Showing posts with label ARM. Show all posts

November 21, 2018

Microsoft's ongoing struggles with QA and Edge

After a terrible month of QA issues with Windows 10's 1809 update, and following revelations that those issues aren't actually over yet, even after 1809's re-release, comes news that Microsoft's other flagship product has similar issues. As reported by betanews:
Microsoft's update procedure for Windows 10 has been a little, er, wobbly of late. The Windows 10 October 2018 Update proved so problematic that it had to be pulled, and even the re-released version is far from perfect.
Now it seems the cancer is spreading to Office. Having released a series of updates for Office 2010, 2013 and 2016 as part of this month's Patch Tuesday, Microsoft has now pulled two of them and advised sysadmins to uninstall the updates if they have already been installed.
In both instances -- KB4461522 and KB2863821 -- Microsoft says that the problematic updates can lead to application crashes. While this is not as serious a problem as, say, data loss, it does little to quieten the fears that have been voiced about the quality control Microsoft has over its updates.
So, the bad news is that Microsoft's attempts to reassure consumers and Enterprise customers that their quality assurance procedures really are up to the challenge of delivering software-as-a-service seem to be failing. What's the good news?

Apparently, the good news is that Edge has failed so hard that Microsoft is now collaborating with Google and Qualcomm to bring the Chrome browser to Windows 10's ARM version. Yes, really.

May 06, 2018

Still melting down

Back when Meltdown and Spectre were first making headlines, the word was that Meltdown was more serious but also easier to fix, while Spectre would be haunting us for a long, long time (hence the name). But not only is Meltdown proving more pernicious than first thought, there are more Meltdown-like vulnerabilities in Intel's chips. Yikes.

First, from Bleeping Computer:
Microsoft's patches for the Meltdown vulnerability have had a fatal flaw all these past months, according to Alex Ionescu, a security researcher with cyber-security firm Crowdstrike.
Only patches for Windows 10 versions were affected, the researcher wrote today in a tweet. Microsoft quietly fixed the issue on Windows 10 Redstone 4 (v1803), also known as the April 2018 Update, released on Monday.
Back-ported patches are apparently in the works, but no ETA yet from Microsoft. So, that's the bad news. Ready for the worse news?

From Reuters:
Researchers have found eight new flaws in computer central processing units that resemble the Meltdown and Spectre bugs revealed in January, a German computing magazine reported on Thursday.
The magazine, called c’t, said it was aware of Intel Corp’s plans to patch the flaws, adding that some chips designed by ARM Holdings, a unit of Japan’s Softbank, might be affected, while work was continuing to establish whether Advanced Micro Devices chips were vulnerable.
[...]
C’t did not name its sources because researchers were working under so-called responsible disclosure, in which they inform companies and agree to delay publishing their findings until a patch can be found.
The magazine said Google Project Zero, one of the original collective that exposed Meltdown and Spectre in January, had found one of the flaws and that a 90-day embargo on going public with its findings would end on May 7.
Once again, it's looking like a pretty good day to be a W7-using AMD fan.

January 04, 2018

Google to the rescue!

First, Google's Project Zero researchers found the CPU-level security vulnerabilities known as Meltdown and Spectre. Now, they've found the cure... or, at least, a more efficient workaround, as reported in The Verge:
Google just gave chipmakers some much needed good news. In a post on the company’s Online Security Blog, two Google engineers described a novel chip-level patch that has been deployed across the company’s entire infrastructure, resulting in only minor declines in performance in most cases. The company has also posted details of the new technique, called Retpoline, in the hopes that other companies will be able to follow the same technique. If the claims hold, it would mean Intel and others have avoided the catastrophic slowdowns that many had predicted.
“There has been speculation that the deployment of KPTI causes significant performance slowdowns,” the post reads, referring to the company’s “Kernel Page Table Isolation” technique. “Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.”
[...]
That assessment is consistent with early reports from Intel, which had said slowdowns would be “highly workload-dependent and, for the average computer user, should not be significant.” Those claims were met with skepticism, with many seeing them as an effort by Intel to downplay the impact of the newly public vulnerabilities. At the same time, some early benchmarks saw slowdowns as high as 17 percent.
More recently, Intel announced it had deployed patches that would render chips immune to the new attacks, and restated that the performance impact was not significant. It’s difficult to confirm Google and Intel’s claims until the patches are deployed, but it’s significant that Google has joined the chipmaker in reporting minimal slowdowns.
As someone who met Intel's early minimal-impact claims with skepticism, I can honestly say to all Core i5 users that I'm glad to learn that the picture is looking less grim than first thought. I'm still glad to be an AMD man, though, and even more glad that Google were awake at the switch for this one. People give Google a lot of grief for sometimes acting like they've forgotten their original mission statement, but this, folks, is what they meant by "don't be evil." Not only were they not evil, they used their powers for good, and are extending help to anyone who needs it, for free.

