Microsoft has rushed out a system update that will disable the sloppy mitigation patch deployed earlier by Intel for Spectre vulnerabilities detected on Windows systems.
Update KB4078130 was delivered in haste to reverse the system instability that Intel's patch for Spectre variant 2 (CVE-2017-5715, Branch Target Injection) could cause. Since withdrawing the patch, the chipmaker has belatedly admitted that PCs that install it could become less stable.
"Our own experience is that system instability can in some circumstances cause data loss or corruption ... We understand that Intel is continuing to investigate the potential impact of the current microcode version and encourage customers to review their guidance on an ongoing basis to inform their decisions," Microsoft said in the note that accompanied the hastily deployed update.
The company said the system update would apply to all supported OS versions - Windows 7, Windows 8.1, and Windows 10.
The Windows-maker also assured users that as of Jan. 25, there are no indications that the Spectre variant 2 patch has been weaponized for potential hacking attacks.
Security Concerns
As stated by Microsoft, the update will deactivate the mitigation against CVE-2017-5715, and the inevitable result is some form of vulnerability. For the moment, the company said, the update is a compromise that lets users retain a better performance level, which is crucial for enterprise users.
There might be a chance, however, that the issue will be corrected on specific system models. In such a case, restoring the Spectre variant 2 patch will be the safe thing to do.
"We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device," Microsoft advised.
For the majority of Windows users, though, installing KB4078130 is the best course available at the moment. For users who require reliability more than anything, security can take a back seat for now. Microsoft continues to monitor the situation, and, so far, exploits based on Intel's Spectre patch do not exist.
Transparency Demanded
Notwithstanding the availability of immediate solutions to Spectre and Meltdown, security experts have criticized what they termed a mishandling of the whole affair. Jonathan Corbet, a Linux Foundation technical advisory board member, claimed that important details on the subject have been deliberately suppressed, which prevented the revelation of the whole story.
The foundation said that had any of the parties observed some amount of transparency about the security issue, corrective and preventive measures would have been better implemented, and that this case should help the industry find a better way of dealing with similar vulnerabilities in the future.