Microsoft disables Spectre mitigations as Intel’s patches cause instability (opens in new tab)

(securityweek.com)

757 pointstomtoise8y ago315 comments

315 comments

These updates most definitely could've been handled better. I was having a busy week with exams and I get a call about around 10 machines not booting (this was before the announcement). Sure enough, last thing everyone reported was updating. I call the supplier and apparently they have reports of at least 2000 machines (at that moment) that had to be reimaged across the city (from what I could tell, all were older AMD PCs) because of this dumb update. I was used to not being to able to trust software, but if I can't trust hardware now either, farming does suddenly appear much more appealing.

InvisibleCities8y ago

Trust me, if you don't like the idea of your entire livelihood hinging on weather or not a piece of equipment boots up, farming is NOT the career for you.

Spare_account8y ago

I like what you did with the typo there.

noiv8y ago

I like the idea of Internet Weather. Seems probability of rain is currently increasing. And so does anticipation of floods and surges.

2 more replies

mygo8y ago

Holy wow. This is prose. This is poetry.

1 more reply

KindOne8y ago

Become a goat farmer. https://www.reddit.com/r/sysadmin/comments/4l7kjd/found_a_te...

lettergram8y ago

Fully support lol you can buy land in Colorado pretty cheap.

Had a friend do that... He bought 3 acres, spent a couple years building a cabin in his free time. Then one day just quit and went off to the woods.

Still visit him and he seems pretty happy with it. He doesn't need much income and makes enough money off odd jobs he seems to be doing pretty well.

protomyth8y ago

One of the attempts at adding to the list "Nobody is ever going to sell you goats as a service." is actually wrong. Companies do rent goats for land clearing[1]. Go for beekeeper then you too can do "bees as a service"[2].

1) http://rentagoat.com/

2) http://americanbeejournal.com/insights-honey-pollination-pac...

astrange8y ago

But if you look into their eyes, you can still see the progress bars…

c3534l8y ago

Farming is all mechanized these days. Farmers have to deal with OS and firmware updates on their tractors.

stickfigure8y ago

...and DRM: https://motherboard.vice.com/en_us/article/xykkkd/why-americ...

spike0218y ago

Yeah, AWS had scheduled reboots that were supposed to happen around the day this was all announced, so we had to scramble to deal with them manually beforehand so we'd ensure our systems booted up properly.

tjoff8y ago

I lost many hours over this last week. The system was unable to boot and finally a thread on reddit came to the rescue ( https://www.reddit.com/r/techsupport/comments/7sbihd/howto_f... ).

This actually made the system boot but there are some leftovers being installed on first boot that I've been unable to disable that also causes the system to be unable to boot.

So now, the machine is running but as soon as it is restarted we have to re-image the disk, go through the process of manually removing patches, and then pray that we don't have a power shortage as we'd have to do everything yet again on next boot.

I'm not convinced that this patch will solve the issue either, because if this updates requires a reboot the fix won't be installed if we can't boot. I might try to install this update from the recovery console see if that works.

Quite frustrating.

thanksgiving8y ago

Speaking of which, why do so many things require reboot to update on Windows?

beagle38y ago

There is a very fundamental difference between how Unix and Windows view open files:

On Windows, once the file is open, it is that filename that is open; You can't rename or delete it; Therefore, if you want to replace a DLL (or any other file) that is in use, you have to kill any program that uses it before you can do that; And if it's a fundamental library everything uses (USER32.DLL COMCTL.DLL etc), the only effectively reliable way to do that is reboot.

On Unix, once you have a handle=descriptor of the file, the name is irrelevant; You can delete or rename the file, The descriptor still refers to the file that was opened. Thus, you can just replace any system file; Existing programs will keep using the old one until they close/restart, new programs will get the new file.

What this means is, that even though you don't NEED to restart anything for most upgrades in Unix/Linux, you're still running the old version until you restart the program that uses it. Most upgrade procedures will restart relevant daemons or user programs, or notify that you should, (e.g. Debian and Ubuntu do).

You always need a reboot to upgrade a kernel (kernel-splice and friends not withstanding), but otherwise it is enough in Unixes to restart the affected programs.

10 more replies

josteink8y ago

> Speaking of which, why do so many things require reboot to update on Windows?

Can't speak for everyone else, but Windows fully supports shared file-access which prevents the kind of file-locks which causes reboot requirements.

The problem is that the default file-share permissions in the common Windows APIs (unless you want to get verbose in your code) is that the opening process demands exclusive access and locking to the underlying file for the lifetime of that file-handle.

So unless the programmer takes the time to research that 1. these file-share permissions exists, 2. which permissions are appropriate for the use-cases they have in their code, and 3. how to apply these more lenient permissions in their code...

Unless all that, you get Windows programs which creates exclusive file-locks, which again causes reboot-requirements upon upgrades. Not surprising really.

In Linux/UNIX, the default seems to be the other way around: Full-sharing, unless locked down, and people seem prepared to write defensive code to lock-down only upon need, or have code prepare for worst-case scenarios.

pjc508y ago

Windows executables are opened with mandatory exclusive locking. So you can't overwrite a program or its DLLs while any instances of it are running. If a DLL is widely used, that makes it essentially impossible to update while the system is in use.

There is a registry key which allows an update to schedule a set of rename operations on boot to drop in replacement file(s). https://blogs.technet.microsoft.com/brad_rutkowski/2007/06/2...

1 more reply

vetinari8y ago

> Speaking of which, why do so many things require reboot to update on Windows?