Intel, meanwhile, is claiming to have finished patches for 90% of their products released in the past five years, which sounds a little weaksauce considering that Meltdown affects Intel products released in the last ten years, much like the firmware issue that was reported a few months ago. And there's also the small matter of Intel, who were notified about Meltdown and Spectre back in June, being led by a CEO who sold off a bunch of stock in October, before either flaw became public knowledge, as reported by MP1st, among others:
Suspiciously, Intel CEO Brian Krzanich sold off $24 million worth of stock late last year before the vulnerabilities became public knowledge. An Intel spokesperson said the stock trade was “unrelated” despite Intel knowing about the issue for five months.
Oops! I predict that the SEC will be investigating that piece of business.

Intel's stock price has, naturally, dropped as a result of all this news, while AMD's has risen, but I suspect that Intel's problems over these problems are only beginning.

UPDATE:

One minor correction: While Jann Horn at Google Project Zero (GOOGL.O) came to similar conclusions independently, it looks like credit for discovering Meltdown actually goes to an independent researcher named Daniel Gruss, whose feat of security research is described in this article by The Verge:
The 31-year-old information security researcher and post-doctoral fellow at Austria’s Graz Technical University had just breached the inner sanctum of his computer’s central processing unit (CPU) and stolen secrets from it.
Until that moment, Gruss and colleagues Moritz Lipp and Michael Schwarz had thought such an attack on the processor’s ‘kernel’ memory, which is meant to be inaccessible to users, was only theoretically possible.

“When I saw my private website addresses from Firefox being dumped by the tool I wrote, I was really shocked,” Gruss told Reuters in an email interview, describing how he had unlocked personal data that should be secured.
Gruss, Lipp and Schwarz, working from their homes on a weekend in early December, messaged each other furiously to verify the result.
“We sat for hours in disbelief until we eliminated any possibility that this result was wrong,” said Gruss, whose mind kept racing even after powering down his computer, so he barely caught a wink of sleep.
Gruss and his colleagues had just confirmed the existence of what he regards as “one of the worst CPU bugs ever found”.
Damn, Daniel! (Sorry, I couldn't resist.) Seriously, though, congratulations to Mr. Gruss for some solid detective work.

UPDATE #2:

Cue the lawsuits! As reported by Gizmodo:
It’s been just two days since The Register first reported that all Intel x86-64x processors were subject to a severe security vulnerability, and already Intel has been hit with at least three separate class action lawsuits related to the vulnerability.
The Register first reported the news on January 2nd, noting that the solution to fixing the vulnerability could result in slowdown of the affected computers. Intel has since claimed that any performance penalties would be negligible, and today Google, which has implemented a fix on its affected servers (which host its cloud services, including Gmail) wrote that, “On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.”
Plaintiffs in three different states disagree. As Law.com first noted, a class action complaint was filed January 3rd in United States District Court for the Northern District of California. Since then Gizmodo has found two additional class action complaints filed today (just eleven minutes apart)—one in the District of Oregon and another in the Southern District of Indiana.
All three complaints cite the security vulnerability as well as Intel’s failure to disclose it in a timely fashion.
That's some fast work, and I have a feeling that there are more to come.

