Microsoft on Saturday issued an out-of-band Windows security update that disabled a patch the company released earlier this month to protect personal computers from possible attacks leveraging one of the “Spectre” vulnerabilities.
The weekend release was Microsoft’s response to an announcement seven days ago by Intel, which told customers of all stripes – from computer makers to end users – to stop deploying the firmware updates it had offered after disclosures of the Spectre and Meltdown flaws. According to Intel, the new firmware “may introduce [a] higher-than-expected [number of] reboots and other unpredictable system behavior” on Broadwell and Haswell processors. Those silicon families were introduced in 2015 and 2013, respectively.
“Our own experience is that system instability can in some circumstances cause data loss or corruption,” Microsoft confirmed in the support document accompanying the surprise update. “While Intel tests, updates and deploys new microcode, we are making available an out-of-band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – ‘Branch target injection vulnerability.’ In our testing this update has been found to prevent the behavior described.”
The update was written for all supported versions of Windows, including Windows 7, 8.1 and 10, as well as the corresponding Server editions.
Along with the turn-it-off update, Microsoft also published instructions for manually disabling the defenses against the pertinent Spectre vulnerability. Those instructions give IT administrators the registry values that, when added to the Windows registry, enable or disable the mitigations.
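As an added example (not code from the article or from Microsoft), the following PowerShell audits whether the CVE-2017-5715 mitigation has been administratively switched off through the registry override mechanism the instructions describe, and can write the documented enable/disable values. The key path and the `FeatureSettingsOverride` / `FeatureSettingsOverrideMask` value names are taken from Microsoft's Spectre/Meltdown client and server guidance, not from this page; the bit assignments (bit 0 = CVE-2017-5715, bit 1 = CVE-2017-5754) are assumed from that same guidance.

```powershell
# Added example, not from the article. Assumes Microsoft's documented override
# values under the Memory Management key: bit 0 of FeatureSettingsOverride
# disables the CVE-2017-5715 (branch target injection) mitigation, bit 1 the
# CVE-2017-5754 (Meltdown) mitigation; the mask says which bits are overridden.
$KeyPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$Variant2Bit = 1   # CVE-2017-5715
$MeltdownBit = 2   # CVE-2017-5754

function Get-SpectreOverrideState {
    # Read the override pair; missing values coerce to 0 (no override).
    $props    = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $override = [int]$props.FeatureSettingsOverride
    $mask     = [int]$props.FeatureSettingsOverrideMask
    # A bit only takes effect when it is set in both the override and the mask.
    $effective = $override -band $mask
    [pscustomobject]@{
        OverridePresent             = ($null -ne $props.FeatureSettingsOverride)
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        Variant2MitigationDisabled  = (($effective -band $Variant2Bit) -ne 0)
        MeltdownMitigationDisabled  = (($effective -band $MeltdownBit) -ne 0)
    }
}

function Set-SpectreVariant2Mitigation {
    # Writes the documented values; requires an elevated session and a reboot.
    param([Parameter(Mandatory)][bool]$Enabled)
    if ($Enabled) {
        # Documented "enable" setting (also what Server needs to turn mitigations on).
        $override = 0; $mask = 3
    } else {
        # Disable only the CVE-2017-5715 mitigation, leaving Meltdown's in place.
        $override = $Variant2Bit; $mask = $Variant2Bit
    }
    New-ItemProperty -Path $KeyPath -Name FeatureSettingsOverride -PropertyType DWord `
        -Value $override -Force | Out-Null
    New-ItemProperty -Path $KeyPath -Name FeatureSettingsOverrideMask -PropertyType DWord `
        -Value $mask -Force | Out-Null
    Write-Warning 'Override written; the change takes effect after a reboot.'
}

# Usage: report the current administrative state.
Get-SpectreOverrideState | Format-List
```

The registry pair records administrative intent only; whether the mitigation is actually active at runtime also depends on the installed microcode and OS support, which Microsoft's `Get-SpeculationControlSettings` cmdlet (from the SpeculationControl PowerShell Gallery module) reports.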
Intel’s notice and Microsoft’s emergency update were just the latest bits in one of the messiest security events in ages.