Microsoft Issues Emergency Patch to Disable Intels Broken Spectre Fix

  /     /     /  
Publicated : 22/11/2024   Category : security


Microsoft Issues Emergency Patch to Disable Intels Broken Spectre Fix


Affected Windows systems can also be set to disable or enable the Intel microcode update for Spectre attacks.



Fallout from flawed fixes for the Meltdown and Spectre microprocessor firmware vulnerabilities continues as Microsoft released a second emergency patch this month for Windows: this time, to deactivate Intels buggy update for one of the Spectre issues.
Microsoft late Friday issued an out-of-band update that disables the mitigation patch for the branch target injection flaw (
CVE-2017-5715
), aka Spectre variant 2. Intel last week revealed that this firmware update caused spontaneous reboots and other system problems, and called for customers and OEMs to halt installation of patches for its Broadwell and Haswell microprocessors.
Our own experience is that system instability like this may result in data loss or corruption, Microsoft said in a post for the new patch, which affects Windows 7 Service Pack 1, Windows 8.1, Windows 10, Windows Server 2008 R2 Standard, and Windows Server 2012 R2 Standard.
While Intel tests, updates, and deploys new microcode, we are making available an out-of-band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715, Microsoft said.
The good news in the update: Microsoft provides an option for advanced users to manually disable and enable the Spectre Variant 2 patch using registry-setting changes, which helps streamline the process. This allows them to turn off the flawed microcode fix via the Windows update rather than roll back the buggy patches. 
This saves a lot of work. You dont have to uninstall the microcode update and restore to the previous version. You just set this flag and it ignores the microcode patch, says Neil McDonald, vice president and distinguished analyst at Gartner.
The manual disable option is a good move by Microsoft, he says. Its a way to just turn off the Variant 2 option, he says, giving them the choice to patch on the fly rather than the time-consuming process of rolling back the flawed patches.
If theres an attack, they can reactivate it, he says.
McDonald says he hopes Microsoft provides the same strategy for Meltdown and Spectre Variant 1 vulnerability updates. That allows an organization to patch for the flaws based on performance tradeoffs since some environments cant sustain the slowdown. Instead, they can address the threat system by system, he says.
Microsoft
recommends
Windows users then reactivate the CVE 2017-5715 update after Intel gives the all-clear that it has fixed the performance problems it caused.
Jimmy Graham, director of product management at Qualys, notes that installing the emergency Microsoft patch should remedy system problems caused by the flawed update. Installing this patch should return unstable systems to their former condition. This does mean that Spectre Variant 2 is not mitigated, but there are currently no active attacks against this vulnerability, Graham says. 
He says its no surprise the microcode updates caused system problems because they arent typical software patches.
They rely on microcode changes that directly impact how the processor functions. As with any patching, full testing of systems should be performed before production deployment. Especially in the case of Spectre and Meltdown patches, it is important to test these systems at production load to determine if there are any performance or stability concerns, Graham says.
Meantime, Intel CEO Brian Krzanich told analysts in the companys earnings call last week that Intel will unveil
new products later this year
 that mitigate the Meltdown and Spectre vulnerabilities. Our near-term focus is on delivering high-quality mitigations to protect our customers infrastructure from these exploits. Were working to incorporate silicon-based changes to future products that will directly address the Spectre and Meltdown threats in hardware. And those products will begin appearing later this year, Krzanich said. 
But the Meltdown- and Spectre-free new microprocessors wont mean much to the current installed base of systems running on the vulnerable chips. While big cloud providers like Amazon, Microsoft, and Google may be able to update their systems in short order, most organizations realistically wont be able to do so. For the typical organization, it will still be a multi-year journey, Gartners McDonald says.
Related Content:
Fallout from Rushed Patching for Meltdown, Spectre
Critical Microprocessor Flaws Affect Nearly Every Machine
Vendors Rush to Issue Security Updates for Meltdown, Spectre Flaws
Meltdown, Spectre Likely Just Scratch the Surface of Microprocessor Vulnerabilities

Last News

▸ Security Problem Growing for Dairy Queen, UPS & Retailers, Back off ◂
Discovered: 23/12/2024
Category: security

▸ Veritabile Defecte de Proiectare a Securitatii in Software -> Top 10 Software Security Design Flaws ◂
Discovered: 23/12/2024
Category: security

▸ Sony, XBox Targeted by DDoS Attacks, Hacktivist Threats ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Microsoft Issues Emergency Patch to Disable Intels Broken Spectre Fix