Optional Windows update disables crash-causing Spectre mitigations

If you're one of the unlucky few affected by "higher than expected reboots and other unpredictable system behavior" as a result of a security patch for your Intel system, rejoice. You can now disable the patch, restoring at least a modicum of sanity to your machine. Microsoft just issued update KB4078130 that specifically disables only the mitigation against CVE-2017-5715—better known as "Spectre, variant 2."

Of course, disabling the mitigation will make you vulnerable to that exploit. As Microsoft itself points out, there are no reports of this exploit being used in the wild so far. When the vulnerabilities were initially revealed, researchers did say that Spectre would be very difficult to attack, so it's possible this mitigation isn't necessarily critical on client machines for now. We'd probably still go on ahead and install the fixed fix whenever that comes around, though.

You won't get KB4078130 from Windows Update since it's an out-of-band update. If you want it, head to the Microsoft Update Catalog site and grab it there. Alternatively, if you're a power user who would rather muck about with the registry, hit this link to head to Microsoft's "Client Guidance for IT Pros" on the topic. Down the page a bit, there's a new "Disable mitigation" section that explains how to disable the patch.

Comments closed
    • tootercomputer
    • 2 years ago

    Given that one or both of these “security flaws” occur across OSes, might Intel have a case to tell MS to back off, this is a hardware problem? From my humble enthusiast perspective, this all kind of begs the question of where is the line between software and hardware.

      • K-L-Waster
      • 2 years ago

      With something like this, there isn’t really a line — it’s more like a blend area.

      • IGTrading
      • 2 years ago

      It is incredible how this article doesn’t even mention Intel’s name.

      Despite the fact that Microsoft is disabling Intel’s patch which caused tens of thousands of problems for Intel users and was characterized by Linus Torvalds as “complete and utter garbage” .

      All the “Internet” , be it IT related or Stock Market related, call this news piece like it is :

      Emergency Windows Update Removes Intel’s Buggy Spectre Patch

      [url<]https://www.extremetech.com/computing/263020-microsoft-removes-intels-buggy-spectre-patch-emergency-windows-update[/url<] INTC : Microsoft update disables Spectre patch [url<]https://seekingalpha.com/news/3326265-microsoft-update-disables-spectre-patch?app=1&uprof=45&dr=1#email_link[/url<] Windows emergency patch: Microsoft's new update kills off Intel's Spectre fix [url<]http://www.zdnet.com/article/windows-emergency-patch-microsofts-new-update-kills-off-intels-spectre-fix/[/url<] TechReport acts like Intel doesn't even have anything to do with this. You even forget about how Intel mocked us : Intel alerted Chinese cloud giants 'before US govt' about CPU bugs [url<]https://www.theregister.co.uk/2018/01/29/intel_disclosure_controversy/[/url<]

        • just brew it!
        • 2 years ago

        Uhh… Intel is mentioned in the very first sentence?

    • chµck
    • 2 years ago

    What is the impetus for applying these updates for the average user?
    As far as I know, these exploits can only be done in research labs by overly-ambitious computer science PhDs.

      • mudcore
      • 2 years ago

      There were PoCs out in the wild within hours of the research papers being released. The entire situation, the pace of reaction (and not just because of that one AMD guy “leaking” it via the LKML), the rush on the fixes and the apparent need to get them out and ignore regular quality testing only makes sense if the security risks are extremely high.

        • chµck
        • 2 years ago

        [quote] ignore regular quality testing only makes sense if the security risks are extremely high[/quote}
        or if the reports caused the stock price to drop 10% right? lol

        • exilon
        • 2 years ago

        PoCs were for Spectre variant 1 (application attacking its own process) and Meltdown.

        • Wirko
        • 2 years ago

        Within hours … or years earlier. The possibility of cache-related attacks has been at least [i<]speculated[/i<] since cache has existed (and branch predictors do maintain a kind of cache of their own). Why does everybody think that no spy agency in the world, ever, connected the dots?

      • Krogoth
      • 2 years ago

      Vendors are covering their legal butts from future lawsuits.

      The whole thing is way overblown for mainstream market. Potential attackers are going to opt for more dependable tactics like phishing and social engineering.

    • Waco
    • 2 years ago

    The Spectre/Meltdown update has made my barely-passable netbook (HP x360 quad core Atom) into an unusable mess that freezes consistently for seconds at a time.

    Since it’s purely a media consumption and indie-game machine, I’ll be disabling this garbage.

      • shank15217
      • 2 years ago

      I didn’t even think Atoms had speculative execution!

        • Waco
        • 2 years ago

        Unless MS released an update in the past few weeks that just absolutely fubars performance in another way, I have to assume its this update set.

        EDIT: I hate the Atom lineup. Mine is a “Pentium” quad core that is Atom based but I don’t recall the exact model. It may very well have speculative execution, but without it sitting in front of me I don’t recall what core type it is.

        EDIT2: It’s an N3700U quad, so Braswell? I guess it’s vulnerable.

          • swaaye
          • 2 years ago

          I have a Cherry Trail miniPC with the update and it’s been fine. I think the Baytrail netbook at work is ok too.

          But maybe there’s different behavior depending on some other factor.

    • sweatshopking
    • 2 years ago

    No wonder the wintel relationship is stressed these days.

      • shank15217
      • 2 years ago

      I think all OS vendors and HW vendors relationship is stressed right now, its been a very knee-jerk reaction so far from all parties involved.

        • Chrispy_
        • 2 years ago

        I still think the average user’s daily habits and ignorance of scam/phishing/malicious links are a greater security risk than Meldown and Spectre.

          • willmore
          • 2 years ago

          In aggregate, I agree with you. I think the difference is the difference in the attackers which will use the different methods.

          • K-L-Waster
          • 2 years ago

          True, but…

          Physical intruders are more likely to try to break into my house through the doors, but that doesn’t mean I shouldn’t also have latches on the windows.

            • Chrispy_
            • 2 years ago

            That’s not what I’m getting at.

            I’m saying that latches on the windows are pointless if the doors are left not just unlocked, but wide open and banging in the wind to draw attention.

            Average users are slowly getting smarter about security, but the bad guys are getting smarterer fastererer.

Pin It on Pinterest

Share This