Newsletter Archives

  • Intel releases more Meltdown/Spectre firmware fixes, while Microsoft unveils a new Surface Pro 3 firmware fix that doesn’t exist

    You’d have to be incredibly trusting — of both Microsoft and Intel — to manually install any Surface firmware patch at this point. Particularly when you realize that not one single Meltdown or Spectre-related exploit is in the wild. Not one.

    Computerworld Woody on Windows.

  • Yet another surprise patch, KB 4078130, for all versions of Windows, disables part of the Meltdown/Spectre patches

    Follow-up article in Computerworld Woody on Windows.

    More fun ‘n games.

    Last night, Microsoft released KB 4078130, which is specifically designed to turn off the Intel-identified buggy code in the Meltdown/Spectre patches. Sayeth Microsoft:

    ‘Intel has reported issues with recently released microcode meant to address Spectre variant 2 (CVE 2017-5715 Branch Target Injection) – specifically Intel noted that this microcode can cause “higher than expected reboots and other unpredictable system behavior” and then noted that situations like this may result in “data loss or corruption.” Our own experience is that system instability can in some circumstances cause data loss or corruption.

    While Intel tests, updates and deploys new microcode, we are making available an out of band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.” In our testing this update has been found to prevent the behavior described.’

    The patch is only available from the Update Catalog, and it’s the same patch for all versions of Windows.

    @MrBrian has taken a look and confirms:

    This update indeed does set the registry values… documented weeks ago to disable CVE 2017-5715 mitigation in Windows.. This update doesn’t appear in the list of installed updates. This update needs admin privileges to function properly.

    If you’ve avoided this month’s Meltdown/Spectre patches, there’s nothing you have to do. On the other hand, if you jumped into the trenches, this one might keep you from losing some data.

    Microsoft goes on to say:

    As of January 25, there are no known reports to indicate that this Spectre variant 2 (CVE 2017-5715) has been used to attack customers. We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.

    It’s highly likely that when Intel gives the all-clear for Spectre variant 2, it’ll be part of yet another patch.

    Moral of the story: Wait.