Microsoft issued a new security update over the weekend to disable Intel’s buggy firmware fixes for Spectre, the two-decade-old chip flaw that allows attackers to steal private data from affected machines.
The update, issued Saturday, is the second out-of-band security update Microsoft issued this month. It comes after Intel warned enterprise customers to skip its buggy patches because of instability, data loss, corruption and unwanted reboots.
Intel has promised more stable patches in the near future and next-generation chips that fix the root of the Meltdown and Spectre vulnerabilities. Those patches will be released some time in 2018.
Until those chips are created, there appears to be no complete fix possible for Spectre.
Meltdown is numbered CVE-2017-5754. The two Spectre attacks are CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). Meltdown and Spectre Variant 1 are fixed with software patches. Users are not so lucky with Spectre Variant 2.
“While Intel tests, updates and deploys new microcode, we are making available an out of band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – ‘Branch target injection vulnerability,’” Microsoft’s blog post explained. “This update covers Windows 7 (SP1), Windows 8.1, and all versions of Windows 10, for client and server.”
In suspending patches for Spectre Variant 2, Microsoft follows HP, Dell and other manufacturers who advised against installing BIOS updates meant to fix Spectre due to instability.
Google Project Zero’s Jann Horn, one of the researchers who discovered the Spectre flaw, “demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible,” Google’s security team laid out earlier this month.
“As of January 25, there are no known reports to indicate that this Spectre variant 2 (CVE 2017-5715) has been used to attack customers,” Microsoft explained in its blog post on the new patch. “We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.”
It’s an interesting statement because some researchers have warned that detecting exploitation is “probably” impossible because Spectre “does not leave any traces in traditional log files.”
Social media is full of reports of problems caused by, and time lost to, the buggy patches. Anger in the tech world against Intel and its partners is palpable, best summed up by Linux creator Linus Torvalds publicly slamming the messy and apparently under-tested patches as “complete and utter garbage.”