Turns out the 85% number is quoted from the "Top 30 Targeted High Risk Vulnerabilities" published in 2015[1], which came from Public Safety Canada's "Top 4 Strategies to Mitigate Targeted Cyber Intrusions" also from 2015[2], which came from the Australian Signals Directorate's report "Top four mitigation strategies to protect your ICT system" from 2012[3], which says (emphasis mine):
"At least 85% of the intrusions that ASD responded to in 2011 involved adversaries using unsophisticated techniques that would have been mitigated by implementing the Top 4 mitigation strategies as a package."
A far cry from "as many as 85 percent of all targeted attacks" quoted from Intel in 2018.
Intel says the identified stability issues only affect Broadwell and Haswell while they also affect Skylake and IvyBridge.
The microcode updates are also made available to only very few channels and vendors. In turn, vendors are not making the updates available to customers. As an example, SuperMicro didn't release publically an updated BIOS.
So, one month after the end of the embargo, Intel is working very hard to ensure people cannot get properly protected.
For Linux, the microcode updates are also available at https://downloadcenter.intel.com/download/27337/Linux-Proces... or similar (oddly, that's the 20171117 version, I recall seeing the 20180108 version there earlier, but can't find it now; in any case, that newer version is still available at https://pagure.io/microcode_ctl). Distributions usually install that microcode update package so that it's activated early in the Linux kernel startup: if you see "microcode updated early to revision [...]" as the first line of your dmesg output, it's that mechanism doing its work.
Apparently the 20180108 version is faulty, so they rolled it back to 20171117. I have Manjaro on one of my laptops where the auto update mechanism keeps failing to complete the rollback because the installed version is newer. Good thing the only thing I use that for is to watch videos.
Luckly for you, the consensus from the kernel developers seems to be that these firmwares are only problematic if the new anti-Spectre features they expose to the kernel are actually used. The current upstream kernel doesn't use them, and the next upstream kernel will have a blacklist of the problematic firmware versions, so unless you distro patched the kernel to use these features without the blacklist, you should be safe.
I mean to be fair they might be releasing to these vendors and having them make sure everything still works as expected, which I imagine would take awhile.
I mean Intel is definitely not handling this well, just playing devils advocate here, they are not completely evil or insane actors.
Intel says, "Intel continues to work closely with industry partners to protect customers against the security exploits disclosed by Google Project Zero."
Linus Torvalds says, "They do literally insane things. They do things that do not make sense ... The patches do things that are not sane. WHAT THE F*CK IS GOING ON?"
It's strange they roll back these updates (microcode and BIOS updates) on all platforms. My HP Elitebook received a BIOS update after which the Microsoft powershell scripts reported the laptop as Patched (and working normally), then, last week a new BIOS update making the laptop vulnerable again.
I think that goes against the rules of marketing. It's more likely that they'll brand the fixes as something like Intel® Protected Speculation Technology™ (PST).
Haha, yeah. Checked up on the HP laptop referenced in another HN frontpage link, and the HP description on size used "thinness", not "thickness" which everybody on the planet would use, except marketers ;)
(not native English-speaker though, so happy to be corrected)
Turns out the 85% number is quoted from the "Top 30 Targeted High Risk Vulnerabilities" published in 2015[1], which came from Public Safety Canada's "Top 4 Strategies to Mitigate Targeted Cyber Intrusions" also from 2015[2], which came from the Australian Signals Directorate's report "Top four mitigation strategies to protect your ICT system" from 2012[3], which says (emphasis mine):
"At least 85% of the intrusions that ASD responded to in 2011 involved adversaries using unsophisticated techniques that would have been mitigated by implementing the Top 4 mitigation strategies as a package."
A far cry from "as many as 85 percent of all targeted attacks" quoted from Intel in 2018.
[1] - https://www.us-cert.gov/ncas/alerts/TA15-119A
[2] - https://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/tp-str...
[3] - https://www.asd.gov.au/publications/protect/top_4_mitigation...