having an absolute shit-show of an embargo”, while Katie McLaughlin added that only big cloud providers were in the know: “It seems to be like an exclusive club as to whether you know or don't know, and it's not really clear the lines of who should be informed.”

A video of the conference panel is below, for your viewing pleasure.
