Microsoft Disables Spectre Variant 2 Patch Via Unscheduled Update

Microsoft pushed an unscheduled update to its Windows customers that disables the patch that was supposed to mitigate the Spectre variant 2 (CVE-2017-5715, Branch Target Injection) CPU flaw.

Intel’s “Garbage” Patches

Although Intel was in a hurry to deliver its patches to “90% of Intel CPUs introduced in the past five years,” Linus Torvalds, the creator and principal developer of the Linux kernel, recently called the company’s patches “complete and utter garbage” because they were doing things that were “not sane.”

At least some of that criticism seems to have been validated, as Intel started pulling its Spectre v2 microcode patches last week because they were causing “higher than expected reboots and other unpredictable system behavior” on users’ machines.

Microsoft Disables Its Own Spectre V2 Patch

Now Microsoft is following suit and has issued an unscheduled update (KB4078130) that disables the OS-level patch that was supposed to work with Intel’s microcode update to mitigate Spectre v2. In Microsoft’s testing, this new update should fix the reboot issues for users, but for the moment it also means that these users will remain vulnerable to Spectre v2.

Microsoft’s update covers Windows 7 (SP1), Windows 8.1, and all versions of Windows 10, for client and server. If you’re using Windows 7, you will need to download the new update from Microsoft’s Update Catalog website (which doesn't seem to work with Chrome or Firefox) as Microsoft stopped delivering automatic updates to Windows 7 a while ago. Users of Windows 8.1 and later will receive the update via the automatic update system.

Microsoft is also offering users a way to manually disable the previous error-causing Spectre patch via registry settings, found in the following two Knowledge Base articles:

The company added that so far there have been no reports of attacks exploiting the Spectre v2 CPU flaw, but it recommends that customers re-enable the mitigation when Intel reports that the rebooting issues have been solved for their particular devices.

This thread is closed for comments
  • tpi2007
    The Update Catalog website works fine with Chrome and Firefox; Microsoft fixed that problem months ago (it used to rely on ActiveX); please fix that part of the story.

    Also, Windows 7 gets automatic updates until January 2020, so I don't understand what you're trying to say regarding that. It got the out of schedule original Meltdown / Spectre patch just fine earlier this month.

    Edit: What you probably should say is that this update, KB4078130, is optional and does not apply to all machines since not all machines are fully protected against Spectre Variant 2 yet as Intel has only provided microcode updates for CPUs released in the past 5 years (people in that situation should update their web browsers as those contain mitigations for the vulnerability) and even for those machines, not all are experiencing problems, and thus it won't appear on Windows Update since it's an out-of-band update for those that need it. You can also disable such protection in the registry if it's giving you trouble.
  • ThatTechieGuy
    What a cluster**** Best bet is to wait until the dust settles and the vendors get their heads out their you know what
  • RCaron

    I find your comment funny because Windows update hasn't worked for my Windows 7 system for the last 2 years.. and only magically started working again in January.. most likely because of Spectre and Meltdown.

    There are plenty of articles on Windows 7 and unable to run Windows update thanks to .. bugs with Microsoft or intentional loss of service.