Video: Meltdown-Spectre: A reminder to the IT industry that security is a mirage.
Microsoft has released an emergency Windows update to disable Intel's troublesome microcode fix for the Spectre Variant 2 attack.
Not only was Intel's fix for the Spectre attack causing reboots and stability issues, but Microsoft also found it resulted in the worse scenario of data loss or corruption in some circumstances.
To justify the out-of-band update, Microsoft highlights a comment in Intel's fourth-quarter forward-looking statements that mentions for the first time that mitigation techniques potentially lead to data loss or corruption.
Until then, Intel had only mentioned its update was causing unexpected reboots and unpredictable system behavior.
"Our own experience is that system instability can in some circumstances cause data loss or corruption," Microsoft said.
"We understand that Intel is continuing to investigate the potential impact of the current microcode version and encourage customers to review their guidance on an ongoing basis to inform their decisions," it added.
To prevent the potential for data loss, Microsoft issued an out-of-band update on the weekend that disables Intel's mitigation for CVE-2017-5715, or the Variant 2 Spectre attack described as a "branch target injection vulnerability".
Intel's mitigation for this bug is the main reason it advised customers and hardware makers last week to stop deploying its current microcode.
Dell and HP have since pulled their respective BIOS updates carrying Intel's buggy code, and plan to reissue them once Intel has ironed out the problems.
Microsoft's update that disables Intel's patch is available for Windows 7 SP1, Windows 8.1, and all versions of Windows 10, for client and server. The update can be downloaded from the Microsoft Update Catalog website. The update leaves in place fixes for the other two vulnerabilities that make up Meltdown and Spectre.
Microsoft has also provided an option to manually disable and enable the mitigation for Variant 2 via special registry key settings. Links to the registry setting instructions can be found on Microsoft's support page.
Given that there are no known reports of attacks on Spectre Variant 2, it would seem the greatest risk to systems and data at present is Intel's buggy microcode.
Jonathan Corbet, a member of the Linux Foundation's Technical Advisory Board, said the disclosure process for Meltdown and Spectre was unusually secretive.
While the bugs affect Arm and AMD too, Intel is the only chipmaker whose hardware is vulnerable to all three attacks. Despite facing a heightened risk of lawsuits, investors in Intel don't appear to have been spooked by the bugs.
Intel CEO Brian Krzanich said at last week's earning update the company will "restore confidence in data security with customer-first urgency, transparent, and timely communication".
Previous and related coverage
Great work on patching your own products, but why were smaller tech companies kept in the dark?
Dell and HP have pulled Intel's firmware patches for the Spectre attack.
AMD PCs can now install Microsoft's Windows update with fixes for Meltdown and Spectre and the bug that caused boot problems.
Intel's firmware fix for Spectre is also causing higher reboots on Kaby Lake and Skylake CPUs.
Roughly a week after the update was released, many machines still lack the fix for the critical CPU vulnerabilities.
Our devices may never truly be secure, says the CEO of the company that designs the heart of most mobile chips.