Microsoft Undoes Intel's Buggy Spectre Fix With Emergency Patch
Microsoft undoing an Intel processor patch might seem unlikely, but that's just what an emergency update for Windows is doing because of Spectre reboots. Reports among Windows users of their PCs becoming unstable and rebooting randomly underscored quite how badly Intel's Spectre security fix had got things wrong, with Microsoft now forced to issue an emergency Windows patch that rolls back the processor company's handiwork.
Intel warned last week that its initial patch for Spectre may not have been quite as successful as it first hoped. Indeed, the chip-maker cautioned that it was pulling the fix, and working on another, after various reports of system instabilities, unexpected reboots, and – most ominously – even lost data among computers which had installed it. Its advice to software and hardware partners was to cease issuing the first fix, and wait for the second.
That's just what Microsoft is doing now. Complicating matters is the fact that there are really three Intel patches in the wild at the moment, not just one. Only one of those is believed to be actually causing headaches, and even then only on certain systems.
The problem patch is the Spectre variant 2 fix, and the affected systems are PCs or servers based on Haswell or Broadwell processors. Now, to be fair, that can be a pretty long list of systems, since Intel has server, desktop, and laptop variants of chips based on those architectures. Not all are necessarily going to exhibit instability, though.
Microsoft's KB4078130 patch, therefore, leaves the big decision on the shoulders of the PC owner. The "Update to Disable Mitigation against Spectre, Variant 2" should only be installed if you're "running an impacted device," the software giant suggests. That means there's a risk assessment to be made.
Remove the Intel fix, either because of system instability or out of general caution, and you're going to be safe from reboots and potential data loss. However, you'll also be vulnerable again to Spectre variant 2 hacks. Right now, there are no known examples of the exploit being used in the wild to actually attack systems. Nonetheless, it seems likely that there are some agents at least exploring the possibility of using the technique to compromise unpatched systems.
Intel has said it's working on a new Spectre variant 2 fix for the affected processor ranges. Microsoft has also cooked up a Spectre variant 2 patch with a user-controllable switch: effectively, you can use the registry to turn the mitigation on and off at will. It's only recommended for expert users, mind.
Meanwhile, Intel hopes to address both Spectre and Meltdown at the hardware level later in 2018. The company is working on updated versions of its processors, which will apparently be inherently secure from the exploits. However, the new silicon isn't expected to be released until later this year, and it's unclear whether there'll be any sort of subsidized upgrade path to the new chips.