Intel's first attempt at mitigating two major vulnerabilities in its microprocessors led to PC reboot and behavior problems, so Microsoft has come out with Windows patches to fix Intel's fixes.
Microsoft's updates are aimed at Windows Server users as well as consumers with Windows 7, 8.1 and 10. Designed to prevent problems related to Intel's flawed patches for the Spectre vulnerability, the Microsoft fixes must be downloaded manually from the company's Windows Update catalog. They do not apply to Meltdown, the other major Intel chip bug.
Following reports of issues with its initial fixes, Intel last week advised hardware and software vendors and partners to stop rolling out those patches to customers. Microsoft's patches are designed to resolve problems in machines that have already received the Intel patch and to prevent unpatched devices from installing Intel's patch.
While year-end financial results released last week show Intel enjoyed record earnings in 2017, the company could yet see long-term fallout from the Spectre and Meltdown hardware bugs. Further fallout could also come from reports that Intel CEO Brian Krzanich sold millions of dollars' worth of personal stock before the public was made aware of the vulnerabilities, and that Intel notified a select group of customers, including Chinese tech firms, about the bugs before informing U.S. officials.
Software and Firmware Updates Required
Upon announcing its patches on Friday and Saturday, Microsoft said affected customers will also need to deploy processor microcode, or firmware, updates through their device manufacturers. Microsoft added that it was also working on mitigations to prevent Intel-related problems with its Internet Explorer and Edge Web browsers.
"While Intel tests, updates, and deploys new microcode, we are making available an out of band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 -- 'Branch target injection vulnerability,'" Microsoft said in its patch announcement. "In our testing, this update has been found to prevent the behavior described."
Intel's initial patch for Spectre was found to cause unexpected reboots and "other unpredictable system behavior" in some devices, which could also lead to corruption or loss of data.
Intel is "working around the clock to ensure we are addressing these issues," Navin Shenoy, executive vice president and general manager of Intel's Data Center Group, said in an update last week.
Questions about Who Intel Notified of Bugs
In other developments related to Spectre and Meltdown, which also affect many CPUs made by ARM and AMD, The Wall Street Journal reported yesterday that Intel's initial disclosures about the vulnerabilities were made to "a small group of customers, including Chinese technology companies, but left out the U.S. government."
Even before that news emerged, Intel and other technology companies were already under scrutiny for working quietly behind the scenes to resolve the chip-level flaws without notifying the public. On Wednesday, members of the U.S. House Energy and Commerce Committee sent letters to Intel, Amazon, AMD, ARM, Apple, Google, and Microsoft expressing concern about "the information embargo instituted by the limited number of companies originally informed about the vulnerabilities in June 2017."
Several different groups of independent researchers discovered Spectre and Meltdown last year, but their work was not publicly disclosed until earlier this month. However, there is no evidence to date that either vulnerability has been exploited by hackers in the wild, according to Intel, Microsoft, and other companies.