Last week, Intel confirmed what many PC users had suspected: Its first firmware patch for the recently revealed Spectre and Meltdown vulnerabilities was so buggy that PC makers stopped deploying it. And over the weekend, Microsoft stepped in too, issuing a software update for Windows users that reverses the Intel-created patch.
Right. It’s a fix for a fix.
“We have received reports from a few customers of higher system reboots after applying firmware updates,” an Intel advisory notes. “Specifically, these systems are running Intel Broadwell and Haswell CPUs for both client and data center. We are working quickly with these customers to understand, diagnose and address this reboot issue. If this requires a revised firmware update from Intel, we will distribute that update through the normal channels. We are also working directly with data center customers to discuss the issue.”
I’m reasonably sure that I’ve experienced problems from this patch: My HP desktop PC, which did get a BIOS firmware update in the wake of Spectre and Meltdown, no longer reboots properly. But the HP Spectre 13 laptop that I’m currently reviewing never received this update: HP has halted it, and the firm is waiting for a more reliable version.
I’m not aware of any PC makers that are actively patching the errant fix. And I’d imagine that many are simply waiting for the improved version from Intel so that they can deploy that to their customers.
But Microsoft isn’t waiting. Over the weekend, it issued an out-of-band security update to address this problem.
“Our own experience is that system instability [caused by the Intel patch] can in some circumstances cause data loss or corruption,” a Microsoft support note explains. “We understand that Intel is continuing to investigate the potential impact of the current microcode version … While Intel tests, updates and deploys new microcode, we are making available an out of band update that specifically disables only the mitigation against Spectre variant 2 [which is the buggy patch].”
The update was made available to those who had installed the Intel patch on Windows 7 (Service Pack 1 or higher), Windows 8.1, and Windows 10 (all versions), on both client and server. You can also install it manually from the Microsoft Update Catalog, which ironically is styled like Windows XP. Microsoft also provides a manual workaround for those who wish to tackle this problem themselves: Check out the support note for details.
“There are no known reports to indicate that this Spectre variant 2 (CVE 2017-5715) has been used to attack customers,” Microsoft concludes. “We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.”
I’m sure the next Intel patch will work great. Cough.