Out-of-band update disables Intel’s mitigation for Spectre Variant 2 attack, which Microsoft says can cause data loss on top of unexpected reboots.
Microsoft has released an emergency Windows update to disable Intel’s troublesome microcode fix for the Spectre Variant 2 attack.
Not only was Intel’s fix for the Spectre attack causing reboots and stability issues, but Microsoft also found it resulted in the worse scenario of data loss or corruption in some circumstances.
To justify its move, Microsoft highlights a comment in Intel’s fourth-quarter forward-looking statements that mentions for the first time that mitigation techniques potentially lead to data loss or corruption.
Until then, Intel had only mentioned its update was causing unexpected reboots and unpredictable system behavior.
“Our own experience is that system instability can in some circumstances cause data loss or corruption,” Microsoft said.
“We understand that Intel is continuing to investigate the potential impact of the current microcode version and encourage customers to review their guidance on an ongoing basis to inform their decisions,” it added.
To prevent the potential for data loss, Microsoft issued an out-of-band update on the weekend that disables Intel’s mitigation for CVE-2017-5715, or the Variant 2 Spectre attack described as “branch target injection vulnerability”.
Intel’s mitigation for this bug is the main reason it advised customers and hardware makers last week to stop deploying its current microcode.
Dell and HP have since pulled their respective BIOS updates carrying Intel’s buggy code and plan to reissue them once Intel has ironed out the problems.
Microsoft’s update that disables Intel’s patch is available for Windows 7 SP1, Windows 8.1, and all versions of Windows 10, for client and server. The update can be downloaded from the Microsoft Update Catalog website. The update leaves in place fixes for the other two vulnerabilities that make up Meltdown and Spectre.
Microsoft has also provided an option to manually disable and enable the mitigation for Variant 2 via special registry key settings. Links to the registry setting instructions can be found on Microsoft’s support page.
Given that there are no known reports of attacks on Spectre Variant 2, it would seem the greatest risk to systems and data at present is Intel’s buggy microcode.
The company is facing scrutiny from US lawmakers over its handling of the embargo, which has been described by some as an utter mess that left important software projects in the dark.
Jonathan Corbet, a member of the Linux Foundation’s Technical Advisory Board, said the disclosure process for Meltdown and Spectre was unusually secretive.
While the bugs affect Arm and AMD too, Intel is the only chip maker whose hardware is vulnerable to all three attacks. Despite facing a heightened risk of lawsuits, investors in Intel don’t appear to have been spooked by the bugs.
Intel CEO Brian Krzanich said at last week’s earning update the company will “restore confidence in data security with customer-first urgency, transparent and timely communication”.