Microsoft Issues Emergency Update to Plug Intel’s Faulty Spectre Patch
Microsoft issued an emergency security update on Saturday, its second this month, to mitigate the effects of Intel’s fix for the Spectre Variant 2 attack. The company announced that the new out-of-band update will prevent the random reboots and data loss caused by the buggy security patch released by Intel. Microsoft said that its own testing has shown that the resulting system instability can lead to data loss or corruption. Intel, however, had already announced last week that its own fix is faulty, causing unexpected reboots and unpredictable system behavior, and advised its customers to stop deploying the current update.
The latest update from Microsoft specifically disables the protection against CVE-2017-5715 (“Branch target injection vulnerability”) and covers Windows 7, Windows 8.1 and all versions of Windows 10 for client and server. The patch will not affect the fixes for the other two vulnerabilities associated with Meltdown and Spectre.
The newly released patch isn’t part of the regular “Windows Update” distribution, so users will have to download it manually. For advanced users and IT admins, the company has also released a new option to manually disable and enable the mitigation against the attack by changing registry settings. This new update, however, is not required for users who do not have the buggy Intel patch.
Microsoft has also asked users to re-enable the mitigation against the Spectre Variant 2 attack once the chipmaker reports that the faulty system behavior has been resolved. “We understand that Intel is continuing to investigate the potential effect of the current microcode version, and we encourage customers to review their guidance on an ongoing basis to inform their decisions”, Microsoft said. The company has also indicated that no known attacks on customers using the Meltdown and Spectre vulnerabilities have been observed, and that it is working closely with the chipmaker and hardware vendors to protect its customers.
Navin Shenoy, Executive Vice President and General Manager of the Data Center Group at Intel, said that the company has identified the root cause of the reboot issue on Broadwell and Haswell processors and is making good progress in developing a solution for it. The company has already released an updated version of the solution to industry partners for testing, and the final release will be announced once the testing is completed.
Intel has been having a rough time ever since the vulnerabilities were made public. The company is already facing scrutiny from lawmakers in the US for inappropriately handling the embargo and keeping smaller tech companies in the dark. Although the Meltdown and Spectre bugs affect other processors too, Intel’s hardware is the only one affected by all three of the vulnerabilities associated with the two. Despite the controversies, though, the company reported a strong Q4 result last week, showing that investors aren’t worried about the bugs.