Slashdot Mirror
Microsoft Issues Windows Out-of-Band Update That Disables Spectre Mitigations (bleepingcomputer.com)
An anonymous reader quotes BleepingComputer: Microsoft has issued on Saturday an emergency out-of-band Windows update that disables patches for the Spectre Variant 2 bug (CVE-2017-5715). The update -- KB4078130 -- targets Windows 7 (SP1), Windows 8.1, all versions of Windows 10, and all supported Windows Server distributions. Microsoft shipped mitigations for the Meltdown and Spectre bugs on January 3. The company said it decided to disable mitigations for the Spectre Variant 2 bug after Intel publicly admitted that the microcode updates it developed for this bug caused "higher than expected reboots and other unpredictable system behavior" that led to "data loss or corruption."
HP, Dell, and Red Hat took previous steps during the past week.
"We are also offering a new option -- available for advanced users on impacted devices -- to manually disable and enable the mitigation against Spectre Variant 2 (CVE 2017-5715) independently via registry setting changes..." Microsoft writes.
"We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device. "
HP, Dell, and Red Hat took previous steps during the past week.
"We are also offering a new option -- available for advanced users on impacted devices -- to manually disable and enable the mitigation against Spectre Variant 2 (CVE 2017-5715) independently via registry setting changes..." Microsoft writes.
"We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device. "
I tend to agree. Meltdown had an obvious path to exploit -- run an unauthorized branch of code to access something one shouldn't, then make sure another bit of code read that unauthorized data before it was flagged and wiped. Spectre.... it's just snooping on random processes hoping to find something interesting at the same user-level access.
In a jewelry store theft comparison:
Meltdown -- walk in as a celebrity, ask the jeweler if you can view a specific priceless ring that only celebrities could afford, and then you bolt for the door as soon as the ring is on your finger. You got exactly what you wanted.
Spectre -- walk in, try to grab any ring an average customer is presently inspecting... assuming there are any customers and any of them are viewing any rings during your visit. You have no idea what you're going to get, if anything.... but whatever you DO get, it won't be the specific ring in Meltdown you could have gotten.