Microsoft's Emergency Spectre Fix Disables Intel Fix



Microsoft released an emergency update over the weekend to disable Intel's Spectre fix.

Microsoft issued an emergency patch over the weekend to address Intel’s firmware fixes for Spectre, something the firm said it found could cause “system instability that can in some situations cause data loss or corruption.”

Microsoft’s fixes, which apply to Windows 7 (SP1), Windows 8.1, and all versions of Windows 10, client and server, effectively supersede microcode by Intel designed to remediate Spectre variant 2, a/k/a CVE-2017-5715, the branch target injection vulnerability. There were two variants of Spectre, one of the two security vulnerabilities in microprocessors identified early this year. The other Spectre issue was a bounds check bypass (CVE-2017-5753).

The update (KB4078130) comes about a week after Intel recommended that OEMs, cloud service providers, system manufacturers, software vendors and end users should halt deployment of its code after it determined it could result in “higher than expected reboots and other unpredictable behavior,” on Broadwell and Haswell microarchitectures.

Windows users obviously couldn’t stop using Intel’s microcode since it's built into Microsoft’s own security updates, so this past weekend’s fix should remedy that, at least until Intel has enough time to review, test, and deploy new microcode.

It’s the second out-of-band patch Microsoft has had to issue this month around Spectre and Meltdown, the other recently disclosed flaw in microprocessors manufactured by Intel, AMD, and ARM. After the vulnerabilities were disclosed, on January 3, Microsoft issued an emergency update for Windows 10. Microsoft said in the days following the disclosure that users running Windows 7 and 8 - and therefore older chips - would notice a performance impact once updates for those systems were installed.

Microsoft's move follows in the footsteps of Dell and HP, which advised users against deploying the microcode last week.

The flaws, discovered by researchers and cryptographers with Google's Project Zero, private firms, and academic institutions, could be abused by attackers to leak information, like passwords and keys, through speculative execution, a technique used by processors to optimize performance.

Chris Brook
