RedHat reverts patches to mitigate Spectre Variant 2
CVE-2017-5715 (variant 2), also known as Spectre, as most people know by now is a serious problem affecting a large number of computers across the world.
RedHat previously released patches to mitigate this issue, however, in a rather controversial move, has decided to roll back these changes after complaints about systems failing to boot with the new patches, and instead is now recommending that, "subscribers contact their CPU OEM vendor to download the latest microcode/firmware for their processor."
Many people have taken to saying that Redhat has, “Washed their hands†of the problem, dumping it onto the responsibility of others to handle instead.
The full statement about the recommendation can be found here; it says
Red Hat Security is currently recommending that subscribers contact their CPU OEM vendor to download the latest microcode/firmware for their processor.
The latest microcode_ctl and linux-firmware packages from Red Hat do not include resolutions to the CVE-2017-5715 (variant 2) exploit. Red Hat is no longer providing microcode to address Spectre, variant 2, due to instabilities introduced that are causing customer systems not to boot.
The latest microcode_ctl and linux-firmware packages are reverting these unstable microprocessor firmware changes to versions that were known to be stable and well tested, released before the Spectre/Meltdown embargo lift date on Jan 3rd. Customers are advised to contact their silicon vendor to get the latest microcode for their particular processor.
This means that virtually every person running Redhat, CentOS, or others such as Scientific Linux that are based on Redhat, now are left without a means to mitigate Spectre Variant 2, unless they contact their hardware manufacturers on a case-by-case basis, which could cause a massive shift of people/companies to potentially move their servers to a different OS in the future.
Granted, many may do as recommended as well, only time will tell, but the move has left a slightly sour taste among many users throughout the community.
According to the Redhat Linux homepage, they are the “The world’s leading enterprise Linux platform,†so knowing that they have the most significant market share out of the primary enterprise distributions, means that potentially millions of customers are now being left to handle the situation themselves.
Now you: What is your opinion on the move by Redhat to leave their paying subscribers to fend for themselves on this one? Are you a Redhat user, and if so, will you be staying and fixing it yourself, or will you take other measures? Let us know in the comments!
Hi
At the moment are there patches in safe for spectre or not ? (linux redhat intel) , from what i see.. no.. thanx
Intel tells customers to stop using its faulty Spectre patch
https://www.engadget.com/2018/01/22/intel-spectre-patch-reboots/
if it’s borking certain cpus only, then why rollback for those that are not borked too? (albeit slowed)
Apparently Ubuntu is now doing the same thing. In my Linux Mint system I’m seeing an available update for Intel microcode that is one version back.
I think RedHat just gave all the other distros the excuse they needed.
RedHat made the correct decision. Their customers are vulnerable, yes, but their servers are running. Microsoft quickly delivers an “patch”, kill servers everywhere and you can complain or cry on their support forums, nobody will care about your money losses. Sometimes you need to choose the less destructive option, after you take the optimal solution. And using Linux you are totally free to search the microcode and kill your server (or not).
RedHat made the correct decision. Their customers are vulnerable, yes, but their servers are running. Microsoft quickly delivers an “patch”, kill servers everywhere and you can complain or cry on their support forums, nobody will care about your money losses. Sometimes you need to choose the less destructive option, after you take the optimal solution. And using Linux you are totally free to search the microcode and kill your server (or not).
>Are you a Redhat user, and if so, will you be staying and fixing it yourself, or will you take other measures?
Yes, I’m a Red Hat user. Yes, I’m staying on this platform. No, I’m not try to fix by myself.
The update BROKE several machines with type 79 CPUs. That is why the update was reversed. It had nothing to do with washing hands.
The vulnerabilities were created by Intel and somewhat AMD and ARM. Microsoft had their proboscis in there too – they have a lot of influence on what the silicon design can do for them. Intel is on 80-90% of all systems.
Redhat is right in telling their paying customers that they will respond with a software fix to protect the OS when and where applicable, but the silicon is not their responsibility. The client probably got their hardware from an OEM. The OEM bought into what the chip makers offered.
The paying clients will be swinging wildly and randomly at any and every vendor associated with their computing.systems. Their massive investments in these products front end their business. Redhat is merely directing the client’s fire in the right direction.
“Microsoft had their proboscis in there too”
That’s a fantastic line! :)
Until someone finds a working, widespread exploit using this vulnerability then I’m perfectly happy to remain unpatched thank you very much.
Meltdown/Spectre windows malware already exist. Google Smoke loader malware.
Smoke Loader is just run of the mill Russian malware, ironically it is being pushed right now by FAKE Spectre and Meltdown patches. There is NO current widespread exploit for these vulnerabilities.
Is all overblown… For a regular user like me, that is still on the good but old Xp, I’m vulnerable to everything but I buy a lot online, take good backups, check pc very good, ect. and still I have to find one virus, malware,… in this 17 years. What I know of Spectre and the other one is that a hacker can see your passwords or protected files but I have no protected files and when I’m doing online banking than I have here in Belgium an offline device where I need to put my card in and that generates a password for logging in. Oke, I have a password safe also but I’m not to concerned because I need first have a malware of something on the pc that can exploit it or I need to have a breach when I’m surfing the net but with NoScript and other measures I think that it is also doable for now to protect me enough…
I think the same.
These ‘vulnerablities’ has been around since about 1995 (according to a Swedish IT-site for corporations) so they aren’t really new. They call them bugs, but i think they are there because of NSA (american spy org) asked to have them. Now someone suddenly ‘found’ them…and the world go nuts !
