Skip to main content

Microsoft Microcode Updates Defend Intel CPUs Against Spectre

Microsoft released a patch that delivers Intel’s microcode updates for Spectre to Windows 10 systems with certain 6th-gen (Skylake) CPUs. You should know, however, that this patch isn't as permanent a solution as patching via BIOS updates.

Intel has made a lot of progress on creating new microcode updates to protect its CPUs against the Spectre vulnerability. The company said it has released updates for 4th-gen (Haswell), 5th-gen (Broadwell), 6th-gen (Skylake), 7th-gen (Kaby Lake), and 8th-gen (Coffee Lake) CPUs to system and motherboard OEMs. So far, it’s been the OEMs’ job to package the new microcode into BIOS updates for their products. However, Microsoft has decided to also distribute the new microcode through Windows.

To be clear, the Meltdown/Spectre vulnerabilities require fixes at multiple levels of the system. Individual software, the OS, and hardware all have a role to play in mitigating the problem as a whole. Microsoft has already issued many Windows updates with regards to the issue, but until now, those updates all pertained to the operating system itself. That has changed now that Microsoft has made available a Windows patch that delivers Intel’s new microcode to systems with CPUs in the following table:

Product Names (CPU)Public NameCPUIDIntel Microcode Update RevisionMicrosoft Update Standalone Package Version
Skylake H/S6th Generation Intel Core Processor Family506E30xC2V1.001
Skylake U/Y & Skylake U23e6th Generation Intel Core m Processors406E30xC2V1.001

The patch isn’t being delivered via Windows Update, and we don’t know if it ever will be. Currently, it can only be downloaded, and you'll have to install it manually. Also, the update will install only if your system is running Windows 10 version 1709 (Fall Creators Update). But don’t fret: You don’t really have to worry about applying the patch on an incompatible system, because the patch will check all the conditions for you. Microsoft said it will soon be distributing Intel’s new microcode for other CPUs in the same way but didn’t offer any additional information about its plans.

This development raises some questions on the overall Meltdown/Spectre mitigation initiative. As stated earlier, we understood that Intel’s microcode updates were to be distributed to end users on a per-product basis via BIOS updates. BIOS updates are able to rewrite ROM that holds a permanent copy of system firmware. We confirmed with Microsoft that the Windows patch is not doing the same thing; instead, it applies the new microcode at a different level in the system, overwriting the default provided by the BIOS ROM. The distinction is that one method is permanent and persists even if you install another OS, whereas the other applies only within the context of the OS. Microsoft confirmed that this means if you reinstall your Windows OS without reapplying the Windows update, then your system will revert to being unprotected.

To be clear, regardless whether you apply the BIOS update or the Windows patch to your system, the end result is that your Windows system is protected. If you go the latter route, just remember to reapply the Windows patch if you reinstall your OS.

The fact that this option of distributing microcode is a possibility at all, though, raises a question: If Microsoft had the ability to fully protect all Windows systems all along, why has it only come forward to do so now?

Considering how Intel’s first round of microcode updates for Spectre turned out, it’s actually fortunate that Microsoft didn't distribute them. We asked Microsoft if it had ever intended to distribute Intel’s original microcode updates, before it was known they were defective, but we don’t have an answer yet.

Given that a Windows-applied microcode patch wouldn’t have permanently modified anyone’s BIOS ROM, rolling it back when it was discovered to be defective would have been much easier. It certainly would have saved Microsoft the trouble of releasing the Spectre-fix kill-switch patch. We’re extrapolating, but this all evokes the picture painted by the recently published response letters from the U.S. government’s inquiry into Meltdown/Spectre.

In January, Congress asked tech giants, including Intel, Microsoft, Amazon, Google, and Apple, questions pertaining to whether they had evaluated the risk of Meltdown/Spectre and why they had chosen to embargo information on it. Google, which discovered the vulnerabilities, was an exception, but finger-pointing by the remaining software companies clearly showed that they would rather not entangle themselves in what has largely been an issue focused around hardware manufacturers.