Microsoft released an emergency Windows patch to disable Intel’s buggy Spectre fix which could cause reboots, instability issues and ‘data loss or corruption.’
Microsoft released an out-of-band patch over the weekend to disable Intel’s buggy Spectre variant 2 microcode fix.
After the world learned of Meltdown and Spectre, it took Intel some time to get around to releasing patches. The fixes were “garbage” according to rant by Linux creator Linus Torvalds. Intel at first mentioned that its firmware updates were causing some reboots, but admitted last week that the fixes were a buggy mess causing systems to restart for no good reason and other stability issues.
Last week, Intel recommended “that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior.”
[ Download the State of Cybercrime 2017 report and bookmark CSO’s daily dashboard for the latest advisories and headlines.| Sign up for CSO newsletters .]
In fact, in Microsoft’s explanation of why it was issuing an emergency patch to disable Intel’s microcode for Spectre variant 2, the Redmond giant pointed at a comment in Intel’s fourth-quarter financial results. Intel had noted that the buggy firmware could lead to “data loss or corruption.”
Microsoft agreed, saying, “Our own experience is that system instability can in some circumstances cause data loss or corruption.” The company added, “We understand that Intel is continuing to investigate the potential impact of the current microcode version and encourage customers to review their guidance on an ongoing basis to inform their decisions.”
While Intel tests, updates and deploys new microcode, we are making available an out of band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.” In our testing this update has been found to prevent the behavior described. For the full list of devices, see Intel’s microcode revision guidance.
This update covers Windows 7 (SP1), Windows 8.1, and all versions of Windows 10, for client and server. If you are running an impacted device, this update can be applied by downloading it from the Microsoft Update Catalog website. Application of this payload specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.”
Microsoft offered another Spectre Variant 2 option, one meant for advanced users as it deals with manually disabling and enabling mitigations via changes in registry settings.
As of January 25, Microsoft said there were no known reports of attacks using Spectre variant 2; it recommended re-enabling the mitigation against that variant as soon as Intel is sure the “unpredictable system behavior” has been resolved.
As you likely remember, Microsoft immediately rushed out patches to mitigate Meltdown and Spectre; however, those fixes were also buggy and caused system instability. In response to mass complaints of Windows crashing to a BSOD, Microsoft hit the brakes and stopped rolling out the “fixes” to AMD devices.
Over the weekend it came to light that Intel notified Chinese companies of the security flaws in its chip before it told the U. S. government. The Wall Street Journal reported that it was a “near certainty” that, by Intel warning a small group of Chinese firms about the flaws in its processor chips, the Chinese government knew since it monitors all communications of Chinese tech companies.
This gave China the opportunity to exploit the flaws before the U. S. government even knew about them. At this time, experts have seen no evidence to suggest the information was used to launch attacks.
