Attention B2B Marketers: Access 30 Million IT Decision Makers with a Custom Lead Generation Program Click to Learn More!
Welcome Guest | Sign In

FOSS Community Struggles to Patch Against Spectre, Meltdown Flaws

By David Jones LinuxInsider ECT News Network
Jan 13, 2018 11:00 AM PT

Many in the open source community worked feverishly this week to respond to heightened fears that software updates to fix the Spectre and Meltdown vulnerabilities would put millions of computers at risk of slowdowns or even total disability.

Updated kernels were released for mitigation of Meltdown variant 3, or CVE-2017-5754, for X86-64 architecture, Dean Henrichsmeyer, vice president of cloud engineering at Canonical, which provides commercial support for Ubuntu, said Friday in an online post.

Optimized kernels based on 12.04 ESM Precise, 14.04 ESM Trusty, 16.04 LTS Xenial and 17.10 Artful were released, he said, along with linux-aws, linux-azure, linux-gcp and hardware enablement kernels.

Updated cloud images have been published, and reduced performance has been observed in tests of Meltdown mitigations, Henrichsmeyer said.

Ubuntu Zesty 17.04 reaches end of life on Saturday, so there will be no upgrades to kernel 4.10 to mitigate Meltdown or Spectre, and users will need to upgrade.

Precise 12.04 LTS has ended, so only users with Extended Security Maintenance for Precise will receive extended kernels.

The focus has shifted to mitigation of CVE-2017-5753 and CVE-2017-5715, which are Spectre variants 1 and 2, Henrichsmeyer noted. Microcode has been released for Intel processors, and kernel updates will begin on Monday. Updates of v4.13 for Artful 17.10 and 16.04 will soon follow.

"The issue impacted only a small number of systems running the 4.4. kernel," said Canonical spokesperson Sarah Dickinson.

"This was noticed immediately," she told LinuxInsider, "and within a couple of hours a replacement was posted with the fixed kernel."

Hats On

"Security updates are always of great interest to Red Hat customers, and our subscribers have been very engaged with our support and field personnel throughout the progression of the incident," said Christopher Robinson, manager of product security assurance at Red Hat.

Red Hat's customers deploy its products in many different environments, he told LinuxInsider.

The company is responding to all questions posed to it, and it is investigating reported problems just as it would with any new product release, Robinson said.

Suse has been keeping customers up to date through its blog, according to spokesperson Kevan Barney.

Suse engineers have been working with partners and the Linux community on upstream kernel patches and have released patches for Suse Linux Enterprise, Matthias Eckermann, director of product management, wrote earlier this month in an online post.

Additional patches for SLE versions and environments would be forthcoming, he said.

Troubling Signs

The Canonical issue affects some system combinations, but it is not as severe as the potential impact of the Microsoft and AMD problem, said Mark Nunnikhoven, vice president, cloud security at TrendMicro.

Microsoft updates have bricked a number of AMD systems, making them unbootable, he told LinuxInsider, and the companies have been pointing fingers at each other.

There could be some problems down the road, Nunnikhoven said, warning that a few "proof of concept" code samples have been published, and that "it's only a matter of time before we see this technique used in a real world campaign by a cybercriminal."

All operating systems are affected by Spectre and Meltdown, said Paul Teich, principal analyst at Tirias Research.

That's because the vulnerabilities are not really an operating system issue, but rather the result of choices made during chip design, he told LinuxInsider.

All of the fixes have OS kernel components, and some of the fixes are combined with processor microcode updates in addition to kernel updates.

"Linux is a special case in the OS world," Teich said, "because kernel fixes are shared among various OS distributions, unlike Microsoft Windows Server, Azure and other OS cloud variants. There will be some missteps in favor of speed, but they will be small road bumps."

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.

Facebook Twitter LinkedIn Google+ RSS
How do you feel about accidents that occur when self-driving vehicles are being tested?
Self-driving vehicles should be banned -- one death is one too many.
Autonomous vehicles could save thousands of lives -- the tests should continue.
Companies with bad safety records should have to stop testing.
Accidents happen -- we should investigate and learn from them.
The tests are pointless -- most people will never trust software and sensors.
Most injuries and fatalities in self-driving auto tests are due to human error.