Most Intel processors* released in the past decade are vulnerable to the recently disclosed Meltdown and Spectre security vulnerabilities, and that’s a problem. But shortly after Intel released a microcode update to mitigate the risk, users started noticing that their computers were unexpectedly shutting off (crashing) more often than before.
Intel’s solution: don’t install that update, and instead wait for a newer update that’s less likely to crash your PC.
Now Microsoft has released a Windows update designed to remove that Intel fix from most computers running Windows 7 Service Pack 1 or later. It’s available from the Microsoft Update Catalog (meaning that it’s not rolling out through automatic updates yet, but you can download and install it manually).
This is a rare “out of band” update from Microsoft, which means that it’s an unscheduled, emergency software update.
If you’re worried that your PC will be less secure after removing Intel’s patch, that may actually be true… but so far there’s no evidence that anyone has successfully leveraged the Spectre vulnerability to create malware that can steal data from your PC yet.
Meltdown and Spectre both take advantage of a feature in modern PCs called speculative execution that effectively have the chip guess what your next move may be based on your current request. But security researchers discovered last year that the way this is carried out could allow some data to be “leaked” to software that isn’t properly authorized to access that data.
Researchers say Spectre attacks are theoretically more difficult to carry out. But just because nobody has reported a case of a Spectre-based attack doesn’t mean there isn’t one in the wild yet.
So it makes perfect sense for Intel (and Microsoft) to roll back a buggy update that can make PCs unstable. Microsoft notes that unexpected reboots and shutdowns aren’t the only problem… because they can also lead to data loss.
But there is still some risk that removing the patch could leave a computer vulnerable… at least until Intel and Microsoft can release the next update.
Meanwhile, other developers have been building Spectre and Meltdown mitigations into vulnerable software including Google Chrome and Firefox.
*While the Spectre vulnerabilites also affect AMD and ARM chips, the Meltdown vulnerability primarily affects Intel processors, although some ARM-based designs could also be affected.
via The Verge