Meltdown and Spectre Patches Bricking Ubuntu 16.04 Computers

An anonymous reader writes: Ubuntu Xenial 16.04 users who updated to receive the Meltdown and Spectre patches are reporting they are unable to boot their systems and have been forced to roll back to an earlier Linux kernel image. The issues were reported by a large number of users on the Ubuntu forums and Ubuntu's Launchpad bug tracker. Only Ubuntu users running the Xenial 16.04 series appear to be affected.

All users who reported issues said they were unable to boot after upgrading to Ubuntu 16.04 with kernel image 4.4.0-108. Canonical, the company behind Ubuntu OS, deployed Linux kernel image 4.4.0-108 as part of a security update for Ubuntu Xenial 16.04 users, yesterday, on January 9. According to Ubuntu Security Notice USN-3522-1 and an Ubuntu Wiki page, this was the update that delivered the Meltdown and Spectre patches.

Baby out with the bathwater

[Lab+Rat+Jason]

It seems that these companies (Microsoft and Ubuntu and others) are forgetting everything about sound software development practices here. They're in such a hurry to deploy patches that they aren't taking the time to fully test them. The cure is worse than the ailment.

Re:Baby out with the bathwater

[king+neckbeard]

To be fair, there is a major security flaw covering the majority of desktop CPUs sold over the last two decades. You are correct that they have not done proper testing, but this is on a ridiculous scale.

Re:Baby out with the bathwater

[110010001000]

When you are connected to the Internet (especially through the web) you have many users of your system. For example, any website you visit can run a Javascript program on your machine. With this flaw it can "break out" of your browser. What a mess.

Re:Baby out with the bathwater

[squiggleslash]

There are two bugs here:

Meltdown is Intel-only and requires the ability to run binaries on the victim's computer. If you can run binaries on the victim's computer, you probably already have enough access to do whatever it is you want to do that made you want to hack them in the first place. The extent to which Meltdown adds security issues is miniscule.

Spectre is cross platform and can be exploited with Javascript. With difficulty. But it can. Kinda. There's sorta a proof of concept out there. Which works with one JS engine. And doesn't extract any useful information. But in theory if you know the exact status of the user's browser and you're very lucky you might be able to extract some information from it that you wouldn't normally have access to.

So, what is the rush here? Especially with Meltdown?

The entire fucking industry has gone completely nuts. You'd think that we were back in the 1990s with no memory protection and ActiveX given the panic about this.

And before anyone goes "Yeah, but it's still a problem", so are kernel patches that brick computers. We're bricking computers, and slowing down the ones we don't brick, because we're panicking over this rather than doing this properly.

Re:Baby out with the bathwater

[chill]

Meltdown is Intel-only and requires the ability to run binaries on the victim's computer. If you can run binaries on the victim's computer, you probably already have enough access to do whatever it is you want to do that made you want to hack them in the first place. The extent to which Meltdown adds security issues is miniscule.

That isn't really accurate. Meltdown is potentially devastating for virtual machines and set-ups like shared hosting. Getting a VM slice on a much larger machine is where Meltdown scares cloud-deployed companies. Spin up a small VM, execute Meltdown exploit, and compromise who else is on that host. Ditto with a shared web host.

Re:Baby out with the bathwater

[thegarbz]

In a controlled environment or on a system that you already 0wn that would be a problem. However if I go to a website right now there's no reliable way of accessing a desired chunk of memory from another process without knowing where that memory is in the first place or without dumping absolutely everything and manually looking afterwards.

I.e. Yes javascript can read what it wants due to this bug, but good luck trying to get it to read what *you* want like the running encryption key.

This attack would work well for an NSA attempting to extract encryption keys style attack, but does bugger all for a script kiddie with a bit of javascript.

Bricked!!?!?! Oh wow!

"have been forced to roll back to an earlier Linux kernel image."

So, not actually bricked then...

WORDS MEAN THINGS!

Re:Bricked!!?!?! Oh wow!

[billyoc903]

Yeah, but who's going to click on a link that says "Ubuntu kernels rolled back to the one from the day before yesterday"? Do you know ANYTHING about social media marketing strategies? It's like you're not even trying.

Re:Bricked!!?!?! Oh wow!

[GameboyRMH]

I would say that if a software hack, or even a simple hardware hack with common tools can fix it, it's not bricked. If you have to get out a JTAG adapter, then it's bricked.

Re:Bricked!!?!?! Oh wow!

No when Microsoft did it, it was not bricking. Several people even pointed it out in the very comments of that Slashdot article.

On the other hand, you have selective memory or didn't even bother to check, because your are a Microsoft fanboi/shill.

It is *NOT* bricking!

[Qbertino]

Bricking is the equivalent of applying a killpoke. A software action that makes the hardware henceforth unusable.

This just screws up the kernel and requires you to set up a fresh one, perhaps reinstalling the core system. On Linux this is usually nothing more than a minor annoyance.

Again: it's not bricking. Bricking is when a software update or piece of code renders my smartphone not more useful than a brick and irreversibly so.

Stop using the word just because it's new and describes something significant. It doesn't make your news more interesting, it makes your news false.

Thank you.

Re:It is *NOT* bricking!

It's part of a larger Millennial Trend to make their stupid, worthless "contributions" seem much more impressive.

"literally" -> absolutely, positively NOT literally
"hacking" -> doing something differently, like putting avocado on toast
"crypto" -> some retarded cartoon-backed pseudo currency

Not everyone is affected/Nobody "Bricked"

[mykepredko]

Just saw the headline and panicked, checking my Linux systems (all running ubuntu 16.04 LTS) and did a quick check:

myke@mimeticsL01:~$ uname -a
Linux mimeticsL01 4.4.0-108-generic #131-Ubuntu SMP Sun Jan 7 14:34:49 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
myke@mimeticsL01:~$

I've never had a problem with Ubuntu updates (although I RFTA, it sounds like all Ubuntu users have an issue at one time or another). I suspect that the kernel update was tested before it was released so this updates affects some subset of the systems out there.

Like many other people, I was very concerned when i saw the headline saying the updated was "bricking" systems - whoever wrote the headline needs to have the term "bricking" explained to them (ideally with an actual brick).

In the future, msmash, you might want to be a bit less sensational in the headlines and make sure you understand if the terms used in it are correct.