Discussion in 'Article Discussion' started by bit-tech, 11 Jul 2018.
Time to air-gap everything. This internet thing is maybe more trouble than it's worth.
Quick, look over there!
I wonder which modern OSs aren't affected? Also, if most are, would a microcode update not be a better idea than requiring most OSs to be updated - unless the patches for different OSs are basically the same?
Microcode updates require OEMs to care enough to release updated BIOS/UEFI with the updated microcode. You just need to look at the original round of spectre updates to see how relying on OEM updates pans out.
Updating at the microcode level is preferable, updating at the OS level is less grief in the long run and covers those OEMs who can't [or won't] provide an updated BIOS/UEFI.
Not necessarily: you can also load the microcode at boot time as a patch, which I'll grant you requires the operating system makers to test and release said microcode update themselves - but there are fewer operating system makers than OEMs.
For one vulnerability? Maybe.
But SPECTRE isn't just "a" vulnerability, it's a whole new class of vulnerabilities, so expect to see a lot more where this came from! You wouldn't expect a CPU to detect and avoid all possible buffer underrun vulnerabilities, you rely on the OS and software to be written to mitigate that avenue of vulnerability. You would not demand that CPUs eliminate buffers, as it would result in unacceptable performance regression. Likewise, you would not demand speculative execution be eliminated, but instead write software to avoid that vulnerability being used in practice.