Things Get Messier: Microsoft Issues Another Emergency Update to Kill Intel’s Faulty Spectre Fix
Microsoft is releasing another out-of-band emergency patch to Windows users. This time, the update is not to fix anything, but to actually remove the buggy Intel fix for the Spectre variant 2 chip vulnerability (CVE-2017-5715). This makes it the second emergency patch for the month, both dealing with the chip flaws.
Emergency Windows update released to disable Intel's buggy patches
The second out-of-band update was released over the weekend by the Redmond software maker to disable patches for one of the Spectre bugs. This is a very rare update (KB4078130), as Microsoft pushed a patch over the weekend to disable one of the fixes released by the company earlier.
The situation around the Meltdown and Spectre flaws appears to be getting even more confusing for the end user. Intel had itself warned last week that the buggy firmware updates could result in data loss. Microsoft added that the fixes are creating stability issues and random reboots that could lead to data loss. "Our own experience is that system instability can in some circumstances cause data loss or corruption," Microsoft said.
"We understand that Intel is continuing to investigate the potential impact of the current microcode version and encourage customers to review their guidance on an ongoing basis to inform their decisions."
Microsoft also referred to Intel's financial results where a warning about the data loss issues associated with mitigation was buried inside the text. "Mitigation techniques, including software and firmware updates, may not operate as intended or effectively resolve these vulnerabilities," Intel's statement reads.
"Security vulnerabilities and/or mitigation techniques, including software and firmware updates, may result in adverse performance, reboots, system instability, data loss or corruption, unpredictable system behavior, or the misappropriation of data by third parties."
Apart from Microsoft, Dell and HP have also pulled their BIOS updates, which will be released once Intel fixes the problems. As for Windows, users need to install KB4078130 (rated critical) on their Windows 7 SP1, Windows 8.1, and all versions of Windows 10 - client and server. This update will only disable mitigation against CVE-2017-5715, while keeping the fixes for Meltdown and Spectre variant 1 in place.
For advanced users who don't want to remain vulnerable (there are no known cases of variant 2 having been used in the wild), Microsoft has made another option available to manually disable or enable the mitigation against Spectre variant 2 (CVE-2017-5715) independently via registry setting changes. More details are available here.