Risk

1/29/2018
04:25 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Microsoft Issues Emergency Patch to Disable Intel's Broken Spectre Fix

Affected Windows systems can also be set to "disable" or "enable" the Intel microcode update for Spectre attacks.

Fallout from flawed fixes for the Meltdown and Spectre microprocessor firmware vulnerabilities continues as Microsoft released a second emergency patch this month for Windows: this time, to deactivate Intel's buggy update for one of the Spectre issues.

Microsoft late Friday issued an out-of-band update that disables the mitigation patch for the branch target injection flaw (CVE-2017-5715), aka Spectre variant 2. Intel last week revealed that this firmware update caused spontaneous reboots and other system problems, and called for customers and OEMs to halt installation of patches for its Broadwell and Haswell microprocessors.

"Our own experience is that system instability like this may result in data loss or corruption," Microsoft said in a post for the new patch, which affects Windows 7 Service Pack 1, Windows 8.1, Windows 10, Windows Server 2008 R2 Standard, and Windows Server 2012 R2 Standard.

"While Intel tests, updates, and deploys new microcode, we are making available an out-of-band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715," Microsoft said.

The good news in the update: Microsoft provides an option for "advanced users" to manually disable and enable the Spectre Variant 2 patch using registry-setting changes, which helps streamline the process. This allows them to "turn off" the flawed microcode fix via the Windows update rather than roll back the buggy patches. 

"This saves a lot of work. You don't have to uninstall the microcode update and restore to the previous version. You just set this flag and it ignores the microcode" patch, says Neil McDonald, vice president and distinguished analyst at Gartner.

The manual disable option is a good move by Microsoft, he says. "It's a way to just turn off the Variant 2" option, he says, giving them the choice to patch on the fly rather than the time-consuming process of rolling back the flawed patches.

"If there's an attack, they can reactivate it," he says.

McDonald says he hopes Microsoft provides the same strategy for Meltdown and Spectre Variant 1 vulnerability updates. That allows an organization to patch for the flaws based on performance tradeoffs since some environments can't sustain the slowdown. Instead, they can address the threat system by system, he says.

Microsoft recommends Windows users then reactivate the CVE 2017-5715 update after Intel gives the all-clear that it has fixed the performance problems it caused.

Jimmy Graham, director of product management at Qualys, notes that installing the emergency Microsoft patch should remedy system problems caused by the flawed update. "Installing this patch should return unstable systems to their former condition. This does mean that Spectre Variant 2 is not mitigated, but there are currently no active attacks against this vulnerability," Graham says. 

He says it's no surprise the microcode updates caused system problems because they aren't "typical software patches."

"They rely on microcode changes that directly impact how the processor functions. As with any patching, full testing of systems should be performed before production deployment. Especially in the case of Spectre and Meltdown patches, it is important to test these systems at production load to determine if there are any performance or stability concerns," Graham says.

Meantime, Intel CEO Brian Krzanich told analysts in the company's earnings call last week that Intel will unveil new products "later this year" that mitigate the Meltdown and Spectre vulnerabilities. "Our near-term focus is on delivering high-quality mitigations to protect our customers' infrastructure from these exploits. We're working to incorporate silicon-based changes to future products that will directly address the Spectre and Meltdown threats in hardware. And those products will begin appearing later this year," Krzanich said. 

But the Meltdown- and Spectre-free new microprocessors won't mean much to the current installed base of systems running on the vulnerable chips. While big cloud providers like Amazon, Microsoft, and Google may be able to update their systems in short order, most organizations realistically won't be able to do so. "For the typical organization, it will still be a multi-year journey," Gartner's McDonald says.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
1/30/2018 | 7:42:22 PM
Re: A question for DR
@Dr.T. "...Hopefully these variants will end soon."  I don't see how they could - but then I'm not on conference calls with the big players.  Maybe they have, or can, come to an agreed roadmap of mitigation waypoints, towards a solution.  If so, that would be a real achievement.  Without that, whatever one does will tilt the table for the others.  That goes for chip/OS and OS/ISVs (so chip/ISVs, as well).  With the pressure (public, political, contractual), on all of them, I imagine it's like playing the Twister game paced to a Bach Fugue. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:34:02 PM
Re: A question for DR
That is a very real possibility, and indeed it does question how Intel (and its competitors) can better build on-chip security, Intel has mot steak in this than others so it would be more important for them to get it right.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:32:39 PM
Re: A question for DR
Just wondering if on-chip security was really the best path, to begin with? It's like designing a hammer that will prevent you from hitting That is a real good question to ask. Any flow in HW would be hard to fix, maybe we need to evaluate options for HW independence.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:29:42 PM
Re: A question for DR
what happens when a new hardware vulnerability is discovered in those? That will be a real blow to intel, they my even go out of business for that.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:26:34 PM
Re: A question for DR
How are things going at your organization? We are mainly applying patches released by Microsoft. Not much other options.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:25:30 PM
Re: A question for DR
The real fix to these flaws is a new generation of microprocessors, which will likely take years for most organizations to adopt. That makes sense, I am also wondering if there is way to fix exiting CPUs for new devices.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:23:43 PM
Re: A question for DR
The patches don't really fix anything--they just mitigate exploits- I think that is why we need to go to a real solution, performance hit is not really acceptable.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:22:06 PM
Re: A question for DR
The patches/updates were obviously rushed without time to properly vet and test them. That makes sense. They would still see problems when they deploy it to mass market.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:20:33 PM
Re: A question for DR
Would the last few weeks of chaos been avoided, if the confidentially informed vendors had more time before public disclosure? I hear you, I would say it would be the same, they would not take action until last minute.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:19:22 PM
Re: A question for DR
Once we learned that underlying vulnerability was multi-chip-vendor (so multi-OS and Applications), we knew a long series of mitigation and fix iterations was inevitable. That makes sense. Hopefully these variants will end soon.
Page 1 / 2   >   >>
More Than Half of Users Reuse Passwords
Curtis Franklin Jr., Senior Editor at Dark Reading,  5/24/2018
Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11500
PUBLISHED: 2018-05-26
An issue was discovered in PublicCMS V4.0.20180210. There is a CSRF vulnerability in "admin/sysUser/save.do?callbackType=closeCurrent&navTabId=sysUser/list" that can add an admin account.
CVE-2018-11501
PUBLISHED: 2018-05-26
PHP Scripts Mall Website Seller Script 2.0.3 has CSRF via user_submit.php?upd=2.
CVE-2018-11503
PUBLISHED: 2018-05-26
The isfootnote function in markdown.c in libmarkdown.a in DISCOUNT 2.2.3a allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file, as demonstrated by mkd2html.
CVE-2018-11504
PUBLISHED: 2018-05-26
The islist function in markdown.c in libmarkdown.a in DISCOUNT 2.2.3a allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file, as demonstrated by mkd2html.
CVE-2018-11494
PUBLISHED: 2018-05-26
The "program extension upload" feature in OpenCart through 3.0.2.0 has a six-step process (upload, install, unzip, move, xml, remove) that allows attackers to execute arbitrary code if the remove step is skipped, because the attacker can discover a secret temporary directory name (containi...