It is time to mitigate a mitigation. That is exactly what Microsoft did this weekend as it disabled mitigations for one of the Spectre attack variants because the fix can be worse than the original issue.
The fix could cause systems to become unstable.
As it turns out, the fixes rushed out to mitigate the Spectre and Meltdown issues had problems of their own, often making systems unbootable or causing them to reboot more frequently.
Intel suspended its patches until the issue is resolved and advised customers to stop deploying the updates.
HP, Dell, Lenovo, VMware, Red Hat and others paused the patches and now Microsoft has done the same.
The problem appears to be related to CVE-2017-5715, which has been described as a “branch target injection vulnerability.” This is one of the flaws that allows Spectre attacks, specifically Spectre Variant 2 attacks.
Microsoft said Intel’s patches cause system instability and can in some cases lead to data loss or corruption. Update KB4078130, released by the company over the weekend for Windows 7, Windows 8.1 and Windows 10 for clients and servers, disables the mitigation for CVE-2017-5715.
The company also provided instructions for advanced users on how to manually enable and disable Spectre Variant 2 mitigations through registry settings.
“As of January 25, there are no known reports to indicate that this Spectre variant 2 (CVE 2017-5715) has been used to attack customers. We recommend Windows customers, when appropriate, re-enable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device,” Microsoft said in its advisory.
Microsoft quickly released mitigations for Meltdown and Spectre after the attack methods were disclosed, but the company’s own updates were also buggy. Shortly after it had started rolling them out, Microsoft was forced to suspend patches for devices with AMD processors due to instability issues.
The Spectre and Meltdown vulnerabilities allow malicious applications to bypass memory isolation mechanisms and access sensitive data. The Meltdown attack relies on one vulnerability, tracked as CVE-2017-5754, while the Spectre attack has two main variants: CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2).
Meltdown and Variant 1 of Spectre can be patched efficiently with software updates, but Spectre Variant 2 requires microcode updates for a complete fix.