We are getting there on Linux too - with atomic or image based updates of the underlying system. On servers you will (or already) have A/B partitions (or ostrees), on mobiles and IoT too, some desktops (looking at Fedora) also prefer reboot-update-reboot cycle, to prevent things like killing X while doing your update and leaving your machine in inconsistent state.

macOS also does system updates with reboot, for the same reasons.

2 more replies

Shivetya8y ago

I used to joke that Windows was alone in this issue, my work laptop being a prime example, but even Apple tends to towards reboots more often than not and especially as of late. Fortunately both can do it during slow periods; as in over night; and make updates nearly invisible to users.

jameshart8y ago

So that's a fine question to ask, and you've received many fascinating answers, but can I just suggest that this case - that is, applying patches that relate to the security of your processor cache - is a very fine reason for requiring a reboot, since it will ensure that your processor cache starts out fresh and all behaviors that cause data to be placed there are correctly following the patched behavior.

faragon8y ago

The main reason is that in Windows executable files and dynamic libraries (.exe and .dll) are locked while a process is using them, while in other systems, e.g. Linux, you can delete them from disk. The only absolute need for reboot should be an OS kernel update (there are cases where a kernel could be updated/patched without a reboot).

Momquist8y ago

I think a better question would be: why does Windows need multiple successive reboots? Too often my experience can be resumed as: update-reboot-reboot-update continuing-reboot... ad nauseam.

At least on *nix, even when you need a reboot, once is enough.

gaius8y ago

To force a reinitialisation of all security contexts. Same reason that many websites make you log in again immediately after changing your password (which interestingly Windows doesn’t)

Historically (Windows 95 and earlier) reboots were required to reload DLLs and so on but that’s not really true anymore. Still a lot of installers and docs say to reboot when it’s not really necessary as a holdover from then

1 more reply

chli8y ago

Same thing happened to me this week-end and we are not alone [1]. The worst is that it's actually the second time on this computer (Kaby Lake i3 on a MB with Intel B250 Chipset). I had the same issue in December last year (exact same behaviour with probably an earlier version of that hotfix).

I'm running with Windows Update service disabled till this is fixed for good !

[1] https://answers.microsoft.com/en-us/windows/forum/windows_10...

dhimes8y ago

I have not been able to disable the update service. I'm supposed to be able to, but damn if I don't open my computer in the morning and see everything closed (and lock files all over the place) and all kinds of annoying shit like this.

I actually like Win 10, but it's shit like this that keeps me from becoming a true convert. Oh, for $X00 I can get enterprise update, but IMO that's just Win 10 home being used as ransomware. /rant

cesarb8y ago

In a related development, there are proposed patches to the Linux kernel (not yet merged) to blacklist the broken microcode updates: https://www.spinics.net/lists/kernel/msg2707159.html

That patch disables the use by the kernel of the new IBPB/IBRS features provided by the updated microcode, when it's of a "known bad" revision. Since Linux prefers the "retpoline" mitigation instead of IBRS, and AFAIK so far the upstream kernel (and most of the backports to stable kernels) doesn't use IBPB yet, that might explain why Linux seems to have been less affected by the microcode update instabilities than Windows.

Also interesting: that patch has a link to an official Intel list of broken microcode versions.

Valmar8y ago

> In a related development, there are proposed patches to the Linux kernel (not yet merged) to blacklist the broken microcode updates

Linus probably won't pull it until it's truly known to be stable, because of his attitude towards having decent quality code and not causing needless system instability.

Without Linus... who knows what would have happened by now.

cesarb8y ago

They are on the "tip" tree (https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/...), so they'll probably be sent to Linus as soon as the merge window opens (Linux 4.15 has just been released, so the merge window should open soon). I expect these patches to be on 4.16, and also to be backported to the stable releases (4.15.x and others).

But yeah, upstream Linux kernel development is taking it slow. As far as I can see, variant 3 mitigations (PTI) are already in, variant 2 mitigations are partially in (retpoline) and partially not (the microcode dependent ones), and variant 1 mitigations are still under discussion.

2 more replies

speedie8y ago

Everyone would have politely installed their "fixes" . This situation shows why linus was swearing .

1 more reply

ComodoHacker8y ago

>However, Intel does not appear too concerned that the incident will affect its bottom line - the company expects 2018 to be a record year in terms of revenue

There is an interesting paradox in our industry. If you pay enough attention (read: money) to security, you will be late to the market, your costs will be high and you lose profit. If you don't pay enough attention, you take the market, get your profits, but your product (be it hardware or software) and reputation will be screwed later. And worst of all: there's never enough attention to security.

So by simple logic, an optimal strategy is to forge your product quickly, take your profits within a [relatively] short period and vanish from the market. I guess we'll see this strategy executed from IoT vendors when market start to punish them for their bad sec.

For Intel, that "long period" just happened to be REALLY long.

AnIdiotOnTheNet8y ago

I doubt Intel will see serious punishment in the market. As usual, there will be a lot of wailing and gnashing of teeth but when push comes to shove most people will prioritize nearly everything over security.

All markets work like this. People bitch about the quality of products, but still buy the cheap stuff.

javajosh8y ago

This will be true until something uses Meltdown in the wild to cause massive damage. When a digital superflu comes, businesses and individuals will be faced with a choice: continue to use Intel and be vulnerable to a flu that is literally wiping out businesses, exchanges, hospitals, etc or replace ALL of their hardware with AMD.

Interestingly, I think AMD has a lot of motive to create such a superflu, or at least encourage it's creation.

