Windows emergency patch: Microsoft's new update kills off Intel's Spectre fix

The out-of-band update disabled Intel's mitigation for the Spectre Variant 2 attack, which Microsoft says can cause data loss on top of unexpected reboots.
Written by Liam Tung, Contributing Writer

Video: Meltdown-Spectre: A reminder to the IT industry that security is a mirage.

Microsoft has released an emergency Windows update to disable Intel's troublesome microcode fix for the Spectre Variant 2 attack.

Not only was Intel's fix for the Spectre attack causing reboots and stability issues, but Microsoft also found it resulted in the worse scenario of data loss or corruption in some circumstances.

To justify the out-of-band update, Microsoft highlights a comment in Intel's fourth-quarter forward-looking statements that mentions for the first time that mitigation techniques potentially lead to data loss or corruption.

Until then, Intel had only mentioned its update was causing unexpected reboots and unpredictable system behavior.

"Our own experience is that system instability can in some circumstances cause data loss or corruption," Microsoft said.

"We understand that Intel is continuing to investigate the potential impact of the current microcode version and encourage customers to review their guidance on an ongoing basis to inform their decisions," it added.

To prevent the potential for data loss, Microsoft issued an out-of-band update on the weekend that disables Intel's mitigation for CVE-2017-5715, or the Variant 2 Spectre attack described as a "branch target injection vulnerability".

Intel's mitigation for this bug is the main reason it advised customers and hardware makers last week to stop deploying its current microcode.

Dell and HP have since pulled their respective BIOS updates carrying Intel's buggy code, and plan to reissue them once Intel has ironed out the problems.

Read now: Cybersecurity in 2018: A roundup of predictions

Microsoft's update that disables Intel's patch is available for Windows 7 SP1, Windows 8.1, and all versions of Windows 10, for client and server. The update can be downloaded from the Microsoft Update Catalog website. The update leaves in place fixes for the other two vulnerabilities that make up Meltdown and Spectre.

Microsoft has also provided an option to manually disable and enable the mitigation for Variant 2 via special registry key settings. Links to the registry setting instructions can be found on Microsoft's support page.

Given that there are no known reports of attacks on Spectre Variant 2, it would seem the greatest risk to systems and data at present is Intel's buggy microcode.

The company is facing scrutiny from US lawmakers over its handling of the embargo, which has been described by some as an utter mess that left important software projects in the dark.

Jonathan Corbet, a member of the Linux Foundation's Technical Advisory Board, said the disclosure process for Meltdown and Spectre was unusually secretive.

While the bugs affect Arm and AMD too, Intel is the only chipmaker whose hardware is vulnerable to all three attacks. Despite facing a heightened risk of lawsuits, investors in Intel don't appear to have been spooked by the bugs.

Intel CEO Brian Krzanich said at last week's earning update the company will "restore confidence in data security with customer-first urgency, transparent, and timely communication".

Previous and related coverage

Meltdown-Spectre: Why were flaws kept secret from industry, demand lawmakers

Great work on patching your own products, but why were smaller tech companies kept in the dark?

Spectre flaw: Dell and HP pull Intel's buggy patch, new BIOS updates coming

Dell and HP have pulled Intel's firmware patches for the Spectre attack.

Windows 10 Meltdown-Spectre patch: New updates bring fix for unbootable AMD PCs

AMD PCs can now install Microsoft's Windows update with fixes for Meltdown and Spectre and the bug that caused boot problems.

Meltdown-Spectre: Intel says newer chips also hit by unwanted reboots after patch

Intel's firmware fix for Spectre is also causing higher reboots on Kaby Lake and Skylake CPUs.

26% of organizations haven't yet received Windows Meltdown and Spectre patches(Tech Republic)

Roughly a week after the update was released, many machines still lack the fix for the critical CPU vulnerabilities.

Bad news: A Spectre-like flaw will probably happen again (CNET)

Our devices may never truly be secure, says the CEO of the company that designs the heart of most mobile chips.

Editorial standards