Over the weekend Microsoft rolled out out-of-band updates to disable mitigations for Spectre v2 attacks

Over the weekend, Microsoft rolled out out-of-band updates to disable mitigations for one of the Spectre attack variants because they can cause systems to become unstable.

The situation is becoming embarrassing! Just after the release of the Meltdown and Spectre security updates Intel excluded any problems for their deployments citing testing activities of conducted by other tech giants.

At the same time, some companies were claiming severe issued, including performance degradation and in some cases crashes.

Last week, Intel changed its position on the security patches, it first published the results of the test conducted on the Meltdown and Spectre patches and confirmed that the impact on performance could be serious, then it recommended to stop deploying the current versions of Spectre/Meltdown patches.

Over the weekend, Microsoft rolled out out-of-band updates to disable mitigations for one of the Spectre attack variants because they can cause systems to become unstable.

Our own experience is that system instability can in some circumstances cause data loss or corruption.” states the security advisory published by Microsoft.

While Intel tests, updates and deploys new microcode, we are making available an out of band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.” In our testing this update has been found to prevent the behavior described.” 

Microsoft was among the first companies that provided security updates for Meltdown and Spectre vulnerabilities, anyway, the patches caused severe issues to AMD architectures.

The decision follows the similar actions adopted by other tech giants like Red HatHP, Dell, Lenovo, VMware.

Microsoft and the companies above observed problems after the installation of the Spectre vulnerability (Variant 2, aka CVE-2017-5715, that is a branch target injection vulnerability) for this reason opted to revert previous patches.

While the Meltdown and Variant 1 of the Spectre attacks can be mitigated efficiently with software updates, the Spectre Variant 2 requires microcode updates to be fully addressed.

Intel published a technical note about the mitigation of the Spectre flaw, it addressed the issue with an opt-in flag dubbed IBRS_ALL bit (IBRS states for Indirect Branch Restricted Speculation).

The famous Linus Torvalds expressed in an email to the Linux Kernel mailing list his disappointment, he defined the Linux Spectre Patches “UTTER GARBAGE”

 

Spectre patches

Microsoft confirmed that the patches issued by Intel cause system instability and can in some cases lead to data loss or corruption, for this reason, the company distributed over the weekend the Update KB4078130 for Windows 7, Windows 8.1 and Windows 10 that disables the mitigation for CVE-2017-5715.

The company has also provided detailed instructions for manually enable and disable Spectre Variant 2 mitigations through registry settings.

Microsoft said it is not aware of any attack in the wild that exploited the Spectre variant 2 (CVE 2017-5715 ).

“As of January 25, there are no known reports to indicate that this Spectre variant 2 (CVE 2017-5715 ) has been used to attack customers. We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device,” continues the advisory.

 


Pierluigi Paganini

(Security Affairs – CVE-2017-5715, Spectre)



The post Over the weekend Microsoft rolled out out-of-band updates to disable mitigations for Spectre v2 attacks appeared first on Security Affairs.



Leave a Reply