ASRock reaction to Meltdown and Spectre Vulnerabilities

Why ASROCK? ASROCK is not a chip maker. This only affect chip manufacturers like INTEL, ARMS AND AMD..

I would bet my left eye any response you'll get will just be PR nonsense, like 'We are aware of the problem and working on it as fast as we can'

I'm pretty sure it's been stated that Spectre/Meltdown can't be fixed through FW, and must be fixed through SW (OS). Hence Windows/Linux/etc patches coming out to address the issue. I haven't seen anything about a BIOS update being released in tandem to address these vulnerabilities.

@beard55 for Microcode and Bios Updates yes, But System updates are only made available by system manufacturers and operating system providers. ASROCK is not a system manufacturer or a operating system provider, but they could do is provide you with a link to an actual microsoft patch(but no need for that since microsoft updates are mostly automatic)

Intel has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years. In addition, many operating system vendors, public cloud service providers and device manufacturers have indicated that they have already updated their products and services. Microsoft is actually the one giving the most end support since they are the ones releasing the patches.
Intel encourages computer users worldwide to utilize the automatic update functions of their operating systems and other computer software to ensure their systems are up-to-date. Make sure windows is set to receive automatic updates.

@YoAndy the fix for these vulnerabilities on Intel platforms is a OS and FW patch in tandem. The OS patch would have to come through MS, but the FW (BIOS) would come through your mobo manufacturer, i.e. ASRock.

Edit: https://support.microsoft.com/en-hk/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in
"Customers who only install the Windows January 2018 security updates will not receive the benefit of all known protections against the vulnerabilities. In addition to installing the January security updates, a processor microcode, or firmware, update is required. This should be available through your device manufacturer."

Yes for bios and microcode update that's correct.

MSI gives BIOS updates too: https://www.msi.com/news/detail/rKUC2bI3D7-qQwKu2sMknN64chmZ522Lud9g_cONY0PNhahW-TFJ96dI7K7NA9rKUsihP5smlrCseaHQstFxJw~~

To ensure any system powered by MSI Z370-series motherboards is operating securely, Intel® and MSI have been working around the clock to prepare updated microcode and release new BIOS updates, which will be available for download. More information from Intel® on the updated microcode can be found here.

Click to expand...

Furthermore, MSI is preparing updates for its X299-series, 200-series, 100-series and X99-series motherboards. For these platforms, BIOS versions containing similar security patches are expected to be ready very soon. Keep an eye on the product pages to check for their availability.

Click to expand...

Just admit you were wrong.

About what? We are having a conversation, And no I'm not wrong I know that you don't know but "Windows can update CPU microcode on boot" and it actually does I'm not sure about you but we all know that most security updates are at the OS level and windows is releasing all the updates and doing it automatically(if windows update is enabled).

Patching operating systems and i did agree that the Microcode updates can be loaded onto the CPU by firmware (usually called BIOS) and yes those could be downloaded manually by going to the computer manufacturer site like Dell or HP, or motherboard manufacturers.
Microcode updates can be loaded onto the CPU by firmware (usually called BIOS even on computers that technically have UEFI firmware instead of old-style BIOS) or by the operating system. Microcode updates do not persist across reboot, so in the case of a dual-boot system, if the microcode update isn't delivered via BIOS, both operating systems have to provide the update. So we can always let windows do it for us and that's what most people are doing, so doing manually trough a motherboard manufacturer still makes no sense to me.
To allow Windows to load updated microcode onto the CPU, we have to make sure Windows Update is enabled and set to install updates. Is that simple..
Microsoft says firmware updates are only required to protect against what’s being described as Spectre variant 2. For Meltdown and Spectre variant 1, Microsoft has isolated kernel and user mode page tables and hardened Edge and Internet Explorer 11 to protect against JavaScript exploits. Windows updates for 41 editions of the operating system are now available, and Microsoft expects the four remaining supported editions will be patched soon

Now there is a side story if you are using older computers with older hardware, if system received patches for the Meltdown bug, but has received incomplete patches for the Spectre bug.

This was to be expected, as Google said last month that Spectre is harder to exploit, but also harder to patch.

What this means is that you need additional chipset firmware updates. Microsoft and Google say that OEMs will need to provide users with these additional firmware updates to complete the Windows OS-level Spectre patches. Depending on your computer's age, some OEM might not make these firmware updates available, meaning you'll be stuck with an incomplete Spectre patch.

http://www.techradar.com/how-to/how-to-protect-against-the-meltdown-and-spectre-cpu-security-flaws

You wrote: "Why ASROCK? ASROCK is not a chip maker."

Asrock does provide Microcode updates. Just like all the other mainboard manufacturers.

That's why you should admit you were wrong.

I'm telling the same. But YoAndy said Asrock should not do anything. I reflected to that statement.

Personally I think it's worth to install both the Microsoft (or whatever OS) Microcode update and the mainboard aswell. It's better to have the update in the UEFI aswell in case you tear your PC apart and start using the mainboard with a totally different non-updated CPU from scratch. But the Microsoft update is the easiest one, I agree.

And that's correct ASROCK is actually not doing anything, they only build the motherboard, because even their BIOS are made by Phoenix and American Megatrends companies, Asrock is getting the information and the software straight from Intel and then passing it to their costumers.. So if you want the update first hand, you follow the chip Makers Intel or AMD because they are the ones making the software and coming up with the news and the updates.
Like this link here provided by intel on December 27 with each motherboard manufacturer included on their update https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

The ME vulnerability and associated ME update was a different issue, unrelated to Spectre/Meltdown.

I'll rather wait for Intel and AMD to figure it out first, all the new updates are horrible for both Intel and AMD. Sometimes making the system crash or and can't boot into bios and or a performance hit.

Yes and that proves my point. At the moment of the question the only patches related to SPECTRE and MELTDOWN where at the OS level and they still that way, Meltdown, a bug that could allow an attacker to read kernel memory (the protected core of an operating system)

No, when the OP first asked the question Asus had already released new BIOSs addressing Spectre. Other manufacturers had not yet released them, but it was already known that they would be, hence the OP asking when ASRock would be releasing them. So yes, your initial responses were wrong (as was mine).

That's right must of us had no idea other than the ones been released by microsoft. But like I said, intel will always have the updates listed first.

Meltdown, a bug that could allow an attacker to read kernel memory (the protected core of an operating system) is only fixed at the os level.

The other bug, Spectre, involves two known attack strategies so far, and is far more difficult to patch. (And in fact, it may be impossible to defend against it entirely in the long term without updating hardware.) It affects processors from Intel, AMD, ARM, and Qualcomm. Browsers like Chrome, Firefox, and Edge/Internet Explorer all have preliminary Spectre patches, as do some operating systems. But Apple, for example, has said it is still working on its Spectre patches, and hopes to release them within a few days.
And regardless of what AMD says all modern processors are affected by SPECTRE..


Which systems are affected by Spectre? https://meltdownattack.com/
Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.

https://blog.barkly.com/meltdown-spectre-patches-list-windows-update-help