1 more reply

_jal8y ago

Intel is TBTF. Like the banks but in via different mechanism, they appear to have reached consequence-immunity by becoming critical infrastructure.

curun1r8y ago

The same could've been said about Microsoft 10-15 years ago. Now, we could probably get by without them.

Intel may be too big for an abrupt failure, but they can absolutely fail in a decade-long slide into obscurity.

Feniks8y ago

Feature of the industry. It would take a new corp entering into the chip industry hundreds of billions and decades to get where Intel is today.

doktrin8y ago

You conclusion isn't in agreement with the section you quoted, so are you saying that Intel will be punished by the market in the mid to distant future (after 2018)?

stinos8y ago

"Here's a patch" - "Here's a patch to disable that other patch" - ...

What's next? Repeat? Sounds like this could turn into a maintainance nightmare quickly. Also because I've introduced things like that myself in the past, and that was for normal applications and not a kernel or OS. Somewhere, someday, there's usually this one exception for which none of your rules hold true and the thing blows up in your face. Anyway, I'd love to see the actual code for this. Not a chance probably?

hishnash8y ago

Im really wanding they had more than 6months to do these patches and they did not bother testing on a good number of systems. Its not like MS + Intel dont have enough money to buy a few 1000 testing machines and get some testers on it.

prewett8y ago

Have you released a bugfix to a large application? I've had one line fixes break some use case I hadn't even heard of before, and it doesn't always show up right away, either. Intel's fix has to work on every application in every version of Windows, macOS, Linux, for multiple versions of processors with multiple different chipsets. And it has to be done yesterday. That's a nightmare scenario.

x0x08y ago

I came here to ask the same thing. How did these folks squander six months?

1 more reply

im3w1l8y ago

Only reason I can think of is that they didn't immediately realize how much of a headache it would be.

PerusingAround8y ago

I'm amazed on how Intel's stock price still keeps going UP, despite all these problems... just WOW.

adtac8y ago

The recent jump is because they released a good earnings report.

https://www.cnbc.com/2018/01/26/intc-intel-stock-jumps-to-hi...

collinmanderson8y ago

I have a feeling there's going to be a lot of demand for future Intel hardware that's immune to spectre and meltdown. I think it might cause _more_ sales of Intel chips in the future, not fewer.

xigency8y ago

Regardless of sales, I would think damage to their image would be a concern. Maybe it's not a concern to investors because their "PR nightmare" turned out to be softball for them, and it's been hard to pin anything on Intel when they keep pointing fingers in all directions.

I think it's our responsibility as technology literate folks and decision makers to explicitly highlight their failures so that mistakes and poor handling like this are not normalized.

1 more reply

NelsonMinar8y ago

What, are you going to stop buying Intel processors?

ImaCake8y ago

I will, but I am just a guy who builds his own computer every few years.

speedie8y ago

I tend to think it's because the folk who trade with stock very well know that these "issues" are actually features. I can also bet that that "grilling" they get from US government is not about the mess the chip flaws are doing , it's about why the "flaws" were publicly announced.

fineng1238y ago

I think we're just in a bull market so people ignore bad news

ggregoire8y ago

Do you know someone who is going to stop buying Intel's CPUs?

tyfon8y ago

I know in my company this has indeed resulted in a full stop in buying Intel and going AMD instead. There is also an active "project" to replace the Intel servers.

I work in a bank and they are terrified of the possibility of user processes reading privileged memory. Not necessarily out of actual fear but out of the insane amount of paperwork this will require to satisfy the auditors that it is still safe.

Anecdotally, but you asked for "someone" and here is someone :)

1 more reply

speedie8y ago

Well , Linus already said perhaps linux should look at the arm folk . Should that happen , well guess what ? From my very small knowledge , 90+% of internet infrastructure runs on linux .

1 more reply

ceejayoz8y ago

Spectre affects AMD, too, so there's no competitor to run to... and CERT was saying at one point that only new processors would fully fix it. They're looking at everyone needing to buy a bunch of replacement products, aren't they?

Valmar8y ago

Spectre v2 affects AMD less drastically than it does with Intel, because of the architectural differences between Zen and Intel's processors.

HugoDaniel8y ago

So much for the embargo period. I guess the bsd people were not so wrong after all. They might as well just had published it as soon as it was found.

Valmar8y ago

Intel has had literally months upon months to test and stabilize their microcode and kernel-side patches for Meltdown/Spectre... but it seems like Intel just doesn't give half a shit, if they're having major issues now.

Intel's actions seem to shout that they have cared far more about releasing Kaby/Skylake X and Coffee Lake in short order, as a response to Ryzen/ThreadRipper, than actually really digging into fixing their major security flaws. Their actions speak of them preferring to keep their market and mindshare over actually fixing any security issues.

Intel is still so deeply entrenched that they likely believe that they can get away with their lazy approach. They make millions upon millions, if not billions of dollars ~ why should they give a shit, when their monopoly and half-hearted attempt at a solution will get them by? Intel is being strangled by their shitty management, seemingly...

tallanvor8y ago

By my reading of the article, Microsoft is disabling some mitigations for Spectre due to instabilities that Intel's microcode update have been causing.

Intel certainly isn't making any friends these days...

hishnash8y ago

I would love to see the message log between MS Apple and Intel on this.

