Microsoft Issues Out-of-Band Fix for Intel’s Broken Spectre Patch

Microsoft has been forced to issue an out-of-band patch to fix problems caused by a buggy Intel update for one of the Spectre vulnerabilities disclosed earlier this month.

The Redmond fix (KB4078130) was issued over the weekend and disables the mitigation for branch target injection vulnerability CVE-2017-5715.

The fix covers Windows 7 (SP1), Windows 8.1 and all versions of Windows 10, for client and server.

Intel first reported “reboot issues” for Broadwell and Haswell platforms on January 11.

Last week it claimed to be making good progress on fixing the problem, and recommended that in the meantime “OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior.”

The chip giant then claimed during its fourth quarter financials that the ‘fix’ may also lead to “data loss or corruption.”

Microsoft agreed, but said its new out-of-band update reverses the problem. It can be applied by downloading from the Microsoft Update Catalog website or – for advanced users – via registry setting changes.

Microsoft added:

“As of January 25, there are no known reports to indicate that this Spectre variant 2 (CVE-2017-5715) has been used to attack customers. We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.”

This is the second unscheduled fix Redmond has been forced to issue since the Spectre and Meltdown flaws were made public at the start of the year.

The previous one was issued in the first week of January to address the Meltdown vulnerability, but itself ended up causing problems for customers because of compatibility issues with some AV tools. These caused blue screen (BSOD) errors for some customers.

Source: Information Security Magazine