Spectre and Meltdown Vulnerability Update


So, as you probably know, there’s a bit of a hoo-ha going on about two vulnerabilities called Spectre and Meltdown, which basically impact any machine with an Intel, AMD or ARM processor inside it going back to about 2007. Yes, that’s a fair few machines!

The flaws were initially identified towards the end of last year by various groups who, responsibly, started working with all the major chip vendors to scramble a few fixes out the door before going public. Such are the complexities of the issue that, funnily enough, it seems at least one of the fixes did not go through enough vigorous testing before being released. So much so that on Monday 22nd Jan Intel themselves advised not to patch with the latest fix until they could get to the bottom of the mess.

Here’s an excerpt from Microsoft from yesterday where they are specifically addressing the recommendation from Intel to ‘wait’.

“Intel has identified reboot issues with microcode on some older processors.

What should I do?

Intel has reported issues with recently released microcode meant to address Spectre variant 2 (CVE 2017-5715 Branch Target Injection) – specifically Intel noted that this microcode can cause “higher than expected reboots and other unpredictable system behavior” and then noted that situations like this may result in “data loss or corruption.” Our own experience is that system instability can in some circumstances cause data loss or corruption. 

On January 22nd Intel recommended that customers stop deploying the current microcode version on impacted processors while they perform additional testing on the updated solution. We understand that Intel is continuing to investigate the potential impact of the current microcode version and encourage customers to review their guidance on an ongoing basis to inform their decisions. While Intel tests, updates, and deploys new microcode, we are making available an out of band update today, KB4078130, that specifically disables only the mitigation against CVE 2017-5715 – Branch Target Injection vulnerability. In our testing this update has been found to prevent the behavior described.

For the full list of devices, see https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/microcode-update-guidance.pdf. This update covers Windows 7 Service Pack 1, Windows 8.1, and all versions of Windows 10, for client and server. If you are running an impacted device, this update can be applied by downloading it from the Microsoft Update Catalog. Application of this payload specifically disables only the mitigation against CVE 2017-5715 – Branch Target Injection vulnerability. As of January 25, there are no known reports to indicate that this Spectre variant 2 (CVE 2017-5715) has been used to attack customers.

We recommend Windows customers, when appropriate, re-enable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.”

So in a slightly odd move, Microsoft have released this strange ‘anti-patch’ (https://support.microsoft.com/help/4078130) that disables the Spectre 2 mitigation which has been causing system reboots and data corruption. So basically Microsoft are saying you should apply the latest patches, and then apply the ‘anti-patch’ to specifically turn off the mitigation for the CVE 2017-5715 (Branch Target Injection) vulnerability until further notice from Intel!

It’s a bit of a shambles really, but that’s the leading advice as of today.  We’ll keep you posted.