Following Intel's advisory for customers to stop deploying the Meltdown and Spectre patch, Microsoft has issued an out-of-band patch to disable the broken fix.
Microsoft announced the out-of-band Spectre patch on Saturday, Jan. 27, and included more information than Intel had previously given when pulling the original patch.
"Intel has reported issues with recently released microcode meant to address Spectre variant 2 (CVE-2017-5715, Branch Target Injection) -- specifically Intel noted that this microcode can cause 'higher than expected reboots and other unpredictable system behavior' and then noted that situations like this may result in 'data loss or corruption.' Our own experience is that system instability can in some circumstances cause data loss or corruption," Microsoft wrote in a support advisory. "While Intel tests, updates and deploys new microcode, we are making available an out-of-band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715. In our testing this update has been found to prevent the behavior described."
For comparison, Intel's announcement on Jan. 22 gave no indication that the Spectre patch was at fault -- it did not mention the Meltdown or Spectre branding, nor did it say which CVE patch was causing problems -- and said only that the company had "identified the root cause" of the rebooting issues, which affected systems running Intel Broadwell and Haswell CPUs, and that it was working on a new fix.
Intel initially announced the "reboot issues" on Jan. 11 but again, the company didn't specify which firmware updates were causing problems and didn't cite either the Meltdown or Spectre vulnerabilities. In addition, it wasn't until the chipmaker's fourth quarter 2017 earnings announcement that it acknowledged "data loss or corruption" was a possible side effect from its Spectre update.
Microsoft's new Spectre patch will disable Intel's fix and Microsoft is also offering an option for advanced users "to manually disable and enable the mitigation against Spectre variant 2 independently via registry setting changes."
A source at Microsoft, who wished to stay anonymous, told SearchSecurity the Spectre patch was a difficult situation because "you can't fix it in firmware alone or software alone."
"The chip vendor releases a firmware capability, which the OSes use in a certain way in key situations to mitigate against potential abuse [or] attack. So, to mitigate, you need a firmware update plus an OS that leverages [that update]. It's symbiotic [and] collaborative," the source said. "Given that you need both, it was possible that an OS update would rollout on machines that didn't yet have a firmware update, so the mitigation needed to be able to be 'on' or 'off' depending [on the presence of Intel's microcode update]."
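The registry switch Microsoft mentions above, and the source's point that the OS side of the mitigation has to be able to sit "on" or "off" depending on whether the microcode is present, can be checked rather than guessed at. The following read-only PowerShell script is an added example and is not code from the article, from Microsoft or from Intel. The key path and the value names FeatureSettingsOverride and FeatureSettingsOverrideMask follow Microsoft's published speculative-execution guidance for Windows, which the article does not quote; the bit assignment the script decodes (bit 0 for CVE-2017-5715, bit 1 for the Meltdown mitigation) is assumed from that guidance, and the SpeculationControl module call at the end is optional and only runs if the module is installed.

```powershell
# Added example (not from the article, Microsoft or Intel): a read-only look at the registry
# switch for the Spectre variant 2 (CVE-2017-5715) mitigation on Windows.
# Assumed bit layout (from Microsoft's guidance, not from this article):
#   bit 0 = CVE-2017-5715 (Spectre variant 2), bit 1 = CVE-2017-5754 (Meltdown).
# A set bit in FeatureSettingsOverride disables that mitigation, but only where the
# same bit is also set in FeatureSettingsOverrideMask; otherwise the OS default applies.

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-MitigationOverrideState {
    param(
        [Nullable[int]] $Override,      # FeatureSettingsOverride, $null when the value is absent
        [Nullable[int]] $OverrideMask   # FeatureSettingsOverrideMask, $null when absent
    )
    # No values present: the OS default applies, i.e. the mitigation is on when the
    # Windows update and (for variant 2) the matching microcode are both present.
    if ($null -eq $Override -or $null -eq $OverrideMask) {
        return [pscustomobject]@{
            Variant2 = 'default (enabled if firmware and OS support present)'
            Meltdown = 'default (enabled if supported)'
        }
    }
    $decode = {
        param([int] $bit)
        if (($OverrideMask -band $bit) -eq 0) { return 'default (enabled if supported)' }
        if (($Override -band $bit) -ne 0)     { return 'disabled by registry policy' }
        return 'forced enabled by registry policy'
    }
    [pscustomobject]@{
        Variant2 = & $decode 1
        Meltdown = & $decode 2
    }
}

function Read-RegistryDword {
    param([string] $Path, [string] $Name)
    # Returns $null rather than throwing when the value has never been set.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int] $item.$Name
}

# Live check of this machine (reads only; changes nothing).
$state = Get-MitigationOverrideState `
    -Override     (Read-RegistryDword -Path $MemMgmtKey -Name 'FeatureSettingsOverride') `
    -OverrideMask (Read-RegistryDword -Path $MemMgmtKey -Name 'FeatureSettingsOverrideMask')
$state | Format-List

# Constructed sample values, independent of this machine, to show how the decoding reads.
# Override=1 with Mask=1 is the "variant 2 only" off state the article describes:
Get-MitigationOverrideState -Override 1 -OverrideMask 1 | Format-List
# Override=0 with Mask=3 turns both mitigations back on once corrected microcode is deployed:
Get-MitigationOverrideState -Override 0 -OverrideMask 3 | Format-List

# Microsoft's SpeculationControl module (Install-Module SpeculationControl) reports the
# firmware half of the pair: whether the CPU microcode exposes the variant 2 capability and
# whether Windows is actually using it. Optional; only runs if the module is installed.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings |
        Select-Object BTIHardwarePresent, BTIWindowsSupportPresent,
                      BTIWindowsSupportEnabled, BTIDisabledBySystemPolicy
}
```

Reading the two values together matters: an override bit that is set without the matching mask bit has no effect, so a fleet inventory that records only FeatureSettingsOverride will misreport machines. Pairing the registry read with the SpeculationControl output shows both halves of the "symbiotic" mitigation the source describes, the OS policy and the microcode capability, on the same host.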
Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., told SearchSecurity that Intel "isn't helping anyone by not publishing this information, but the lack of the data won't change how we action the vulnerabilities," and added that it is "exceedingly odd for a software company to disable a patch from a hardware vendor."
Microsoft claimed in its advisory that "as of January 25, there are no known reports to indicate that this Spectre variant 2 has been used to attack customers," but Williams said it may not be possible to fully confirm that claim.
"Detecting a Meltdown or Spectre attack is exceedingly difficult. While there is some interesting research on novel methods to detect the attacks, nobody is instrumented for these detections," Williams said. "It is true that we haven't seen any attacks in the wild, but I'm near 100% certain that they are happening."
Jeff Williams, co-founder and CTO at Contrast Security, said the infosec community shouldn't assume that "any vulnerability means negligence."
"These attacks are truly novel and tricky to fix. We wouldn't like it if companies engineered everything like NASA -- it would take decades, cost many times more and execute slowly," Williams told SearchSecurity. "We are all complicit. We have all reaped the benefits of an ecosystem that prioritizes speed to market over security. So instead of throwing bombs, how about we encourage collaboration and openness around the best ways to solve this new attack."