Everything important i have are on external drives that only are in use when offline when i need these files.
not a big deal for intel. just make or use a intel-ucode.img from other sources(arch has one prebuilt) and update boot entry. I use it with android-x86 too.
Is it possible to encrypt everything? so even if CPU got exploited by meltdown/spectre malwares, all a hacker will see is encrypted stuff.
—
Linux is still much more safer option cuz on Windows, any hacker can disable meltdown/spectre patches with simple registry hacks.
@ Dark
Really, Linux is still so much more safer option than Windows.
Might need to look at that list of Security Vulnerabilities.
https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-32238/Microsoft-Windows-10.html
https://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/cvssscoremin-7/cvssscoremax-7.99/Linux-Linux-Kernel.html
Knowing this Dark, how is Linux so much more safer option that Windows??
Not mention that you’re using port 80, port 443, or port 53. Please explain how much better Linux is Windows OS. The Only OS that is safe is the OS that is not connected to the internet.
>Knowing this Dark, how is Linux so much more safer option that Windows??
It is.
Watch this video regarding cve’s: http://www.youtube.com/watch?v=HHEf5McLFNg
The reason i said Linux is much more safer option cuz the chances of you getting malwares taking advantage of meltdown/spectre is very low where as on Windows it is very high. Another reason Linux is much more safe cuz if you don’t run programs as root/sudo, chances are its not possible or very hard to exploit meltdown/spectre vulnerabilities anyway. Linux doesn’t run as root by default and requires user to enter password to make changes unlike Windows so yeah much more safer than Windows.
Keep Linux fully updated including browsers and kernel and you should have no problems.
Also avoid using closed source stuff as much as possible since you can’t audit the source code therefore can’t be sure how vulnerable it is nor can be sure closed source dev’s wont take advantage of you namely using meltdown/spectre vulnerabilities.
Linux isn’t really more secure than Windows. It’s really more a matter of scope than anything. No matter what malware, exploits, and bad users exist EVERYWHERE. One being more secure than the other is nothing more than anecdotal evidence.
Malware exists for *nix, Mac, Windows, Android, iOS, Symbian, Xbox(yes), hard drives, and bios.
The day will come with your linux box is running and someone login and steals your passwords, banking information, and your SSN. Oh but wait you said it’s safer, that can’t happen !!
Keep telling yourself that, how much “SAFER” it is till then !!
No operating system is more secure than any other, the difference is in the number of attacks and scope of attacks. As a point you should look at the number of Malware for Linux and for Windows. You’ll see a trend in that Windows has FAR more viruses for it than Linux does and that’s purely because it’s more lucrative to hack for Windows since you have a greater chance of getting the thing you want. For all we know there might be a critical flaw in Linux that would open the world to pain if discovered. It hasn’t been yet, but it could be there.
Every OS is equally secure in the hands of a competent administrator”. For a more detailed answer, you’ll need to think about things like: what programs are running? What is your patch process? End-user or server? What kind of network infrastructure is it running in? Are you include in your statistics that your average Linux user tends to be more tech-savy than your average Windows user (and therefore less likely to download and run suspicious files)
You Said – The reason i said Linux is much more safer option cuz the chances of you getting malwares. Is that the reason why linux has put clamav on your safe OS??
Don’t answer that one, we both know that one!!
https://www.linux.com/learn/intro-to-linux/2017/9/security-tools-check-viruses-and-malware-Linux
Now your using port 80 or port 443 that’s firefox if you didn’t know!!
So hilarious, You wanted me to click on a video that’s not even in https. You failed to miss the point, thanks for showing what you don’t know.
Lets see where do we start. Lets start here with this update.
https://packetstormsecurity.com/files/146019/Ubuntu-Security-Notice-USN-3541-2.html
A local attacker could use this to expose sensitive information, including kernel memory.
> Sensitive Information What like your passwords Dark??
Yep so much a safer option, for you!!
https://packetstormsecurity.com/files/146029/Ubuntu-Security-Notice-USN-3543-2.html
An attacker could possibly use this to cause a denial of service or execute arbitrary code.
List goes on and on, so your point is not valid in thinking that your Linux OS is a safer option!!
Not mention that you’re using port 80, port 443, or port 53.
The Only OS that is safe is the OS that is not connected to the internet.
You failed to explain how much more safer your linux OS using port 80, port 443 or port 53.
You said – Keep Linux fully updated including browsers and kernel and you should have no problems.
Does your brower use some magic port number other than port 80 or port 443 by default??
RedHat did the right thing. It’s Intel/AMD’s fault. They should fix the problem.
@ Malte
Yes, agree. It’s Intel’s fault.
Intel likely rush-released a buggy microcode update for Spectre 2 in Dec 2017. Unknowingly, Red Hat Inc trusted Intel for the microcode update and in turn released the Intel microcode update to their customers running Red Hat Enterprise Linux. Bam.! … Some of the customers got hit by Intel’s buggy microcode update.
Seems, Intel, M$ and other tech companies may have been resorting to buggy updates to brick people’s computers = the people have to buy new computers = more profit$ for M$ and gang.
Very bad move from Redhat. Has Redhat grown too big and is it behaving like other large and sometimes arrogant corporations? Sure seems like it. Only time will tell if they will pay a price for this stunt. Personally I’ve dumped Redhat over 10 years ago but for reasons other that this.
wow, redhat is pulling a microsoft