Microsoft on Monday issued an emergency Windows update that disables Intel's Spectre update, which by the chip-maker's own admission is buggy.
Intel told customers last week not to implement its patches after reports that they prompted computers to reboot spontaneously.
“While Intel tests, updates and deploys new microcode, we are making available an out-of-band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – ‘Branch target injection vulnerability,’” Microsoft said. “In our testing, this update has been found to prevent the described behavior in devices that have affected microcode.”
The company also offered advanced users who have affected devices an option “to manually disable and enable the mitigation against Spectre Variant 2 (CVE 2017-5715) independently through registry setting changes,” Microsoft said.
“I know patching and repatching is a pain for organizations. And I'm not saying that Intel is blameless here, but people always jump to the conclusion that any vulnerability means negligence,” said Jeff Williams, co-founder and CTO at Contrast Security. “But these attacks are truly novel and tricky to fix.”
Noting that consumers want faster technology quickly, Williams said, “We wouldn't like it if companies engineered everything like NASA – it would take decades, cost many times more, and execute slowly.”
He said the industry “are all complicit. We have all reaped the benefits of an ecosystem that prioritizes speed to market over security.”
But “instead of throwing bombs,” Williams said, “how about we encourage collaboration and openness around the best ways to solve this new attack.”