Microsoft released an out-of-band patch over the weekend to disable Intel’s buggy Spectre variant 2 microcode fix.
After the world learned of Meltdown and Spectre, it took Intel some time to get around to releasing patches. The fixes were “garbage,” Linux creator Linus Torvalds said in a rant. Intel at first mentioned that its firmware updates were causing some reboots, but it admitted last week that the fixes were a buggy mess, causing systems to restart for no good reason, and have other stability issues.
Last week, Intel recommended “that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior.”
In fact, in Microsoft’s explanation of why it was issuing an emergency patch to disable Intel’s microcode for Spectre variant 2, the Redmond giant pointed at a comment in Intel’s fourth-quarter financial results. Intel had noted that the buggy firmware could lead to “data loss or corruption.”
Microsoft agreed, saying, “Our own experience is that system instability can in some circumstances cause data loss or corruption.”
The company added, “We understand that Intel is continuing to investigate the potential impact of the current microcode version and encourage customers to review their guidance on an ongoing basis to inform their decisions.”
While Intel tests, updates and deploys new microcode, we are making available an out of band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.” In our testing this update has been found to prevent the behavior described. For the full list of devices, see Intel’s microcode revision guidance.
This update covers Windows 7 (SP1), Windows 8.1, and all versions of Windows 10, for client and server. If you are running an impacted device, this update can be applied by downloading it from the Microsoft Update Catalog website. Application of this payload specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.”
Microsoft offered another Spectre Variant 2 option, one meant for advanced users because it deals with manually disabling and enabling mitigations via changes in registry settings.
As of Jan. 25, Microsoft said there were no known reports of attacks using Spectre variant 2. It recommended re-enabling the mitigation against that variant as soon as Intel is sure the “unpredictable system behavior” has been resolved.
As you likely remember, Microsoft immediately rushed out patches to mitigate Meltdown and Spectre; however, those fixes were also buggy and caused system instability. In response to mass complaints of Windows crashing to a BSOD, Microsoft hit the brakes and stopped rolling out the “fixes” to AMD devices.
Intel told Chinese firms about chip flaw before U.S. government
Over the weekend it came to light that Intel notified Chinese companies of the security flaws in its chip before it told the U.S. government. The Wall Street Journal reported that it was a “near certainty” that by Intel warning a small group of Chinese firms about the flaws in its processor chips, the Chinese government knew because it monitors all communications of Chinese tech companies.
This gave China the opportunity to exploit the flaws before the U.S. government even knew about them. At this time, experts have seen no evidence to suggest the information was used to launch attacks.