Microsoft releases update to reverse problematic Spectre patch
What a mess this is becoming. Over the weekend Microsoft released an update outside of its usual monthly schedule; end users who experience restart/reboot problems can now disable the problematic Spectre patch.
Microsoft: Update to Disable Mitigation against Spectre, Variant 2
Summary
Intel has reported issues with recently released microcode meant to address Spectre variant 2 (CVE 2017-5715 Branch Target Injection) – specifically Intel noted that this microcode can cause “higher than expected reboots and other unpredictable system behavior” and then noted that situations like this may result in “data loss or corruption.” Our own experience is that system instability can in some circumstances cause data loss or corruption. On January 22nd Intel recommended that customers stop deploying the current microcode version on impacted processors while they perform additional testing on the updated solution. We understand that Intel is continuing to investigate the potential impact of the current microcode version and encourage customers to review their guidance on an ongoing basis to inform their decisions.
While Intel tests, updates and deploys new microcode, we are making available an out of band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.” In our testing this update has been found to prevent the behavior described. For the full list of devices, see Intel’s microcode revision guidance. This update covers Windows 7 (SP1), Windows 8.1, and all versions of Windows 10, for client and server. If you are running an impacted device, this update can be applied by downloading it from the Microsoft Update Catalog website. Application of this payload specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.”
We are also offering a new option – available for advanced users on impacted devices – to manually disable and enable the mitigation against Spectre Variant 2 (CVE 2017-5715) independently via registry setting changes. The instructions for the registry key settings can be found in the following two Knowledge Base articles:
As of January 25, there are no known reports to indicate that this Spectre variant 2 (CVE 2017-5715) has been used to attack customers. We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.
Senior Member
Posts: 3669
Joined: 2011-11-24
Meanwhile, it seems Linux has opted to mitigate Spectre v2 at the compiler level ("retpoline") and not use the microcode, calling Intel's microcode "crap."
On my system:
$ cat /sys/devices/system/cpu/vulnerabilities/meltdown
Mitigation: PTI
$ cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
Mitigation: Full generic retpoline
(There's no mitigation for v1 by anyone yet.)
AFAICT from the LKML posts, the retpoline method is actually faster than using the microcode. Although it gets a bit confusing for non-kernel people like me to interpret the posts, so I could be wrong.
Member
Posts: 65
Joined: 2013-04-20
My system is behaving erratically so I downloaded the KB4078130 update. It appears to be a small 25 kB executable. When opening it does absolutely nothing. There is no installer popping up or something. Is this normal? How to install it properly?
Senior Member
Posts: 1780
Joined: 2014-08-15
Enable and disable Spectre Variant 2 mitigation manually
Microsoft also provides the following registry settings for users who want to enable or disable the Spectre Variant 2 without deploying KB4078130 on their systems:
To enable Variant 2: CVE 2017-5715 "Branch Target Injection":
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 1 /f
To disable Variant 2: CVE 2017-5715 "Branch Target Injection":
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 1 /f
KB4078130 isn’t shipped via Windows Update, and can only be downloaded for Windows 7, 8.1, and 10 from the Update Catalog here.
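A read-only check of the two registry values named in the post above, useful for finding machines where the Variant 2 mitigation was switched off and never re-enabled. This is an added example, not Microsoft's or the poster's code; the function names and state labels are hypothetical, and the script only recognises the two value pairs listed in the post, reporting anything else as such.

```powershell
# Added example (not from the original post): read-only audit, changes nothing.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-SpectreV2OverrideState {
    # Hypothetical helper: maps the two DWORDs to the pairs listed in the post.
    param($Override, $Mask)
    if ($null -eq $Override -and $null -eq $Mask) { return 'NotConfigured' }
    if ($null -eq $Override -or  $null -eq $Mask) { return 'Incomplete' }
    if ($Mask -eq 1 -and $Override -eq 0) { return 'MitigationEnabled' }
    if ($Mask -eq 1 -and $Override -eq 1) { return 'MitigationDisabled' }
    return 'OtherCombination'   # not one of the two pairs given in the post
}

function Read-RegistryDword {
    # Returns $null when the value is absent instead of raising an error.
    param([string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Constructed self-check of the classification (sample values, not real hosts).
$cases = @(
    @{ O = 0;     M = 1;     Want = 'MitigationEnabled'  },
    @{ O = 1;     M = 1;     Want = 'MitigationDisabled' },
    @{ O = $null; M = $null; Want = 'NotConfigured'      },
    @{ O = 1;     M = $null; Want = 'Incomplete'         }
)
foreach ($c in $cases) {
    $got = Get-SpectreV2OverrideState -Override $c.O -Mask $c.M
    if ($got -ne $c.Want) { throw "self-check failed: expected $($c.Want), got $got" }
}

# Live read of this machine's values.
$override = Read-RegistryDword -Name 'FeatureSettingsOverride'
$mask     = Read-RegistryDword -Name 'FeatureSettingsOverrideMask'
$state    = Get-SpectreV2OverrideState -Override $override -Mask $mask

[pscustomobject]@{
    Computer                    = $env:COMPUTERNAME
    FeatureSettingsOverride     = $override
    FeatureSettingsOverrideMask = $mask
    State                       = $state
}

if ($state -eq 'MitigationDisabled') {
    Write-Warning 'Spectre Variant 2 mitigation is disabled by registry override; re-enable once the microcode issue is resolved for this device.'
}
```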
Senior Member
Posts: 2266
Joined: 2015-06-11
Good.
Hopefully Microsoft is going to use the "retpoline" solution.
Senior Member
Posts: 8185
Joined: 2010-11-16
Quick recap:
Protection Class (1) - Subsequently Microcode Update Fixed Processors
A microcode update is applied, which brings new CPU commands, which provide extensive Spectre protection (Meltdown is rendered harmless by means of an operating system update). The same costs a bit of performance (supposedly more with older CPUs than with newer ones), but can be made available in a relatively short time by the CPU developers and motherboard manufacturers. As a disadvantage, many older CPUs (despite the technical possibility) no longer receive such a fix because their support has been discontinued.
Protection class (2) - Factory-fixed by microcode update Processors
Here again, a microcode update is scheduled, which brings new CPU commands, which provide extensive Spectre protection (Meltdown is thereby harmless by means of an operating system update). The same costs a bit of performance (supposedly less on older processors than on older ones) and is mostly already in the delivery state, which is why the CPU manufacturers then talk about "Meltdown / Spectre-free processors", although there have actually been no changes at the real hardware level. But this method can be applied to every newly emerging CPU generation and will probably be realized in the same way for all upcoming CPUs.
Protection class (3) - Meltdown / Spectre-free CPU architectures