Microcode Updates & the Master Patch List

Topic

New Reply

Over time, I have hidden several microcode updates because in principle I install only Week “B” Patch Tuesday patches when MS-DEFCON is 3+. The only exception to that has been a recent a Week “C” OOB Optional Update that superseded a Week “B” CU that had printer problems.

I’ve just seen the advice on the Master Patch List to install microcode updates and then to use the Inspectre Tool to disable the impact.  I just downloaded and ran Inspectre and it says that my system is Meltdown- and Spectre-protected and my performance is good (and this is without any microcodes installed).  I don’t do any high-powered stuff on my machine and I am happy with the performance.

So, does this Inspectre report mean that there is no need to install those microcodes, although the Master Patch List suggests it?

1 user thanked author for this post.

opti1

Reply | Quote

Replies

Please let me know where you saw an install recommendation for microcode (assume you are referring to 4589212). I don’t see any reference to it on the latest Master Patch List dated 3/26/21.

 

Thanks!

Reply | Quote

It’s on the patches to avoid list in the master patch list section.

Because it’s hard to CONSTANTLY say no to them as they get re-released, I’ve decided to try another tack… let them install and then use the inspectre tool to disable the impact.

The inspectre tool is telling you they are installed. I then use the tool to turn them off.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

And the reason you turn them off is to improve performance??

Or the reason you turn them off is that you are already protected by virtue of having a BIOS installed that provides the protection??

Reply | Quote

Or that they are not a security risk for users and browsers already mitigate the issue?

cheers, Paul

Reply | Quote

They impact performance and I don’t believe that attackers will use it to go after me when there are so many easier ways to attack me.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

So, if you are already Meltdown- and Spectre-protected by virtue of having a BIOS that provides the protection and/or by virtue of having a browser that mitigates the issue (see Paul T’s reply), why would you install the microcodes and then turn them off so that they don’t affect performance?

You already have performance that is not affected by the microcodes, because you didn’t install them, and you didn’t install them because your BIOS and your browser are protecting you from Meltdown and Spectre.

What am I missing in the reason to install the microcodes, then?

Reply | Quote

Given that Microsoft republish them and then offer them up again, given that I’m trying to make it simpler to manage patching, I let the microcode updates install. This keeps them from being reoffered over and over again. Then I use the inspectre tool to disable the performance hit.

 

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

WCHS

Reply | Quote

I am clearly missing something. I can’t find a “patches to avoid list” in the Master Patch List spreadsheet.

Reply | Quote

Use one of the links after “Listings of updates I want you to avoid:”, not “Listings of just March’s updates:”.

Reply | Quote

Thanks Susan! I never actually noticed that link before. Got it now.

1 user thanked author for this post.

b

Reply | Quote

[Alex5723]

Susan Bradley wrote:

The inspectre tool is telling you they are installed. I then use the tool to turn them off.

I always install Intel’s Microcode updates and was never hit with performance degrade.

The app state that there is a microcode update, but there is none as KB4589212 has been installed.

• This reply was modified 4 years ago by Alex5723.

Reply | Quote

Susan Bradley wrote:

Given that Microsoft republish them

Susan, by republish you mean that the microcode updates are same with every release ? I don’t think so.
I think Intel’s microcode fix new found security bugs.

https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-new-windows-10-intel-cpu-microcode-updates/

Reply | Quote

What typically happens is that Microsoft will change detection. They will publish them to WSUS whereas they didn’t before. They then come back out on the MU channel and you have to avoid them all over again.  I’m getting tired in my old age of trying to dodge them and have decided that this is a better long term solution.  I have some apps that have sql databases and I do find some perf hits.  As with everything in computing your personal experience may, and often does, vary.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

Alex5723

Reply | Quote

I have a rather old but still very useful Lenovo T61 laptop on Windows 10 20H2 Build 19042.1110;  the CPU is Intel Core 2 Duo Mobile T9300 ‘Penryn’

Steve Gibson’s GRC InSpectre utility says that this system is protected from Meltdown,  but not from Spectre, and there will never be any microcode update for this processor.  InSpectre also says that performance is “slower”.  Apparently Meltdown protection provided by the OS incurs a performance penalty and he says this “can be quite expensive on older systems.”  We still use this machine frequently.

Is it true that the risk of Meltdown to an old non-corporate machine like this is minimal?

The InSpectre tool has a button to Disable Meltdown Protection, which I think changes some registry settings.

How can I measure the system performance before and after clicking that button?

Thank you for any advice.

Reply | Quote

Meltdown/Spectre exploits are mitigated by your browser and AV. There is little chance you will encounter one in the wild so I would backup and relax.

cheers, Paul

1 user thanked author for this post.

AlphaCharlie

Reply | Quote