1 more reply

notspanishflu8y ago

It is not only Microsoft reverting this patch. HP, Dell or Red Hat are doing that as well.

https://www.bleepingcomputer.com/news/microsoft/microsoft-is...

mosselman8y ago

So what can I do for my next self-built pc? Get some AMD equipment, or is that not enough?

hishnash8y ago

AMD have released patches (to reduce the near-zero risk of exploit to 0 risk) and they are not having any instability issues! so yes go with AMD

for server, Epyic is now finally available to purchase for desktop workstation Threadripper for desktop RyZen

for mobile... not many newer cpus out yet.. need to wait :(

avtar8y ago

I'm eyeing Threadripper for my next build but beyond that I'm going to choose a motherboard vendor based on the level of support they offer in this scenario. Some observations that I'm making:

* How promptly did they address the issue via official channels, i.e. did they leave users in the dark as they appealed to vendors in their forums (hint: most of them seem to have gone down this route) or did they share updates directly on their official sites, social media accounts, etc.

* Did they provide some estimates as to when users could expect patches?

* How much of their product catalogue were they willing to cover with security updates? Since this is a unique security issue with high impact I would have expected them to cover motherboards at least 4-5 years old.

ShroudedNight8y ago

For those in the market for an X399/TR4 motherboard, have you come to any conclusions?

1 more reply

ihsw28y ago

AMD equipment should be fine, current-gen Ryzen/Threadripper is more than adept at workstation tasks and next-gen Ryzen (named Ryzen 2 and Threadripper 2) will edge out any advantage that Intel's CPUs have.

ageofwant8y ago

I'll be getting a few high-end Intel CPU's that will soon flood the market on the cheap for home machines running arch.

chrisper8y ago

Depends on what you are building it for.

mosselman8y ago

I have my macbook for work and programming, my PC has windows on it (much to my dislike) and I use it for occasional gaming. I will probably not get new parts anytime soon though as performance is currently fine. Just wondering for when someone asks me to build them a PC.

1 more reply

megaman228y ago

I've not been impressed with my Windows 10 installations of late. All my machines that don't have the Long Term Servicing Branch have had wild instabilities and performance issues the past few months - crazy things, like the task manager taking minutes to launch, and the whole shell periodically crashing. The Fall Creators Update was so bad I had to wipe and start over on some boxes. It's not engendering a lot of confidence in their competence of late.

dimmuborgir8y ago

Creators Updates (1703 / 1709) are the culprits. LTSB (1607) has not been upgraded to Creators Update yet and it runs like butter.

nippples8y ago

Gee, if only they had a Linus Torvalds type around to block irresponsible commits.

duncan_bayne8y ago

They did, once upon a time, after a fashion:

https://www.joelonsoftware.com/2006/06/16/my-first-billg-rev...

https://www.wired.com/2002/01/bill-gates-trustworthy-computi...

kyberias8y ago

I had to read that billg-review thing one more time. It's such a wonderful story.

mtgx8y ago

Didn't Torvalds already accept Intel's "garbage" Linux kernel patches?

icebraining8y ago

I don't think so, they're still under discussion on LKML, including an alternative proposal by Ingo Molnar.

bonzini8y ago

Nah, it's just the well-known issue with the microcode being buggy. There's nothing new really.

ksk8y ago

Microcode is not reviewed by anyone outside of Intel.

Thimothy8y ago

I never got them. The last update in my windows is from Dec 2017. My antivirus is compliant, the registry key correctly set up and yet it refuses to update.

I still haven't had the time to debug it, but I wonder how many people are out there with their OS silently refusing to update.

epistasis8y ago

I had huge problems with Win 10. Updates wold fail and install again and again without actually getting installed. Sometimes I would get an opaque error number but web searches revealed nothing for that number, and it was rare that I would be able to find even an error number. I don't do Windows, and just installed it for VR, and didn't spend that much time in Windows, so I would spend 15-30 minutes looking a month, before realizing I had spent more debugging time than VR time that week.

After probably 9 months of this, and with Windows doing ever more intrusive pop overs whenever I launched it for updates that don't take, I wiped all boot sectors everywhere and installed from scratch. That seemed to work, but it was incredibly frustrating that the boot process was so buggy as was error reporting. I've never encountered a situation like it in the past 15 years of heavy Linux use. Problems there are usually solvable with a couple web searches, even for extremely obscure kernel bugs with obscure packages. Windows refused to tell me anything as did the web.

whywhywhywhy8y ago

I built a Windows machine for 3D work and VR just over a year ago, after being a Mac only user for 15+ years. Honestly my Win 10 experience has been the total opposite, it's been stable, fast, minimum update nagging. Overall I've actually been shocked how stable and hassle free the experience has been.

Maybe I just got lucky with the right combination of hardware.

speedie8y ago

So , Linus was right for cursing at Intel ?

akerro8y ago

UTTER GARBAGE

dang8y ago

Please don't.

https://news.ycombinator.com/newsguidelines.html

2 more replies

speedie8y ago

Sry , my cognitive abilities have been at real low of lately . Took me a while to comprehend your comment. Spot on m8 ;)

ohiovr8y ago

My brother was hit by a recent update to Windows 7 that prevented the machine from booting. He went to Microcenter to buy a hard drive. There were a lot of people doing the same thing for the same reason when he was there.

quiq8y ago

I don't use the windows side of my machine very often, but decided to update it last night. Booted fine (OS on SSD), but one of the HDDs with all of the windows files was corrupted. No go with ntfsfix, chkdsk, partition table destroyed. Reformatted it as ext4 and windows doesn't get to touch it anymore. Haven't tested it too much yet but seems to be working fine.

