Microsoft Offers Resources To Block Flawed Intel Firmware Updates

Microsoft on Friday published a software update and guidance on how to block Intel's flawed firmware updates, which were intended to mitigate Spectre variant 2 attacks.

At issue is a broad security problem affecting most CPUs, generally known as the "Meltdown" and "Spectre" attack methods. No known attacks using those techniques have been publicized yet, but the flaws were openly documented by researchers, so systems are thought to be vulnerable. Industry has generally responded to the potential threats by issuing both operating system patches (for instance, from Microsoft and Apple) and CPU firmware updates (also known as "microcode") from chipmakers Intel, AMD and ARM.

Intel admitted last week that firmware updates it released for its Broadwell and Haswell processors to block these types of attacks were causing reboot issues for some users. It suggested that its OEM partners should stop issuing these flawed updates and wait for new updates from Intel.

A description of which Intel processors were issued the potentially flawed microcode is available in Intel's Microcode Revision List document. Not all Intel Broadwell processors were issued the revised microcode. Intel had previously said that other processors were affected by the reboot problems, too, namely "Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms." When asked about those processors last week, an Intel spokesperson indicated that Intel was prioritizing its Broadwell and Haswell fixes with OEMs first.

Late last week, Microsoft issued Knowledge Base article KB4078130 to give organizations some tools to block the flawed Intel firmware updates from arriving. One of the tools is a standalone out-of-band update (KB4078130) that's available for download from the Microsoft Update Catalog; it is not pushed automatically, so users wanting it have to go and get it. This update for Intel-based systems will disable the "mitigation against CVE-2017-5715 -- 'Branch target injection vulnerability,'" which is the Spectre variant 2 attack method. The update addresses the reboot issue apparently by blocking the fix.

For "advanced users," Microsoft is also offering manual workarounds via registry edits, namely:

Those workarounds disable the Spectre variant 2 attack mitigations for Intel systems. The idea is to disable the mitigations until Intel delivers the fixed microcode. At that time, users presumably would have to remove the blocks they had set, perhaps by uninstalling KB4078130 or undoing registry edits.

Update 1/30: A Microsoft spokesperson clarified that if KB4078130 gets installed, then organizations wanting to get the updated microcode from Intel when it's ready will have to make a registry change. Here's how the spokesperson described it:

For clarification, KB4078130 will not have to be uninstalled. It simply automated the manual steps outlined in Microsoft's guidance. Once Intel provides a microcode update, the mitigation will need to be enabled via the registry key as described in Microsoft's customer guidance.

Microsoft recommends enabling Intel's code when ready: "We recommend that Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device."

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.