January 03, 2018

Meltdown and Spectre - much less sexy than the James Bond movies they sound like.

Yesterday, The Reg reported that Intel CPUs going back ten years had a fundamental design flaw which compromised the security of users. At the time, it looked like only Intel chips were affected, but Intel has been quick to claim that AMD and ARM chips have the flaw, too.

Here's the thing about that, funny story... it's actually not true. Not Pants On Fire, mind you, but still Mostly False, or at best Half True, according to this report from Gizmodo:
Originally, the Register reported, only Intel processors (which dominate the U.S. market) were believed to be subject to the flaw. But it’s become clear that a wide range of processor types could be affected, with Google writing that AMD, ARM, and other devices were also vulnerable—though only partially and with less performance impact following a fix than Intel-based devices.
In a statement to Gizmodo, AMD said that of the three attack variants, one was easily resolved with “negligible performance impact,” while the others have “near zero risk” or “zero risk” due to “architecture differences.”
ARM told Gizmodo that it has been working “together with Intel and AMD to address a side-channel analysis method which exploits speculative execution techniques used in certain high-end processors, including some of our Cortex-A processors. This is not an architectural flaw; this method only works if a certain type of malicious code is already running on a device and could at worst result in small pieces of data being accessed from privileged memory.”
I don't believe Intel's spin on this one; there is currently no evidence that AMD and ARM have anywhere near the same kind of fundamental design issues that Intel have with this, and users of AMD and ARM products will not see the same kind of slowdown post-patch as Core i5 users. Sure, AMD (and ARM) are also engaged in a little PR over this development, but right now, I'm inclined to trust them a lot more than I trust Intel, for whom this is the second such wide-reaching security problem that comes built right in to their Core i5 product line. 

Right now, it looks like AMD and ARM are acting from an abundance of caution, here (better safe than sorry, right?), and not trying to "work the refs" in advance of the inevitable flood of class action lawsuits by which Intel will shortly be besieged. So, yeah... I'm still glad to be an AMD man, at least for one more day.

November 24, 2017

Windows 10 runs terribly on ARM

I hope Microsoft wasn't banking too heavily on Windows 10 on ARM competing with cheaper Chromebooks, because it's probably not in the cards. The performance simply isn't there, according to this article on SlashGear:
When it announced its Windows 10 on ARM, specifically on Snapdragon 835, thrust late last year, Microsoft emphasized power efficiency as the primary selling point. What it might not have disclosed is that those savings in battery life might come at the cost of a significant hit in performance. [...] Sadly, this Windows 10 on ARM sighting might be the worst we’ve seen so far.
This isn’t a case of Windows 10 on ARM vs Windows 10 on x86. It is, after all, arguable that a quad-core Intel Core i7, even a fanless one, could outperform an octa-core Qualcomm Snapdragon 835 under certain conditions. No, this is a case of Windows 10 on ARM versus, say, Android on ARM, running on the exact same chipset and closely similar hardware.
An Android device running on a Snapdragon 835 averages 2,200 on single-core and 7,700 on multi-core tests on Geekbench. Last week’s mysterious “Qualcomm CLS” device scored 1,202 and 4,263 on those same scores. This ASUSTeK TP370QL, in comparison, yields an embarrassing 889 in single-core performance and 3,174 in multi-core at its highest.
[...]
At this point, it isn’t clear where Microsoft wants to take Windows 10 on ARM anyway. It has all but lost interest in the mobile market, as far as pushing Windows 10 itself goes, and might be eyeing a very niche market for Windows 10 on Snapdragon-powered tablets, possibly for industry use. But with benchmark scores like that, it might be dead on arrival.
Ouch.

Intel wasn't at all happy about Windows 10 on ARM, which they saw as infringement of their x86 patents, but if these benchmarks are anything to go by, Intel needn't worry too much, since nobody will be buying ARM-based Windows 10 machines anytime soon. Whether they start buying x86-based Windows 10 machines again is still anyone's guess (although I still guess that they won't, because Moore's Law isn't a thing anymore).