Remember to use backups!

ohiovr8y ago

My brother did have major data loss. And no real backup strategy.

shultays8y ago

Amount of fuck-up in this whole issue is mind blowing. I am getting more surprised with every new I get

dotdi8y ago

Intel has been called out by Linus Torvalds several days ago for the crappy fixes they delivered for GNU/Linux. I would be very surprised if Intel actually shipped proper fixes for Windows. It's a shame, really.

DominikD8y ago

And then another developer kindly explained why he's wrong. It's fun to listen to Linus' rants, sure, but he's not always correct.

1 more reply

watwut8y ago

Those were not delivered fixes, that was work in progress that is still work in progress. And the dude who was "called out" works for Amazon.

2 more replies

mtgx8y ago

But wait, there's more!

https://www.techrepublic.com/article/03175c88-5c9b-4ccd-ac62...

534b44a8y ago

I doubt some the best/most popular players of the USA-tech-industry dream team will get any real punishment at their own soil. Any fines will give a sense of justice to the public but it will just be peanuts.

2 more replies

imglorp8y ago

I wonder how much all this cleanup will cost in hours, downstream, for all the installed users? Judging by all the grief on this thread it's substantial.

bartl8y ago

>Intel, AMD and Apple face class action lawsuits over the Spectre and Meltdown vulnerabilities.

I sure hope Intel will face a class action suit over this botched update. Many professionals have wasted countless hours dealing with this junk.

cjsuk8y ago

Not what I wanted to wake up to this morning. I suspect we’re in for a rough ride for a long time thanks to this mess.

kzrdude8y ago

Your comment is even more fitting today (politics)

chrisper8y ago

Just checked for Updates, but there don't seem to be any?

taspeotis8y ago

“If you are running an impacted device, this update can be applied by downloading it from the Microsoft Update Catalog website”

https://support.microsoft.com/en-us/help/4078130/update-to-d...

chrisper8y ago

Thanks

thg8y ago

Just in case you, like me, missed the memo where Microsoft said they'd stop supplying security updates if you have no AV / AV incompatible with the patches installed. The fix to the former is creating the registry entry manually.

https://support.microsoft.com/en-us/help/4072699/january-3-2...

morsch8y ago

Bizarre.

Customers without Antivirus

In cases where customers can’t install or run antivirus software, Microsoft recommends manually setting the registry key as described below in order to receive the January 2018 security updates.

3 more replies

Santosh838y ago

Microsoft won't supply updates even if you have no AV installed, including builtin Defender disabled??

I thought stopping updates was only for the case of unpatched AVs that did not set the registry key...

2 more replies

mm-vorticesoft8y ago

Linus was right

anfilt8y ago

Well he is known for calling a spade a spade. No matter how blunt that may be.

cat1998y ago

except for when he is wrong.

Why he gets a pass for being the 'nice guy' and DeRaadt gets the bad rep is still a mystery to me

cm21878y ago

I thought he was angry about the mitigation being disabled by default, not being unstable.

icebraining8y ago

Nah, it was more than that: The patches do things like add the garbage MSR writes to the kernel entry/exit points. That's insane. That says "we're trying to protect the kernel". We already have retpoline there, with less overhead.

1 more reply

sundarurfriend8y ago

His overall point was a bewilderment at the incompetent and non-sensical patches that were being given as "fixes" in this issue. Linus was pointing out a particular instance of that, but this news and other behaviour from Intel seems to indicate this is part of an endemic, cultural, administrative issue inside the company.

byte19188y ago

Aren't we talking about two different things? Linux vs Windows kernel?

cbcoutinho8y ago

OP is probably referencing the 'bullshit patches from Intel' comment from Linus about the patches they were sent, and that Microsoft might have been sent similar obfuscatory patches.

pjmlp8y ago

Given that the patches are CPU micro-code delivered by OS drivers, AFAIK, the actual OS won't make much difference.

topspin8y ago

"Decades old trap/fault software is being replaced by 10-20 operating systems, and there are going to be mistakes made."

- Theo de Raadt

richardwhiuk8y ago

Linus was talking about Linux patches, not these microcode patches. They've been known broken for at least a week

mehrdadn8y ago

About what? Would you have a link?

bmon8y ago

Linus Torvalds: “Somebody is pushing complete garbage for unclear reasons.” http://lkml.iu.edu/hypermail/linux/kernel/1801.2/04628.html

1 more reply

gsich8y ago

Like always.

Valmar8y ago

He generally is. His rants are almost always spot-on and pure gold. :)

emptyfile8y ago

What are you talking about?

debt8y ago

I mean, is this an unmitigated disaster on Intel's part? It's like a train wreck in slow motion.

A part of me feels this stories like this are going to keep getting worse until Spectre is finally used in the wild.

dsign8y ago

What a mess!

The day this blew up we rented our first physical server for the express purpose of running secure critical workloads in unpatched environments. Yes, I know that there is nothing secure, but not everything we do is running a chunk of logic uploaded by an attacker, so we will take our chances.

hi418y ago

What does the Spectre bug mean for a person planning to buy a new windows computer? Should I buy an AMD CPU based computer instead of an Intel based computer?

Roritharr8y ago

I'm pretty sure these patches were responsible for my notebook crashing everytime i hooked it up to our Thunderbolt 3 Dockingstations.

kuon8y ago

Anybody know what is the status of FreeBSD? I googled a bit and found nothing except "we wait", is it still the case?

mehrdadn8y ago

Anyone know if people who had disabled the mitigations via FeatureSettingsOverride = 3 were still affected?

mark_l_watson8y ago

A more accurate title would be that Microsoft disabled the specter mitigation’s due to a flawed Intel update, right? I thought this was all Microsoft’s fault until getting half way through the article.

joemaller18y ago

Even more accurate: Microsoft joins HP, Dell, Lenovo, VMware and Red Hat in disabling Intel's buggy Spectre patch.

