Microsoft releases new security update against bug found on Intel chips

Posted January 30, 2018

The situation around the Meltdown and Spectre flaws appears to be getting even more confusing for the end user. Apparently, some of the software updates meant to fix them are.

Intel now faces several class-action lawsuits regarding Meltdown and Spectre, which affect almost every desktop and mobile computing device on the planet. "We understand that Intel is continuing to investigate the potential impact of the current microcode version ..."

Then on Saturday, Microsoft released a security update enabling users and IT administrators to disable Intel's mitigation for Spectre variant 2, a branch target injection flaw designated CVE-2017-5715.

The Spectre update was actually supposed to fix the vulnerability, but as the update was rolled out all of a sudden, it caused more harm than good.

The problematic Intel fix was created to mitigate attacks using the Spectre-related Branch Target Injection vulnerability, CVE-2017-5715.

The two most worrisome vulnerabilities in computers to have surfaced in recent months are Spectre and Meltdown, which were first disclosed earlier this month.

Intel asking everyone to skip its flawed firmware updates was apparently not enough for Microsoft. On Friday, Intel wrote in a press release that patches to its chips "may result in adverse performance, reboots, system instability, data loss or corruption, unpredictable system behavior, or the misappropriation of data by third parties". Intel noted that in some situations this reboot could cause data loss or corruption.

While the Spectre Variant 2 vulnerability has the potential to cause some damage if exploited by enterprising hackers, there are currently no known reports of any users impacted by the attack.

Intel CEO Brian Krzanich said that they have committed to keeping their customers and owners apprised of their progress and, through their actions.

The update can be downloaded from Microsoft's Update Catalog site. (That's the type of vulnerability that applies to Spectre and Meltdown.) That's KB4073119, and it outlines PowerShell scripts to check vulnerability protections, and registry tweaks to enable or disable them.

Intel is "working around the clock to ensure we are addressing these issues", Navin Shenoy, executive vice president and general manager of Intel's Data Center Group, said in an update last week.