Intel urged customers not to deploy firmware updates aimed at the Spectre and Meltdown flaws because the updates caused system instability; Microsoft reacted with its own release – KB4078130 – on Saturday.
Microsoft on Saturday issued an out-of-band Windows security update that disabled a patch the company released earlier this month to protect personal computers from possible attacks leveraging one of the “Spectre” vulnerabilities.
The weekend release was Microsoft’s response to an announcement seven days ago by Intel, which told customers of all stripes – from computer makers to end users – to stop deploying the firmware updates it had offered after disclosures of the Spectre and Meltdown flaws. According to Intel, the new firmware “may introduce [a] higher-than-expected [number of] reboots and other unpredictable system behavior” on Broadwell and Haswell processors. Those silicon families were introduced in 2015 and 2013, respectively.
Microsoft reacted to that disturbing news by voiding mitigations for one of the three areas of vulnerability posed by Spectre and Meltdown.
“Our own experience is that system instability can in some circumstances cause data loss or corruption,” Microsoft confirmed in the support document accompanying the surprise update. “While Intel tests, updates and deploys new microcode, we are making available an out-of-band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – ‘Branch target injection vulnerability.’ In our testing this update has been found to prevent the behavior described.”
The update was written for all supported versions of Windows, including Windows 7, 8.1 and 10, as well as the corresponding Server editions.
Along with the turn-it-off update, Microsoft also published instructions for manually disabling the defenses against the pertinent Spectre vulnerability. Those instructions offer IT administrators the keys which, when added to the Windows registry, enable or disable the mitigations.
Intel’s notice and Microsoft’s emergency update were just the latest bits in one of the messiest security events in ages.
On Jan. 3, a slew of vendors, primarily makers of processors and operating systems, broke the news of Spectre and Meltdown, two classes of CPU vulnerabilities uncovered by Google researchers. (Revelations went out then, even though a months-long coordinated effort had pegged Jan. 9 as a global release date.) The security world promptly erupted, and enterprise IT scrambled to figure out what needed to be patched, which patches were available, and in what order those updates should be deployed.
While software makers – such as OS and browser vendors – were first to deliver fixes, Intel and other processor designers quickly followed with firmware updates. Intel, for example, pushed its initial updates out the first week of January, and largely completed the task by the end of the second week.
But just a day after downplaying the performance impact of its firmware changes, Intel acknowledged the reboot problem, saying then that it had received reports from only “a few customers.” In that Jan. 11 note, Intel added that, “End-users should continue to apply updates recommended by their system and operating system providers.”
Eleven days later, on Jan. 22, Intel told customers to hold off on deploying those firmware updates. “I apologize for any disruption this change in guidance may cause,” said Navin Shenoy, an Intel executive vice president who leads the company’s Data Center Group, in that note. “I assure you we are working around the clock to ensure we are addressing these issues.”
Shenoy also told personal computer users that he would provide more information as it became available.
Microsoft issued a warning of its own. “We recommend Windows customers, when appropriate, re-enable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device,” the company said.
The Windows update can be downloaded from Microsoft’s Update Catalog portal.