> HP, Dell, Lenovo, VMware, Red Hat and others had paused the patches and now Microsoft has done the same.

giancarlostoro8y ago

It's really telling that even Linus Torvalds was not happy with their "fixes" and now Microsoft. Intel needs to start taking the situation completely seriously cause their actions don't imply they are.

segmondy8y ago

Intel doesn't care. What choice do we have?

4 more replies

dang8y ago

Thanks. We've edited the title above.

rootw0rm8y ago

Ugh, is this the cause of the weird bugchecks I've been having this week? Just gave myself 64gb page file and enabled full memory dumps so I could track it down in WinDbg. I always forget something on fresh installs...

IanSanders8y ago

Meanwhile Intel stock is at 5 year highest

j / k navigate · click thread line to collapse

315 comments

zingmars8y ago

InvisibleCities8y ago

Trust me, if you don't like the idea of your entire livelihood hinging on weather or not a piece of equipment boots up, farming is NOT the career for you.

Spare_account8y ago

I like what you did with the typo there.

noiv8y ago

I like the idea of Internet Weather. Seems probability of rain is currently increasing. And so does anticipation of floods and surges.

2 more replies

mygo8y ago

Holy wow. This is prose. This is poetry.

1 more reply

KindOne8y ago

Become a goat farmer. https://www.reddit.com/r/sysadmin/comments/4l7kjd/found_a_te...

lettergram8y ago

Fully support lol you can buy land in Colorado pretty cheap.

Had a friend do that... He bought 3 acres, spent a couple years building a cabin in his free time. Then one day just quit and went off to the woods.

Still visit him and he seems pretty happy with it. He doesn't need much income and makes enough money off odd jobs he seems to be doing pretty well.

protomyth8y ago

1) http://rentagoat.com/

2) http://americanbeejournal.com/insights-honey-pollination-pac...

astrange8y ago

But if you look into their eyes, you can still see the progress bars…

c3534l8y ago

Farming is all mechanized these days. Farmers have to deal with OS and firmware updates on their tractors.

stickfigure8y ago

...and DRM: https://motherboard.vice.com/en_us/article/xykkkd/why-americ...

spike0218y ago

tjoff8y ago

I lost many hours over this last week. The system was unable to boot and finally a thread on reddit came to the rescue ( https://www.reddit.com/r/techsupport/comments/7sbihd/howto_f... ).

This actually made the system boot but there are some leftovers being installed on first boot that I've been unable to disable that also causes the system to be unable to boot.

Quite frustrating.

thanksgiving8y ago

Speaking of which, why do so many things require reboot to update on Windows?

beagle38y ago

There is a very fundamental difference between how Unix and Windows view open files:

You always need a reboot to upgrade a kernel (kernel-splice and friends not withstanding), but otherwise it is enough in Unixes to restart the affected programs.

10 more replies

josteink8y ago

> Speaking of which, why do so many things require reboot to update on Windows?

Can't speak for everyone else, but Windows fully supports shared file-access which prevents the kind of file-locks which causes reboot requirements.

Unless all that, you get Windows programs which creates exclusive file-locks, which again causes reboot-requirements upon upgrades. Not surprising really.

pjc508y ago

There is a registry key which allows an update to schedule a set of rename operations on boot to drop in replacement file(s). https://blogs.technet.microsoft.com/brad_rutkowski/2007/06/2...

1 more reply

vetinari8y ago

> Speaking of which, why do so many things require reboot to update on Windows?

macOS also does system updates with reboot, for the same reasons.

2 more replies

Shivetya8y ago

jameshart8y ago

faragon8y ago

Momquist8y ago

I think a better question would be: why does Windows need multiple successive reboots? Too often my experience can be resumed as: update-reboot-reboot-update continuing-reboot... ad nauseam.

At least on *nix, even when you need a reboot, once is enough.

gaius8y ago

To force a reinitialisation of all security contexts. Same reason that many websites make you log in again immediately after changing your password (which interestingly Windows doesn’t)

1 more reply

chli8y ago

I'm running with Windows Update service disabled till this is fixed for good !

[1] https://answers.microsoft.com/en-us/windows/forum/windows_10...

dhimes8y ago

I actually like Win 10, but it's shit like this that keeps me from becoming a true convert. Oh, for $X00 I can get enterprise update, but IMO that's just Win 10 home being used as ransomware. /rant

cesarb8y ago

In a related development, there are proposed patches to the Linux kernel (not yet merged) to blacklist the broken microcode updates: https://www.spinics.net/lists/kernel/msg2707159.html

Also interesting: that patch has a link to an official Intel list of broken microcode versions.

Valmar8y ago

> In a related development, there are proposed patches to the Linux kernel (not yet merged) to blacklist the broken microcode updates

Linus probably won't pull it until it's truly known to be stable, because of his attitude towards having decent quality code and not causing needless system instability.

Without Linus... who knows what would have happened by now.

cesarb8y ago

2 more replies

speedie8y ago

Everyone would have politely installed their "fixes" . This situation shows why linus was swearing .

1 more reply

ComodoHacker8y ago

>However, Intel does not appear too concerned that the incident will affect its bottom line - the company expects 2018 to be a record year in terms of revenue

For Intel, that "long period" just happened to be REALLY long.

