Risk

1/29/2018
04:25 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Microsoft Issues Emergency Patch to Disable Intel's Broken Spectre Fix

Affected Windows systems can also be set to "disable" or "enable" the Intel microcode update for Spectre attacks.

Fallout from flawed fixes for the Meltdown and Spectre microprocessor firmware vulnerabilities continues as Microsoft released a second emergency patch this month for Windows: this time, to deactivate Intel's buggy update for one of the Spectre issues.

Microsoft late Friday issued an out-of-band update that disables the mitigation patch for the branch target injection flaw (CVE-2017-5715), aka Spectre variant 2. Intel last week revealed that this firmware update caused spontaneous reboots and other system problems, and called for customers and OEMs to halt installation of patches for its Broadwell and Haswell microprocessors.

"Our own experience is that system instability like this may result in data loss or corruption," Microsoft said in a post for the new patch, which affects Windows 7 Service Pack 1, Windows 8.1, Windows 10, Windows Server 2008 R2 Standard, and Windows Server 2012 R2 Standard.

"While Intel tests, updates, and deploys new microcode, we are making available an out-of-band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715," Microsoft said.

The good news in the update: Microsoft provides an option for "advanced users" to manually disable and enable the Spectre Variant 2 patch using registry-setting changes, which helps streamline the process. This allows them to "turn off" the flawed microcode fix via the Windows update rather than roll back the buggy patches. 

"This saves a lot of work. You don't have to uninstall the microcode update and restore to the previous version. You just set this flag and it ignores the microcode" patch, says Neil McDonald, vice president and distinguished analyst at Gartner.

The manual disable option is a good move by Microsoft, he says. "It's a way to just turn off the Variant 2" option, he says, giving them the choice to patch on the fly rather than the time-consuming process of rolling back the flawed patches.

"If there's an attack, they can reactivate it," he says.

McDonald says he hopes Microsoft provides the same strategy for Meltdown and Spectre Variant 1 vulnerability updates. That allows an organization to patch for the flaws based on performance tradeoffs since some environments can't sustain the slowdown. Instead, they can address the threat system by system, he says.

Microsoft recommends Windows users then reactivate the CVE 2017-5715 update after Intel gives the all-clear that it has fixed the performance problems it caused.

Jimmy Graham, director of product management at Qualys, notes that installing the emergency Microsoft patch should remedy system problems caused by the flawed update. "Installing this patch should return unstable systems to their former condition. This does mean that Spectre Variant 2 is not mitigated, but there are currently no active attacks against this vulnerability," Graham says. 

He says it's no surprise the microcode updates caused system problems because they aren't "typical software patches."

"They rely on microcode changes that directly impact how the processor functions. As with any patching, full testing of systems should be performed before production deployment. Especially in the case of Spectre and Meltdown patches, it is important to test these systems at production load to determine if there are any performance or stability concerns," Graham says.

Meantime, Intel CEO Brian Krzanich told analysts in the company's earnings call last week that Intel will unveil new products "later this year" that mitigate the Meltdown and Spectre vulnerabilities. "Our near-term focus is on delivering high-quality mitigations to protect our customers' infrastructure from these exploits. We're working to incorporate silicon-based changes to future products that will directly address the Spectre and Meltdown threats in hardware. And those products will begin appearing later this year," Krzanich said. 

But the Meltdown- and Spectre-free new microprocessors won't mean much to the current installed base of systems running on the vulnerable chips. While big cloud providers like Amazon, Microsoft, and Google may be able to update their systems in short order, most organizations realistically won't be able to do so. "For the typical organization, it will still be a multi-year journey," Gartner's McDonald says.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
1/30/2018 | 7:42:22 PM
Re: A question for DR
@Dr.T. "...Hopefully these variants will end soon."  I don't see how they could - but then I'm not on conference calls with the big players.  Maybe they have, or can, come to an agreed roadmap of mitigation waypoints, towards a solution.  If so, that would be a real achievement.  Without that, whatever one does will tilt the table for the others.  That goes for chip/OS and OS/ISVs (so chip/ISVs, as well).  With the pressure (public, political, contractual), on all of them, I imagine it's like playing the Twister game paced to a Bach Fugue. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:34:02 PM
Re: A question for DR
That is a very real possibility, and indeed it does question how Intel (and its competitors) can better build on-chip security, Intel has mot steak in this than others so it would be more important for them to get it right.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:32:39 PM
Re: A question for DR
Just wondering if on-chip security was really the best path, to begin with? It's like designing a hammer that will prevent you from hitting That is a real good question to ask. Any flow in HW would be hard to fix, maybe we need to evaluate options for HW independence.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:29:42 PM
Re: A question for DR
what happens when a new hardware vulnerability is discovered in those? That will be a real blow to intel, they my even go out of business for that.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:26:34 PM
Re: A question for DR
How are things going at your organization? We are mainly applying patches released by Microsoft. Not much other options.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:25:30 PM
Re: A question for DR
The real fix to these flaws is a new generation of microprocessors, which will likely take years for most organizations to adopt. That makes sense, I am also wondering if there is way to fix exiting CPUs for new devices.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:23:43 PM
Re: A question for DR
The patches don't really fix anything--they just mitigate exploits- I think that is why we need to go to a real solution, performance hit is not really acceptable.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:22:06 PM
Re: A question for DR
The patches/updates were obviously rushed without time to properly vet and test them. That makes sense. They would still see problems when they deploy it to mass market.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:20:33 PM
Re: A question for DR
Would the last few weeks of chaos been avoided, if the confidentially informed vendors had more time before public disclosure? I hear you, I would say it would be the same, they would not take action until last minute.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:19:22 PM
Re: A question for DR
Once we learned that underlying vulnerability was multi-chip-vendor (so multi-OS and Applications), we knew a long series of mitigation and fix iterations was inevitable. That makes sense. Hopefully these variants will end soon.
Page 1 / 2   >   >>
Microsoft, Mastercard Aim to Change Identity Management
Kelly Sheridan, Staff Editor, Dark Reading,  12/3/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Starwood Breach Reaction Focuses on 4-Year Dwell
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I guess this answers the question: who's watching the watchers?
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19980
PUBLISHED: 2018-12-08
Anker Nebula Capsule Pro NBUI_M1_V2.1.9 devices allow attackers to cause a denial of service (reboot of the underlying Android 7.1.2 operating system) via a crafted application that sends data to WifiService.
CVE-2018-19961
PUBLISHED: 2018-12-08
An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because TLB flushes do not always occur after IOMMU mapping changes.
CVE-2018-19962
PUBLISHED: 2018-12-08
An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because small IOMMU mappings are unsafely combined into larger ones.
CVE-2018-19963
PUBLISHED: 2018-12-08
An issue was discovered in Xen 4.11 allowing HVM guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because x86 IOREQ server resource accounting (for external emulators) was mishandled.
CVE-2018-19964
PUBLISHED: 2018-12-08
An issue was discovered in Xen 4.11.x allowing x86 guest OS users to cause a denial of service (host OS hang) because the p2m lock remains unavailable indefinitely in certain error conditions.