Microsoft Helps Orgs Block Faulty Intel 'Spectre' Patches
Microsoft recently released resources for organizations grappling with flawed firmware updates from Intel that have resulted in reboot problems in some cases.
At issue is a broad security problem affecting most CPUs, generally known as the "Meltdown" and "Spectre" attack methods. No known attacks using those techniques have been publicized yet, but the flaws were openly documented by researchers, so systems are thought to be vulnerable.
Affected stakeholders have generally responded to the potential threats by issuing both operating system patches (for instance, from Microsoft and Apple) and CPU firmware updates (also known as "microcode") from chipmakers Intel, AMD and ARM.
Intel admitted last week that firmware updates it released for its Broadwell and Haswell processors to block these types of attacks were causing reboot issues for some users. It suggested that its OEM partners should stop issuing these flawed updates and wait for new updates from Intel.
A description of which Intel processors were issued the potentially flawed microcode is available in Intel's Microcode Revision List document. Not all Intel Broadwell processors were issued the revised microcode. Intel had previously said that other processors were affected by the reboot problems, too, namely "Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms." When asked about those processors last week, an Intel spokesperson indicated that Intel was prioritizing its Broadwell and Haswell fixes with OEMs first.
Late last week, Microsoft issued Knowledge Base article KB4078130 to give organizations some tools to block the flawed Intel firmware updates from arriving. One of the tools is a standalone out-of-band update (KB4078130) that's available for download from the Microsoft Update Catalog; it is not delivered automatically, so users who want it have to download it themselves. This update for Intel-based systems disables the "mitigation against CVE-2017-5715 -- 'Branch target injection vulnerability,'" which is the Spectre variant 2 attack method. In other words, the update addresses the reboot issue by turning off the fix that triggers it.
For "advanced users," Microsoft is also offering manual workarounds via registry edits, namely:
Those workarounds disable the Spectre variant 2 attack mitigations for Intel systems. The idea is to disable the mitigations until Intel delivers the fixed microcode. At that time, users presumably would have to remove the blocks they had set, perhaps by uninstalling KB4078130 or undoing registry edits. Update 1/30: A Microsoft spokesperson clarified that if KB4078130 gets installed, then organizations wanting to get the updated microcode from Intel when it's ready will have to make a registry change. Here's how the spokesperson described it:
"For clarification, KB4078130 will not have to be uninstalled. It simply automated the manual steps outlined in Microsoft's guidance. Once Intel provides a microcode update, the mitigation will need to be enabled via the registry key as described in Microsoft's customer guidance."
Microsoft recommends reenabling the mitigation once Intel's corrected microcode is ready:
"We recommend that Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device."
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.