The last few weeks have been rough for technology manufacturers and users alike, with the Meltdown and Spectre exploits making headlines and requiring fixes that can slow down our gadgets. Intel issued microcode fixes for its own CPUs meant to address the issue and then quickly retracted them due to system reboots and instability. Now, Microsoft has concluded that fixes meant to address the Spectre Variant 2 exploit are bad enough to cause data loss, and its issued its own fix.
For now, this fix comes via a support bulletin that it issued the following statement:
“Intel has reported issues with recently released microcode meant to address Spectre Variant 2 (CVE 2017-5715 Branch Target Injection) — specifically Intel noted that this microcode can cause “higher than expected reboots and other unpredictable system behavior” and then noted that situations like this may result in “data loss or corruption.” Our own experience is that system instability can in some circumstances cause data loss or corruption. On January 22, Intel recommended that customers stop deploying the current microcode version on impacted processors while they perform additional testing on the updated solution. We understand that Intel is continuing to investigate the potential impact of the current microcode version and encourage customers to review their guidance on an ongoing basis to inform their decisions.”
Microsoft’s response, for now at least, is to simply turn off the mitigation against Spectre Variant 2. It provided an update that users can run at the Microsoft Update Catalog site, along with steps to manually disable and enable the mitigation by modifying the registry. The registry is a finicky thing, though, and so be careful if you choose the latter route.
While it’s usually a bad idea to turn off security measures meant to protect against known exploits, in this case, the damage that Intel’s bad microcode can cause clearly outweighs what Microsoft considers to be a negligible potential for harm. According to the company, there have been no known attacks based on Spectre Variant 2, at least as of Thursday, January 25.
Microsoft will likely issue a more widely available update once its official Patch Tuesday update rolls around next month. This emergency out-of-band update might be worth running in the meantime, though, particularly if any of your PCs have been acting a bit crazy since being updated with the Spectre fixes.