January 29, 2018 // 11:06 a.m.
Microsoft released an emergency out-of-band update for its supported Windows platforms this weekend, but to remove rather than add a new security feature: Intel's faulty microcode update, designed to address the Spectre security vulnerability.
Following the admission that its security-related microcode update was causing random system instability and reboots, initially believed to be limited to previous-generation Broadwell and Haswell components but later verified as affecting all Intel x86 parts, Intel was forced to warn users and vendors against using the microcode update at all.
While the faulty patch had previously been removed from the majority of Linux distributions' update repositories ahead of Intel's public warning, Microsoft's Windows platform continued to download and install the faulty microcode update - until an emergency out-of-band release this weekend. Windows Update KB4078130, released for all supported versions of Microsoft's operating system, disables the Intel microcode update - leaving systems vulnerable to attack through the Spectre vulnerability in their processors but more reliable than if the protection were in place.
The latest update doesn't remove all the protections, however. 'While Intel tests, updates and deploys new microcode, we are making available an out of band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – "Branch target injection vulnerability,"' Microsoft explains in its security notice, meaning that the protections against the second Spectre variant and the related Meltdown security vulnerability will remain in-place and active. 'In our testing this update has been found to prevent the behaviour described [by Intel in its advisory against installing the microcode update].'
The company's notification also includes instructions on manually enabling the Spectre Variant 2 microcode update via the Windows Registry, allowing those who would accept increased system instability over the risk of attack. Intel, meanwhile, is still silent on when it plans to release an fixed microcode patch, having previously announced it had tracked down the root cause of the reboot bug.