Microsoft Steps In to Correct Errant Intel Patch on Windows

Doug Carpenter
January 30, 2018

ARM and AMD chips are also vulnerable to attacks, but Intel remains the only manufacturer with products that are affected by all three of Spectre, Spectre Variant 2, and Meltdown.

Even before that news emerged, Intel and other technology companies were already under scrutiny for working quietly behind the scenes to resolve the chip-level flaws without notifying the public.

Microsoft pushed an unscheduled update to its Windows customers that will disable the patch that was supposed to mitigate the Spectre variant 2 (CVE 2017-5715 Branch Target Injection) CPU flaw.

Intel disclosed on January 22 that its latest microcode patches related to Spectre had created reboot issues as well as "other unpredictable system behavior".

The problematic Intel fix was created to mitigate against attacks using the Spectre-related Branch Target Injection vulnerability, CVE 2017-5715. Microsoft says its testing has found that applying its update eliminates the stability problems - and potential data loss and corruption - that Intel's firmware patch has been causing. There are a pair of Knowledge Base articles that walk users through this manual process here and here. When Intel discovered the issue, the company may have made a critical misstep from a national security standpoint: It alerted Chinese customers and a small number of companies, including Chinese firms Alibaba and Lenovo, about its chip security issues before disclosing the vulnerability to the USA government, the Wall Street Journal reports.

Following reports of issues with its initial fixes, Intel last week advised hardware and software vendors and partners to stop rolling out those patches to customers. Meanwhile, Intel has promised to release new patches for Spectre and Meltdown soon, and said chips invulnerable to the problem are coming later this year. The clock is ticking for Intel to figure out an effective way to patch their vulnerability before attacks using this vulnerability become weaponized and used against companies and governments. The United States Computer Emergency Readiness Team (US-CERT), an organization within the Department of Homeland Security's National Protection and Programs Directorate, is often informed of such discoveries, which then handles how the information is addressed.

Other reports by

Discuss This Article