ECommerceTimes.com

FOSS Community Struggles to Patch Against Spectre, Meltdown Flaws

By David Jones LinuxInsider ECT News Network
Jan 13, 2018 11:00 AM PT

Many in the open source community worked feverishly this week to respond to heightened fears that the software updates meant to fix the Spectre and Meltdown vulnerabilities would leave millions of computers slower, or in the worst case unable to boot.

Updated kernels mitigating Meltdown, also known as variant 3 or CVE-2017-5754, were released for the x86-64 architecture, Dean Henrichsmeyer, vice president of cloud engineering at Canonical, which provides commercial support for Ubuntu, said Friday in an online post.

Updated kernels were released for 12.04 ESM Precise, 14.04 LTS Trusty, 16.04 LTS Xenial and 17.10 Artful, he said, along with the linux-aws, linux-azure, linux-gcp and hardware enablement kernels.

Updated cloud images have been published, and Canonical's own testing of the Meltdown mitigations has shown reduced performance, Henrichsmeyer said.

Ubuntu Zesty 17.04 reaches end of life on Saturday, so its 4.10 kernel will receive no update to mitigate Meltdown or Spectre; users of that release will need to upgrade to a supported release.

Standard support for Precise 12.04 LTS has already ended, so only users with Extended Security Maintenance for Precise will receive the updated kernels.

The focus has shifted to mitigation of CVE-2017-5753 and CVE-2017-5715, Spectre variants 1 and 2, Henrichsmeyer noted. Microcode has been released for Intel processors, and kernel updates will begin on Monday. Updates for the 4.13 kernel used by Artful 17.10 and by the 16.04 hardware enablement stack will follow soon after.

"The issue impacted only a small number of systems running the 4.4 kernel," said Canonical spokesperson Sarah Dickinson.

"This was noticed immediately," she told LinuxInsider, "and within a couple of hours a replacement was posted with the fixed kernel."

Hats On

"Security updates are always of great interest to Red Hat customers, and our subscribers have been very engaged with our support and field personnel throughout the progression of the incident," said Christopher Robinson, manager of product security assurance at Red Hat.

Red Hat's customers deploy its products in many different environments, he told LinuxInsider.

The company is responding to all questions posed to it, and it is investigating reported problems just as it would with any new product release, Robinson said.

Suse has been keeping customers up to date through its blog, according to spokesperson Kevan Barney.

Suse engineers have been working with partners and the Linux community on upstream kernel patches and have released patches for Suse Linux Enterprise, Matthias Eckermann, director of product management, wrote earlier this month in an online post.

Additional patches for SLE versions and environments would be forthcoming, he said.

Troubling Signs

The Canonical issue affects some system combinations, but it is not as severe as the potential impact of the Microsoft and AMD problem, said Mark Nunnikhoven, vice president, cloud security at Trend Micro.

Microsoft updates have bricked a number of AMD systems, making them unbootable, he told LinuxInsider, and the companies have been pointing fingers at each other.

There could be some problems down the road, Nunnikhoven said, warning that a few "proof of concept" code samples have been published, and that "it's only a matter of time before we see this technique used in a real world campaign by a cybercriminal."

All operating systems are affected by Spectre and Meltdown, said Paul Teich, principal analyst at Tirias Research.

That's because the vulnerabilities are not really an operating system issue, but rather the result of choices made during chip design, he told LinuxInsider.

All of the fixes have OS kernel components, and some pair those kernel changes with processor microcode updates, so a system is fully mitigated only when both have been applied.

"Linux is a special case in the OS world," Teich said, "because kernel fixes are shared among various OS distributions, unlike Microsoft Windows Server, Azure and other OS cloud variants. There will be some missteps in favor of speed, but they will be small road bumps."
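Because the fixes described above (Meltdown page-table isolation in the kernel, Spectre v1 and v2 fixes split between the kernel and microcode) arrive piecemeal, a practitioner rolling these updates out wants a check that reports per-CVE status rather than trusting a package version. The script below is an added example, not code from the article, Canonical, Red Hat or SUSE. It reads the kernel's sysfs reporting files /sys/devices/system/cpu/vulnerabilities/{meltdown,spectre_v1,spectre_v2}, which appear in kernel 4.15 and in the distribution backports; the function names are hypothetical, and the sample directories it builds are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the article or any vendor): classify a Linux host's
# Meltdown/Spectre mitigation state from the kernel's sysfs reporting files.
# Function names are hypothetical; the paths, CVE numbers and status strings
# ("Mitigation: PTI", "Vulnerable", "Not affected") are the kernel's own.

# Prints one line per CVE: "<cve> <sysfs name> <MITIGATED|VULNERABLE|UNKNOWN>".
# UNKNOWN means the kernel does not expose the file at all, i.e. it predates
# the reporting interface and almost certainly predates the fix as well.
spectre_meltdown_status() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for pair in CVE-2017-5754:meltdown CVE-2017-5753:spectre_v1 CVE-2017-5715:spectre_v2; do
        cve="${pair%%:*}"
        name="${pair##*:}"
        file="$dir/$name"
        if [ ! -r "$file" ]; then
            printf '%s %s UNKNOWN\n' "$cve" "$name"
            continue
        fi
        text="$(cat "$file")"
        case "$text" in
            Mitigation:*|"Not affected") status=MITIGATED ;;
            Vulnerable*)                 status=VULNERABLE ;;
            *)                           status=UNKNOWN ;;
        esac
        printf '%s %s %s\n' "$cve" "$name" "$status"
    done
}

# Exit status 0 only if all three CVEs report MITIGATED; usable as a gate in
# a fleet inventory script or a CI job that checks build hosts.
spectre_meltdown_ok() {
    if spectre_meltdown_status "$1" | grep -qv ' MITIGATED$'; then
        return 1
    fi
    return 0
}

# Constructed sample trees (not captured from a real machine). "partial"
# mimics a kernel that carries the Meltdown page-table-isolation fix but not
# yet the Spectre fixes the article says are still rolling out; "patched"
# mimics a host with kernel and microcode both updated.
make_sample_dir() {
    d="$(mktemp -d)"
    case "$1" in
        partial)
            printf 'Mitigation: PTI\n' > "$d/meltdown"
            printf 'Vulnerable\n' > "$d/spectre_v1"
            printf 'Vulnerable\n' > "$d/spectre_v2"
            ;;
        patched)
            printf 'Mitigation: PTI\n' > "$d/meltdown"
            printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
            printf 'Mitigation: Full generic retpoline, IBPB\n' > "$d/spectre_v2"
            ;;
    esac
    printf '%s\n' "$d"
}

# Report on the running host. On a kernel older than the backports the sysfs
# directory is absent and every entry comes back UNKNOWN, which is itself the
# answer: that kernel has not been patched.
spectre_meltdown_status
```

On a kernel that predates the sysfs interface, the Meltdown fix alone can still be confirmed from the boot log line "Kernel/User page tables isolation: enabled" in dmesg, but that tells you nothing about Spectre, which is why the per-CVE files are the check worth scripting.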


David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.

