Microsoft Starts Delivering Intel Microcode Patches for Spectre

Microsoft has made available updates for Windows 10 that include Intel CPU microcode patches for the Spectre vulnerability. This allows users to get the fixes even if their computer manufacturers haven’t released BIOS/UEFI updates for their systems yet.

The new update is only available for Windows 10 version 1709 (Fall Creators Update) and Windows Server version 1709 (Server Core) and includes only microcode patches for Intel 6th generation CPUs known as Skylake. It can be obtained from the Microsoft Update Catalog.

“We will offer additional microcode updates from Intel as they become available to Microsoft,” said John Cable, director of program management for Windows Servicing and Delivery at Microsoft, in a blog post. “We will continue to work with chipset and device makers as they offer more vulnerability mitigations.”

Mitigating one of the two variants of Spectre, known as Spectre Variant 2 (Branch Target Injection, CVE-2017-5715), requires changes to the way processors operate. These changes are introduced through low-level firmware called CPU microcode that defines the instruction set of the processor.

The problem is that CPUs don’t have non-volatile memory, so any updates to a processor’s original microcode, which is burned into its silicon in the factory, do not persist and need to be reapplied after every system reboot.

The ideal method to do that is through the UEFI/BIOS, which runs before the operating system and initializes all hardware devices. In this way, when the operating system’s kernel starts, it will already see and use the new microcode version.

However, many computer manufacturers have a poor track record of providing BIOS updates for older systems. So, to ensure that most computers can benefit from the bug fixes and performance enhancements introduced by microcode patches, OS vendors have built their own mechanisms to apply such updates themselves early in the booting sequence.
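Because an OS-applied microcode update only lives until the next reboot, the useful check on a Windows machine is whether the revision in use right now is newer than the one the firmware loaded at boot. The following PowerShell snippet is an added example, not from the article or from Microsoft; it assumes that the "Update Revision" and "Previous Update Revision" values under the CentralProcessor registry key hold the raw 64-bit IA32_BIOS_SIGN_ID MSR image, whose upper 32 bits carry the microcode revision.

```powershell
# Added example (assumption-based, not the article's own code): compare the
# microcode revision Windows is running with the one BIOS/UEFI loaded at boot.
function Get-MicrocodeRevision {
    param([int]$Cpu = 0)

    $key = "HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\$Cpu"
    $p   = Get-ItemProperty -Path $key -ErrorAction Stop

    # Assumed layout: 8-byte REG_BINARY = little-endian MSR 0x8B image,
    # so the 32-bit revision sits in bytes 4..7.
    $current = [BitConverter]::ToUInt32($p.'Update Revision', 4)

    # "Previous Update Revision" is the firmware-loaded revision; if the value
    # is absent, assume nothing was applied on top of it.
    $previous = $current
    if ($p.'Previous Update Revision') {
        $previous = [BitConverter]::ToUInt32($p.'Previous Update Revision', 4)
    }

    [PSCustomObject]@{
        Cpu              = $Cpu
        Identifier       = $p.Identifier
        FirmwareRevision = ('0x{0:X}' -f $previous)   # loaded by BIOS/UEFI
        RunningRevision  = ('0x{0:X}' -f $current)    # in use after OS early-boot load
        OsUpdateApplied  = ($current -gt $previous)   # true if Windows supplied newer microcode
    }
}

# Check every logical processor; revisions should agree across cores.
Get-ChildItem 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor' |
    ForEach-Object { Get-MicrocodeRevision -Cpu ([int]$_.PSChildName) } |
    Format-Table -AutoSize
```

Run it again after a reboot: if OsUpdateApplied flips back to False, the update was not being reapplied early in the boot sequence.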

Linux has a long history of shipping microcode updates and Microsoft has also delivered new microcode versions through Windows Update on various occasions over the years. However, in this particular case, which arguably called for a rapid response to a dangerous security flaw, the company decided to let Intel and hardware vendors deal with the immediate patch delivery.

It’s possible the company anticipated that a large batch of microcode updates being rushed out could cause unexpected issues and didn’t want to take the blame for breaking users’ PCs. That proved partially true as Intel had to withdraw the initial microcode patches for Haswell CPUs because they caused reboots, forcing PC vendors to pull down their already released BIOS updates as well.

Hopefully, in time Microsoft will also deliver the microcode updates for other generations of affected CPUs and make them available for older versions of Windows as well. That would be of great help to a large number of users who have older systems that are unlikely to receive BIOS updates from their manufacturers.

Equifax Identifies 2.4 Million More Americans Affected by Its Data Breach

Equifax has identified an additional 2.4 million American consumers who were affected by the security breach the company suffered last year and which was already known to have impacted 146 million people.

“This is not about newly discovered stolen data,” said Paulino do Rego Barros, Jr., the company’s interim CEO. “It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”

The new identities surfaced because the company re-examined the data and found consumers who only had their partial driver’s license information stolen, but not their names or Social Security Numbers (SSNs). The original forensic examination had relied on stolen names and SSNs to identify who was affected.

The company will now notify the newly identified 2.4 million victims and offer them free identity theft protection and credit file monitoring services as well.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
