Microsoft has disabled a recent Intel fix for the Spectre CPU flaw after the update caused some systems to unexpectedly reboot.
PCs running Windows 7, 8.1 and 10 will have the Intel Spectre fix nullified by a new, out-of-band Microsoft patch, KB4078130.
The problematic Intel fix was designed to mitigate attacks using the Spectre-related Branch Target Injection vulnerability, CVE-2017-5715. However, after investigating reports that the fix was causing systems to become unstable, Intel last week recommended that system manufacturers and OS vendors stop offering the update. Microsoft says the resulting system instability “can in some circumstances cause data loss or corruption”. Since Intel issued its warning, Dell and HP have also withdrawn BIOS updates that included the buggy fix.
Intel is developing a new microcode update to address the Spectre vulnerability without causing the same instability.
Spectre and Meltdown are vulnerabilities in modern chip design that could allow attackers to bypass system protections on nearly every recent PC, server and smartphone, allowing hackers to read sensitive information, such as passwords, from memory.
Microsoft’s update, which doesn’t affect any other Meltdown or Spectre fixes, can be downloaded from the Microsoft Update Catalog website. Expert users can also manually enable or disable Intel’s Branch Target Injection fix by updating the Windows registry, using the instructions here.
While tech firms have been preparing updates to mitigate the Spectre and Meltdown flaws for months, details of the vulnerabilities leaked out early.
In the rush to issue patches, there have been multiple instances of Spectre- and Meltdown-related updates causing problems of their own.
Earlier this month, Microsoft warned that Windows PCs won’t receive any further security updates until third-party AV software is verified as compatible with Windows patches for Spectre and Meltdown, although this issue has now mostly been resolved.
And chipmaker AMD worked with Microsoft to resolve problems after the patches caused PCs running on some older AMD Opteron, Athlon and AMD Turion X2 Ultra processors to refuse to boot.
Intel CEO Brian Krzanich recently said the chipmaker is working on a new design for processors that would incorporate “silicon-based changes” to mitigate the threat posed by the Spectre and Meltdown vulnerabilities.
However, whether these changes will completely eliminate the danger of attacks exploiting these vulnerabilities, or just make attacks harder to pull off, is unclear.