Intel's response to the Meltdown and Spectre vulnerabilities has been far from perfect. Alongside numerous chastisements by Linux godfather Linus Torvalds calling the company's fixes for the exploits 'garbage' and a revelation that Intel chose to warn its partners before the U.S. government, the company also revealed that the patches that were supposed to fix these exploits had a flaw of their own.
Microsoft issued an emergency update over the weekend to remove the offending patches, as the company found the negative impact on stability to be of particular concern. In a new advisory, the company stated:
"Our own experience is that system instability can in some circumstances cause data loss or corruption. On January 22nd Intel recommended that customers stop deploying the current microcode version on impacted processors while they perform additional testing on the updated solution. We understand that Intel is continuing to investigate the potential impact of the current microcode version and encourage customers to review their guidance on an ongoing basis to inform their decisions."
The patches aimed at mitigating Variant 2 (Spectre) of the three vulnerabilities revealed by Google's Project Zero were causing systems to crash unexpectedly for a number of users. While the company had initially started by only warning some of its larger customers to refrain from installing the patches, it soon extended that advice to all users, promising a fix was on the way.
In the meantime, Intel suggested a new update from its OEM partners would remove the mitigations aimed specifically at Variant 2 (Spectre) while it continues to work on finalising a comprehensive, bug-free version of the fix. The KB4078130 update pushed today does exactly that, with Microsoft emphasising that it "specifically disables only the mitigation against CVE-2017-5715 – 'Branch target injection vulnerability.'"
It has, of course, been weeks since these vulnerabilities were first made public. Microsoft points out that as of January 25, no known exploits based on Variant 2 (Spectre) have been used against customers. However, users would be remiss if they weren't concerned about disabling mitigations against one of the most serious and wide-ranging security vulnerabilities in recent history. For those, Microsoft is also making available an advanced option to manually turn the mitigations for CVE-2017-5715 on and off, based on their preference. The instructions for implementing this option can be found on Microsoft's advisory.
KB4078130 is available to all Windows 7 (SP1), Windows 8.1 and Windows 10 devices, for both end-users and servers, and must be manually obtained via the Microsoft Update Catalog.
Update: Clarified the story to indicate that the update is optional, and was not pushed.
Source: Microsoft via The Register
42 Comments - Add comment