Microsoft Starts Delivering Intel Microcode Patches for Spectre
Microsoft has made available updates for Windows 10 that include Intel CPU microcode patches for the Spectre vulnerability. This allows users to get the fixes even if their computer manufacturers haven’t released BIOS/UEFI updates for their systems yet.
The new update is only available for Windows 10 version 1709 (Fall Creators Update) and Windows Server version 1709 (Server Core) and includes only microcode patches for Intel 6th generation CPUs known as Skylake. It can be obtained from the Microsoft Update Catalog.
“We will offer additional microcode updates from Intel as they become available to Microsoft,” said John Cable, director of program management for Windows Servicing and Delivery at Microsoft, in a blog post. “We will continue to work with chipset and device makers as they offer more vulnerability mitigations.”
Mitigating one of the two variants of Spectre, known as Spectre Variant 2, Branch Target Injection or CVE 2017-5715, requires changes to the way processors operate. These changes are introduced through low-level firmware called CPU microcode that defines the instructions set of the processor.
The problem is that CPUs don’t have non-volatile memory, so any updates to a processor’s original microcode, which is burned into its silicon in the factory, does not persist and needs to be reapplied after every system reboot.
The ideal method to do that is through the UEFI/BIOS, which runs before the operating system and initializes all hardware devices. In this way, when the operating system’s kernel starts, it will already see and use the new microcode version.
However, many computer manufacturers have a poor track record of providing BIOS updates for older systems. So, to ensure that most computers can benefit from the bug fixes and performance enhancements introduced by microcode patches, OS vendors have built their own mechanisms to apply such updates themselves early in the booting sequence.
Linux has a long history of shipping microcode updates and Microsoft has also delivered new microcode versions through Windows Update on various occasions over the years. However, in this particular case, which arguably called for a rapid response to a dangerous security flaw, the company decided to let Intel and hardware vendors deal with the immediate patch delivery.
It’s possible the company anticipated that a large batch of microcode updates being rushed out could cause unexpected issues and didn’t want to take the blame for breaking users’ PCs. That proved partially true as Intel had to withdraw the initial microcode patches for Haswell CPUs because they caused reboots, forcing PC vendors to pull down their already released BIOS updates as well.
Hopefully, in time Microsoft will also deliver the microcode updates for other generations of affected CPUs and make them available for older versions of Windows as well. That would be of great help to a large number of users who have older systems that are unlikely to receive BIOS updates from their manufacturers.
Equifax Identifies 2.4 Million More Americans Affected by Its Data Breach
Equifax has identified an additional 2.4 million American consumers who were affected by the security breach the company suffered last year and which was already known to have impacted 146 million people.
“This is not about newly discovered stolen data,” said Paulino do Rego Barros, Jr., the company’s interim CEO. “It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”
The new identities surfaced because the company re-examined the data and found consumers who only had their partial driver’s license information stolen, but not their names or Social Security Numbers (SSNs). The methodology used in the original forensic examination used stolen names and SSNs to identify who was affected.
The company will now notify the newly identified 2.4 million victims and offer them free identity theft protection and credit file monitoring services as well.
Pingback: Microsoft Starts Delivering Intel Microcode Patches for Spectre | Atlantic Tagmata AI Security Feed
Pingback: Microsoft Offers $250K Bounty for Meltdown-Like Bugs in CPUs - Security Boulevard