AnIdiotOnTheNet8y ago

All markets work like this. People bitch about the quality of products, but still buy the cheap stuff.

javajosh8y ago

Interestingly, I think AMD has a lot of motive to create such a superflu, or at least encourage it's creation.

1 more reply

_jal8y ago

Intel is TBTF. Like the banks but in via different mechanism, they appear to have reached consequence-immunity by becoming critical infrastructure.

curun1r8y ago

The same could've been said about Microsoft 10-15 years ago. Now, we could probably get by without them.

Intel may be too big for an abrupt failure, but they can absolutely fail in a decade-long slide into obscurity.

Feniks8y ago

Feature of the industry. It would take a new corp entering into the chip industry hundreds of billions and decades to get where Intel is today.

doktrin8y ago

You conclusion isn't in agreement with the section you quoted, so are you saying that Intel will be punished by the market in the mid to distant future (after 2018)?

stinos8y ago

"Here's a patch" - "Here's a patch to disable that other patch" - ...

hishnash8y ago

prewett8y ago

x0x08y ago

I came here to ask the same thing. How did these folks squander six months?

1 more reply

im3w1l8y ago

Only reason I can think of is that they didn't immediately realize how much of a headache it would be.

PerusingAround8y ago

I'm amazed on how Intel's stock price still keeps going UP, despite all these problems... just WOW.

adtac8y ago

The recent jump is because they released a good earnings report.

https://www.cnbc.com/2018/01/26/intc-intel-stock-jumps-to-hi...

collinmanderson8y ago

I have a feeling there's going to be a lot of demand for future Intel hardware that's immune to spectre and meltdown. I think it might cause _more_ sales of Intel chips in the future, not fewer.

xigency8y ago

I think it's our responsibility as technology literate folks and decision makers to explicitly highlight their failures so that mistakes and poor handling like this are not normalized.

1 more reply

NelsonMinar8y ago

What, are you going to stop buying Intel processors?

ImaCake8y ago

I will, but I am just a guy who builds his own computer every few years.

speedie8y ago

fineng1238y ago

I think we're just in a bull market so people ignore bad news

ggregoire8y ago

Do you know someone who is going to stop buying Intel's CPUs?

tyfon8y ago

I know in my company this has indeed resulted in a full stop in buying Intel and going AMD instead. There is also an active "project" to replace the Intel servers.

Anecdotally, but you asked for "someone" and here is someone :)

1 more reply

speedie8y ago

Well , Linus already said perhaps linux should look at the arm folk . Should that happen , well guess what ? From my very small knowledge , 90+% of internet infrastructure runs on linux .

1 more reply

ceejayoz8y ago

Valmar8y ago

Spectre v2 affects AMD less drastically than it does with Intel, because of the architectural differences between Zen and Intel's processors.

HugoDaniel8y ago

So much for the embargo period. I guess the bsd people were not so wrong after all. They might as well just had published it as soon as it was found.

Valmar8y ago

tallanvor8y ago

By my reading of the article, Microsoft is disabling some mitigations for Spectre due to instabilities that Intel's microcode update have been causing.

Intel certainly isn't making any friends these days...

hishnash8y ago

I would love to see the message log between MS Apple and Intel on this.

1 more reply

notspanishflu8y ago

It is not only Microsoft reverting this patch. HP, Dell or Red Hat are doing that as well.

https://www.bleepingcomputer.com/news/microsoft/microsoft-is...

mosselman8y ago

So what can I do for my next self-built pc? Get some AMD equipment, or is that not enough?

hishnash8y ago

AMD have released patches (to reduce the near-zero risk of exploit to 0 risk) and they are not having any instability issues! so yes go with AMD

for server, Epyic is now finally available to purchase for desktop workstation Threadripper for desktop RyZen

for mobile... not many newer cpus out yet.. need to wait :(

avtar8y ago

I'm eyeing Threadripper for my next build but beyond that I'm going to choose a motherboard vendor based on the level of support they offer in this scenario. Some observations that I'm making:

* Did they provide some estimates as to when users could expect patches?

ShroudedNight8y ago

For those in the market for an X399/TR4 motherboard, have you come to any conclusions?

1 more reply

ihsw28y ago

ageofwant8y ago

I'll be getting a few high-end Intel CPU's that will soon flood the market on the cheap for home machines running arch.

chrisper8y ago

Depends on what you are building it for.

mosselman8y ago

1 more reply

megaman228y ago

dimmuborgir8y ago

Creators Updates (1703 / 1709) are the culprits. LTSB (1607) has not been upgraded to Creators Update yet and it runs like butter.

nippples8y ago

Gee, if only they had a Linus Torvalds type around to block irresponsible commits.

duncan_bayne8y ago

They did, once upon a time, after a fashion:

https://www.joelonsoftware.com/2006/06/16/my-first-billg-rev...

https://www.wired.com/2002/01/bill-gates-trustworthy-computi...

kyberias8y ago

I had to read that billg-review thing one more time. It's such a wonderful story.

mtgx8y ago

Didn't Torvalds already accept Intel's "garbage" Linux kernel patches?

icebraining8y ago

I don't think so, they're still under discussion on LKML, including an alternative proposal by Ingo Molnar.

bonzini8y ago

Nah, it's just the well-known issue with the microcode being buggy. There's nothing new really.

ksk8y ago

Microcode is not reviewed by anyone outside of Intel.

Thimothy8y ago

I never got them. The last update in my windows is from Dec 2017. My antivirus is compliant, the registry key correctly set up and yet it refuses to update.

