
Microsoft Microcode Updates Defend Intel CPUs Against Spectre

Microsoft released a patch that delivers Intel’s microcode updates for Spectre to Windows 10 systems with certain 6th-gen (Skylake) CPUs. You should know, however, that this patch isn't as permanent a solution as patching via BIOS updates.

Intel has made a lot of progress on creating new microcode updates to protect its CPUs against the Spectre vulnerability. The company said it has released updates for 4th-gen (Haswell), 5th-gen (Broadwell), 6th-gen (Skylake), 7th-gen (Kaby Lake), and 8th-gen (Coffee Lake) CPUs to system and motherboard OEMs. So far, it’s been the OEMs’ job to package the new microcode into BIOS updates for their products. However, Microsoft has decided to also distribute the new microcode through Windows.

To be clear, the Meltdown/Spectre vulnerabilities require fixes at multiple levels of the system. Individual software, the OS, and hardware all have a role to play in mitigating the problem as a whole. Microsoft has already issued many Windows updates with regard to the issue, but until now, those updates all pertained to the operating system itself. That has changed now that Microsoft has made available a Windows patch that delivers Intel’s new microcode to systems with CPUs in the following table:

Product Names (CPU)        | Public Name                                | CPUID | Intel Microcode Update Revision | Microsoft Update Standalone Package Version
Skylake H/S                | 6th Generation Intel Core Processor Family | 506E3 | 0xC2                            | V1.001
Skylake U/Y & Skylake U23e | 6th Generation Intel Core m Processors     | 406E3 | 0xC2                            | V1.001

The patch isn’t being delivered via Windows Update, and we don’t know if it ever will be. Currently, it can only be downloaded, and you'll have to install it manually. Also, the update will install only if your system is running Windows 10 version 1709 (Fall Creators Update). But don’t fret: You don’t really have to worry about applying the patch on an incompatible system, because the patch will check all the conditions for you. Microsoft said it will soon be distributing Intel’s new microcode for other CPUs in the same way but didn’t offer any additional information about its plans.
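One way to verify on a given machine whether the 0xC2 microcode from the table above is actually loaded, as an added example that is not part of the article or of Microsoft's package. It reads the "Identifier" and "Update Revision" values that Windows publishes under HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (the 8-byte revision blob mirrors MSR IA32_BIOS_SIGN_ID, with the revision in the high dword); the sample values below are constructed, and the live registry read only runs on Windows.

```python
import re
from typing import Optional, Tuple

# From the article's table: CPUID signature -> microcode revision the package carries.
EXPECTED_REVISION = {0x506E3: 0xC2, 0x406E3: 0xC2}

def cpuid_signature(family: int, model: int, stepping: int) -> int:
    """Pack displayed family/model/stepping into the CPUID leaf-1 EAX signature
    format Intel lists (e.g. Family 6 Model 94 Stepping 3 -> 0x506E3)."""
    ext_family = family - 0xF if family > 0xF else 0
    base_family = 0xF if family > 0xF else family
    # Extended model bits are only meaningful for family 6 and family 15.
    ext_model = (model >> 4) & 0xF if family in (6, 0xF) else 0
    base_model = model & 0xF if family in (6, 0xF) else model & 0xF
    return ((ext_family << 20) | (ext_model << 16) | (base_family << 8)
            | (base_model << 4) | (stepping & 0xF))

def parse_identifier(identifier: str) -> int:
    """Registry 'Identifier' string, e.g. 'Intel64 Family 6 Model 94 Stepping 3'."""
    m = re.search(r"Family (\d+) Model (\d+) Stepping (\d+)", identifier)
    if not m:
        raise ValueError(f"unrecognised identifier: {identifier!r}")
    return cpuid_signature(*(int(g) for g in m.groups()))

def microcode_revision(update_revision: bytes) -> int:
    """'Update Revision' is an 8-byte REG_BINARY; loaded revision = bytes 4..7, LE."""
    if len(update_revision) != 8:
        raise ValueError("expected 8 bytes")
    return int.from_bytes(update_revision[4:8], "little")

def check(identifier: str, update_revision: bytes) -> Tuple[int, int, str]:
    """Return (cpuid, loaded_revision, status). A revision at or above the
    package's counts as applied; later revisions supersede 0xC2."""
    sig, loaded = parse_identifier(identifier), microcode_revision(update_revision)
    expected = EXPECTED_REVISION.get(sig)
    if expected is None:
        return sig, loaded, "not-covered"
    return sig, loaded, "mitigated" if loaded >= expected else "package-not-applied"

def read_from_registry() -> Optional[Tuple[str, bytes]]:
    """Live read on Windows (winreg is stdlib); returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"HARDWARE\DESCRIPTION\System\CentralProcessor\0")
    ident, _ = winreg.QueryValueEx(key, "Identifier")
    rev, _ = winreg.QueryValueEx(key, "Update Revision")
    return ident, rev

if __name__ == "__main__":
    live = read_from_registry()
    # Constructed sample: a Skylake H/S box that already loaded revision 0xC2.
    ident, rev = live or ("Intel64 Family 6 Model 94 Stepping 3", bytes.fromhex("00000000C2000000"))
    print("cpuid %05X rev 0x%X -> %s" % check(ident, rev))
```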

This development raises some questions on the overall Meltdown/Spectre mitigation initiative. As stated earlier, we understood that Intel’s microcode updates were to be distributed to end users on a per-product basis via BIOS updates. BIOS updates are able to rewrite ROM that holds a permanent copy of system firmware. We confirmed with Microsoft that the Windows patch is not doing the same thing; instead, it applies the new microcode at a different level in the system, overwriting the default provided by the BIOS ROM. The distinction is that one method is permanent and persists even if you install another OS, whereas the other applies only within the context of the OS. Microsoft confirmed that this means if you reinstall your Windows OS without reapplying the Windows update, then your system will revert to being unprotected.

To be clear, regardless of whether you apply the BIOS update or the Windows patch to your system, the end result is that your Windows system is protected. If you go the latter route, just remember to reapply the Windows patch if you reinstall your OS.

The fact that this option of distributing microcode is a possibility at all, though, raises a question: If Microsoft had the ability to fully protect all Windows systems all along, why has it only come forward to do so now?

Considering how Intel’s first round of microcode updates for Spectre turned out, it’s actually fortunate that Microsoft didn't distribute them. We asked Microsoft if it had ever intended to distribute Intel’s original microcode updates, before it was known they were defective, but we don’t have an answer yet.

Given that a Windows-applied microcode patch wouldn’t have permanently modified anyone’s BIOS ROM, rolling it back when it was discovered to be defective would have been much easier. It certainly would have saved Microsoft the trouble of releasing the Spectre-fix kill-switch patch. We’re extrapolating, but this all evokes the picture painted by the recently published response letters from the U.S. government’s inquiry into Meltdown/Spectre.

In January, Congress asked tech giants, including Intel, Microsoft, Amazon, Google, and Apple, questions pertaining to whether they had evaluated the risk of Meltdown/Spectre and why they had chosen to embargo information on it. Google, which discovered the vulnerabilities, was an exception, but finger-pointing by the remaining software companies clearly showed that they would rather not entangle themselves in what has largely been an issue focused around hardware manufacturers.

  • gdmaclew
    Why are there no comments allowed for the following story?

    Dell Quietly Releases Inspiron 17 5000 Laptops With AMD Ryzen/Vega APUs

    All other News items allow comments.
    Reply
  • LORD_ORION
    Welcome to secret Tom's Limbo GDMACLEW
    Only people also in secret Tom's Limbo can see your post.

    It's probably a baby boomer conspiracy
    Reply
  • adrian.byszuk
    On Linux, microcode update via the OS is a standard, well-known mechanism used for *many* years.
    Most distributions provided microcode updates very quickly (i.e. 1-2 days after Intel release) via standard update channels.
    Why this procedure is so complicated on Windows is beyond my understanding. This is simply disappointing.
    Reply
  • BulkZerker
    "only if your system is running Windows 10 version 1709"

    RIP business
    Reply
  • alextheblue
    20765459 said:
    "only if your system is running Windows 10 version 1709"

    RIP business
    That might be annoying if you are running legacy code that won't work on Win10 AND your system OEM won't release a BIOS update with the new microcode. Realistically though, most people (including MANY "business"es) are better off running Win10 over WinXP/7/8 if security is your top concern. Use VMs whenever possible for legacy crap so you're not downloading random emails on an old unprotected OS, just because you've got a program that doesn't work.
    Reply
  • alextheblue
    You should know, however, that this patch isn't as permanent a solution as patching via BIOS updates.
    What about those with older chips that eventually are patched by Intel, but your motherboard vendor/system builder no longer supports your board (and thus does not release a new BIOS)? You might have to make it your permanent solution. They've already said they're going to add more of these patch-at-OS-boot updates.

    The fact that this option of distributing microcode is a possibility at all, though, raises a question: If Microsoft had the ability to fully protect all Windows systems all along, why has it only come forward to do so now?

    Considering how Intel’s first round of microcode updates for Spectre turned out, it’s actually fortunate that Microsoft didn't distribute them.
    This raises another question: Why would you ask a question that you already know the answer to? Why not write this in the form of a statement? For example: The reason Microsoft has only offered this solution now was because they were leery of Intel's initial microcode updates. Not to mention they actually DO NOT have the ability to protect ALL Windows systems at a microcode level. Intel hasn't even released microcode updates for many architectures yet!

    Anyway, they have their reasons for not distributing them through Windows Update to systems en masse. They could do so at any time, if they were so inclined. Maybe some day they will go that route, but it definitely has some risks (as seen by Intel's fustercluck with their first round of highly unstable microcode fixes).
    Reply
  • termathor
    Is it me, or is it really strange that MS is offering a patch (presumably something running very early in the boot sequence, just after UEFI) for something which belongs to UEFI?

    Or is it that MS already knows the mobo OEMs don't give a <BIP>, and is offering a plan B to keep WIN10 safe?
    Reply
  • gdmaclew
    Tom's fixed the story entitled "Dell Quietly Releases Inspiron 17 5000 Laptops With AMD Ryzen/Vega APUs" so comments could be accepted...
    Then they promptly removed that ability after a few comments were entered.
    I have never seen that before.
    Dell is obviously handicapping their AMD products and this should be announced publicly - ExtremeTech has already at least one article on this.
    What's going on, Tom's?
    Reply
  • dave_trimble
    "You should know, however, that this patch isn't as permanent a solution as patching via BIOS updates."

    I have a Haswell-based system (4790K), and wasn't planning to upgrade for some time yet because I still get all the performance I need from my system. But the last BIOS update made available for my system came out in 2014. What am I supposed to do to protect myself? Am I going to have to upgrade to a new MB/CPU now in order to be safe?
    Reply
  • alextheblue
    20767802 said:
    "You should know, however, that this patch isn't as permanent a solution as patching via BIOS updates."

    I have a Haswell-based system (4790K), and wasn't planning to upgrade for some time yet because I still get all the performance I need from my system. But the last BIOS update made available for my system came out in 2014. What am I supposed to do to protect myself? Am I going to have to upgrade to a new MB/CPU now in order to be safe?
    If your vendor doesn't release a BIOS update, MS will likely release a microcode patch for Haswell soon. When they do, just install it and keep in mind that you need to reinstall it (outside of Win Update) if you reinstall the OS. It's just as permanent as any other software-based solution; you just have to be aware that it's not part of regular Windows Update patches. The preferred solution is UEFI-based patches, but for older hardware that just may not happen.
    Reply