Microsoft Disables Spectre Variant 2 Patch Via Unscheduled Update

By Lucian Armasu
published

Microsoft pushed an unscheduled update to its Windows customers that will disable the patch that was supposed to mitigate the Spectre variant 2 (CVE 2017-5715 Branch Target Injection) CPU flaw.

Intel’s “Garbage” Patches

Although Intel was in a hurry to deliver its patches to “90% of Intel CPUs introduced in the past five years,” Linus Torvalds, the creator and principal developer of the Linux kernel, recently called the company’s patches “complete and utter garbage.” because they were doing things that were "not sane."

At least some of that criticism seems to have been validated, as Intel started pulling its Spectre v2 microcode patches last week because it was causing “higher than expected reboots and other unpredictable system behavior” on users’ machines.

Microsoft Disables Its Own Spectre V2 Patch

Now Microsoft is following suit and has issued an unscheduled update (KB4078130) that disables the OS-level patch that was supposed to work with Intel’s microcode update to mitigate Spectre v2. In Microsoft’s testing, this new update should fix the reboot issues for users, but for moment it also means that these users will remain vulnerable to Spectre v2.

Microsoft’s update covers Windows 7 (SP1), Windows 8.1, and all versions of Windows 10, for client and server. If you’re using Windows 7, you will need to download the new update from Microsoft’s Update Catalog website (which doesn't seem to work with Chrome or Firefox) as Microsoft stopped delivering automatic updates to Windows 7 a while ago. Users of Windows 8.1 and later will receive the update via the automatic update system.

Microsoft is also offering users a way to manually disable the previous error-causing Spectre patch via registry settings, found in the following two Knowledge Base articles:

The company added that so far there have been no reports of attacks exploiting the Spectre v2 CPU flaw, but it recommends its customers to re-enable the mitigation when Intel reports that the rebooting issues have been solved for your particular devices.

Lucian Armasu
Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
11 Comments Comment from the forums
  • tpi2007
    The Update Catalog website works fine with Chrome and Firefox; Microsoft has fixed that problem months ago (it used to rely on ActiveX); please fix that part of the story.

    Also, Windows 7 gets automatic updates until January 2020, so I don't understand what you're trying to say regarding that. It got the out of schedule original Meltdown / Spectre patch just fine earlier this month.

    Edit: What you probably should say is that this update, KB4078130, is optional and does not apply to all machines since not all machines are fully protected against Spectre Variant 2 yet as Intel has only provided microcode updates for CPUs released in the past 5 years (people in that situation should update their web browsers as those contain mitigations for the vulnerability) and even for those machines, not all are experiencing problems, and thus it won't appear on Windows Update since it's an out-of-band update for those that need it. You can also disable such protection in the registry if it's giving you trouble.
    Reply
  • ThatTechieGuy
    What a cluster**** Best bet is to wait until the dust settles and the vendors get their heads out their you know what
    Reply
  • RCaron
    @TPI2007

    I find your comment funny because Windows update hasn't worked for my Windows 7 system for the last 2 years.. and only magically started working again in January.. most likely because of Spectre and Meltdown.

    There are plenty of articles on Windows 7 and unable to run Windows update thanks to .. bugs with Microsoft or intentional loss of service.
    Reply
  • tpi2007
    @RCaron, yes, that is true, Windows Update on Windows 7 has been borked on several occasions in the past few years, the latest one being in November / December 2017.

    One solution that works for many people is to type services.msc on the Start menu, click on it, then right-click on the Windows Update service and Stop it. Next, go to the Windows folder and look for the "SoftwareDistribution" folder and rename it (something like "SoftwareDistribution.old" does the trick). Next, go back to the services.msc and Start the Windows Update service. Then go to Windows Update and manually check for updates. New updates should appear. That solved it for many people. It will probably take a while for it to deliver results as it will have to check the system for all the updates present in order to know what is missing.

    The only downside besides that is that it will reset the counter on the last time you installed updates and empty the list "View update history". Having said that, all the installed updates prior to that are still installed, they are just not listed on that list. You can still view them by going to the Control Panel -> Uninstall a program and click on the link on the left that reads "View Installed Updates" (where you also get to uninstall them).
    Reply
  • larkspur
    I've had the same Win 7 pro installed on my main system since 2009 (never reinstalled, never needed to). Still just as snappy as it was when new. Update has worked fine for that entire time and still works. I have always had it set to "Notify me if updates are available but let me choose to download and install them." I also have an old 2010 laptop that runs Win 7 home and update works fine on that machine also. Strange to hear that others are having to update manually...
    Reply
  • derekullo
    20647861 said:
    I've had the same Win 7 pro installed on my main system since 2009 (never reinstalled, never needed to). Still just as snappy as it was when new. Update has worked fine for that entire time and still works. I have always had it set to "Notify me if updates are available but let me choose to download and install them." I also have an old 2010 laptop that runs Win 7 home and update works fine on that machine also. Strange to hear that others are having to update manually...

    Two computers doesn't represent the entire desktop, server and laptop communities.
    Reply
  • Ninevah
    This article is a little misleading. It seems to put the blame on Microsoft for issues with these updates, while Microsoft's article indicates that these changes are in response to Intel pulling its microcode, not because the OS patches were bad.
    Reply
  • derekullo
    To be fair, Microsoft wouldn't have had to release a patch if Intel had not "misjudged" its CPU design in the first place.

    It's like blaming the painter for your building not being built to code.
    Reply
  • lsatenstein
    Intel is in panic. Here we have Ryzen that is clean for the major bug, and also has a clean patch for the minor one.
    Intel has a huge world of systems out there, and therefore, they rushed to protect that base.
    They did not test adequately, and probably did not think that they needed to test older cpus.

    Ergo, they have egg on their face. And they rightly deserve it. Act professional, do adequate r&d and testing. Ask for beta testers first.
    Reply
  • larkspur
    20648012 said:
    Two computers doesn't represent the entire desktop, server and laptop communities.
    Hahaha, of course it doesn't! But Lucian wrote, "If you’re using Windows 7, you will need to download the new update from Microsoft’s Update Catalog website (which doesn't seem to work with Chrome or Firefox) as Microsoft stopped delivering automatic updates to Windows 7 a while ago." I find that very strange since I have been receiving updates through Windows update without any trouble. In other words, he is wrong or at least not being clear. They did stop releasing feature updates. But security updates continue into 2020. And I've definitely been getting them. Therefore, Microsoft most certainly does deliver automatic updates to Windows 7 machines. Maybe not all machines are getting them for some strange reason. But trust me, they certainly aren't making a special exception for silly old me :)
    Reply