I still haven't had the time to debug it, but I wonder how many people are out there with their OS silently refusing to update.

epistasis8y ago

whywhywhywhy8y ago

Maybe I just got lucky with the right combination of hardware.

speedie8y ago

So , Linus was right for cursing at Intel ?

akerro8y ago

UTTER GARBAGE

dang8y ago

Please don't.

https://news.ycombinator.com/newsguidelines.html

2 more replies

speedie8y ago

Sry , my cognitive abilities have been at real low of lately . Took me a while to comprehend your comment. Spot on m8 ;)

ohiovr8y ago

quiq8y ago

Remember to use backups!

ohiovr8y ago

My brother did have major data loss. And no real backup strategy.

shultays8y ago

Amount of fuck-up in this whole issue is mind blowing. I am getting more surprised with every new I get

dotdi8y ago

DominikD8y ago

And then another developer kindly explained why he's wrong. It's fun to listen to Linus' rants, sure, but he's not always correct.

1 more reply

watwut8y ago

Those were not delivered fixes, that was work in progress that is still work in progress. And the dude who was "called out" works for Amazon.

2 more replies

mtgx8y ago

But wait, there's more!

https://www.techrepublic.com/article/03175c88-5c9b-4ccd-ac62...

534b44a8y ago

2 more replies

imglorp8y ago

I wonder how much all this cleanup will cost in hours, downstream, for all the installed users? Judging by all the grief on this thread it's substantial.

bartl8y ago

>Intel, AMD and Apple face class action lawsuits over the Spectre and Meltdown vulnerabilities.

I sure hope Intel will face a class action suit over this botched update. Many professionals have wasted countless hours dealing with this junk.

cjsuk8y ago

Not what I wanted to wake up to this morning. I suspect we’re in for a rough ride for a long time thanks to this mess.

kzrdude8y ago

Your comment is even more fitting today (politics)

chrisper8y ago

Just checked for Updates, but there don't seem to be any?

taspeotis8y ago

“If you are running an impacted device, this update can be applied by downloading it from the Microsoft Update Catalog website”

https://support.microsoft.com/en-us/help/4078130/update-to-d...

chrisper8y ago

Thanks

thg8y ago

https://support.microsoft.com/en-us/help/4072699/january-3-2...

morsch8y ago

Bizarre.

Customers without Antivirus

In cases where customers can’t install or run antivirus software, Microsoft recommends manually setting the registry key as described below in order to receive the January 2018 security updates.

3 more replies

Santosh838y ago

Microsoft won't supply updates even if you have no AV installed, including builtin Defender disabled??

I thought stopping updates was only for the case of unpatched AVs that did not set the registry key...

2 more replies

mm-vorticesoft8y ago

Linus was right

anfilt8y ago

Well he is known for calling a spade a spade. No matter how blunt that may be.

cat1998y ago

except for when he is wrong.

Why he gets a pass for being the 'nice guy' and DeRaadt gets the bad rep is still a mystery to me

cm21878y ago

I thought he was angry about the mitigation being disabled by default, not being unstable.

icebraining8y ago

1 more reply

sundarurfriend8y ago

byte19188y ago

Aren't we talking about two different things? Linux vs Windows kernel?

cbcoutinho8y ago

OP is probably referencing the 'bullshit patches from Intel' comment from Linus about the patches they were sent, and that Microsoft might have been sent similar obfuscatory patches.

pjmlp8y ago

Given that the patches are CPU micro-code delivered by OS drivers, AFAIK, the actual OS won't make much difference.

topspin8y ago

"Decades old trap/fault software is being replaced by 10-20 operating systems, and there are going to be mistakes made."

- Theo de Raadt

richardwhiuk8y ago

Linus was talking about Linux patches, not these microcode patches. They've been known broken for at least a week

mehrdadn8y ago

About what? Would you have a link?

bmon8y ago

Linus Torvalds: “Somebody is pushing complete garbage for unclear reasons.” http://lkml.iu.edu/hypermail/linux/kernel/1801.2/04628.html

1 more reply

gsich8y ago

Like always.

Valmar8y ago

He generally is. His rants are almost always spot-on and pure gold. :)

emptyfile8y ago

What are you talking about?

debt8y ago

I mean, is this an unmitigated disaster on Intel's part? It's like a train wreck in slow motion.

A part of me feels this stories like this are going to keep getting worse until Spectre is finally used in the wild.

dsign8y ago

What a mess!

hi418y ago

What does the Spectre bug mean for a person planning to buy a new windows computer? Should I buy an AMD CPU based computer instead of an Intel based computer?

Roritharr8y ago

I'm pretty sure these patches were responsible for my notebook crashing everytime i hooked it up to our Thunderbolt 3 Dockingstations.

kuon8y ago

Anybody know what is the status of FreeBSD? I googled a bit and found nothing except "we wait", is it still the case?

mehrdadn8y ago

Anyone know if people who had disabled the mitigations via FeatureSettingsOverride = 3 were still affected?

mark_l_watson8y ago

joemaller18y ago

Even more accurate: Microsoft joins HP, Dell, Lenovo, VMware and Red Hat in disabling Intel's buggy Spectre patch.

> HP, Dell, Lenovo, VMware, Red Hat and others had paused the patches and now Microsoft has done the same.

giancarlostoro8y ago

segmondy8y ago

Intel doesn't care. What choice do we have?

4 more replies

dang8y ago

Thanks. We've edited the title above.

rootw0rm8y ago

IanSanders8y ago

Meanwhile Intel stock is at 5 year highest

j / k navigate · click thread line to collapse