More Intel microcode updates released through the Update Catalog

Topic

New Reply

I count 14 separate updates in the Microsoft Update Catalog, all of which are dated “2019-01” but released on Feb. 4. The main ones: Win10 1809 – KB 4
[See the full post at: More Intel microcode updates released through the Update Catalog]

5 users thanked author for this post.

Elly, PhotM, OscarCP, NetDef, Fred

Reply | Quote

Replies

Thanks. Starting from the link on the Home page here, I found the following MS one with what looks like the full  (and also fairly long) list:

https://support.microsoft.com/en-us/help/4465065/kb4465065-intel-microcode-updates

My laptop has a seven-year old “sandy bridge” CPU in it, also in that list, and that means I am also a target for being sent this “update”. So I’ll have to keep an eye on this. Most people would have newer PCs, so it is likely they will also be getting these microcode updates offered, and should be watching out for those as well.

But, reading now the note at the end of that long page, it seems to be a microcode update only for machines running Windows 10. So with Win 7 (and in a 7-year old PC), am I actually being spared from this?

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

I actually have been letting these microcode updates through for the Sandy Bridge and older Xeon CPU’s, but in “some” cases my teams noticed performance degradation in certain applications (Revit in particular on some CPU/GPU combo’s.)

I’ve been playing with Gibson’s InSpectre mini-tool to experiment with disabling some or all of the microcode updates without having to uninstall them entirely.  Seems to work fine, but his tool was updated last in April 2018.  These new patches might (not sure) need Steve to rework the tool.

https://www.grc.com/inspectre.htm

 

( On a side note, the quote above was via Piter De Vries – a mentat character in Dune. Inspired by Woody’s use of the word to describe us IT security folks. )

 

~ Group "Weekend" ~

3 users thanked author for this post.

Elly, Mele20, admin

Reply | Quote

The code you get from Microsoft is ONLY for Win 10. The manufacturer of your computer may have hardware and/or software patches available for your specific machine. Dell has a support site that should enable you to tell if they (Dell) have any patches for your computer.

Edit: That means you should not be offered any Intel Code patches through Windows Update. Then again, it is MS so,…

Reply | Quote

by the way DrBonzo, here’s the link to that specific Dell page:

https://www.dell.com/support/article/us/en/19/sln309853/microprocessor-side-channel-vulnerabilities-cve-2018-3639-and-cve-2018-3640-impact-on-dell-pcs-and-thin-client-products?lang=en

1 user thanked author for this post.

DrBonzo

Reply | Quote

According to the KB article, these microcode updates are only available from the catalog (i.e. not from WU) and should only be applied to the listed CPU’s.

Reply | Quote

Not sure about Windows 7 and older Intel processors.

Skylake and Windows 10 takes the microcode patches in stride, and InSpectre shows no issues with system degradation or vulnerabilities. I take both the Bios updates and the microcode patches, both for Windows and for Linux. No issues so far in this setup.

I realize this may not be relevant to the Sandy Bridge-Windows 7 combo, but maybe this is just one more data point someone might find useful.

FWIW, Linux has a Bash Script which tests for vulnerabilities and performance impacts. So whichever OS I boot into, I can patch and test using the appropriate tools. The Bios firmware updates are once for all OSes, per machine.

Installing Bios updates does nothing to discourage Windows or Linux from offering their own OS software microcode patches. The testing scripts can tell you whether you can or should turn off either the Bios update features or the OS features. It’s the OS features which InSpectre can turn off or on.

-- rc primak

Reply | Quote

rc primak wrote:

Skylake and Windows 10 takes the microcode patches in stride,

So far my Coffeelake setup hasn’t been offered any. I seem to recall that the Intel i9 z390 series handles at least some of it in firmware.

Asus ROG Maximus XI Code board; Intel i9-9900K CPU; 32 GB DDR4-3600 RAM; Nvidia GTX1080 GPU; 2x512 GB Samsung 970 Pro M.2 NVMe; 2x2 TB Samsung 860 Pro SSDs; Windows 10.1809; Linux Mint 19.1; Terabyte Backup & Recovery

1 user thanked author for this post.

OscarCP

Reply | Quote

Hi everyone,

Microsoft is pushing out Intel’s microcode update mitigations for Spectre and Meltdown only to Windows 10 computers. This is intentional on behalf of Microsoft since Microsoft’s obvious tactic is to use Meltdown and Spectre to push Windows 7 and Windows 8.x users to not only upgrade to Windows 10, but also to upgrade to new hardware. Microsoft is not pushing out any microcode updates for Windows 7 and Windows 8.x computers, even though they easily could since MS has pushed out microcode updates to Windows 7 in the past. It is what it is.

Microsoft is pushing out additional software mitigations for Meltdown and Spectre, via Windows Updates for all OS versions. Yet these software mitigations mostly require that your CPU’s microcode is being automatically updated when you boot Windows. As mentioned above, Microsoft is only doing CPU microcode updates in Windows 10. Again, Microsoft has deliberately chosen to NOT implement Intel’s CPU microcode updates when you boot a Windows 7 or a Windows 8.x computer! Again, it is what it is.

On another note, the VMware team refuses to implement my stupidly simple tweaks for their VMware CPU Microcode Update Driver since the original programmer is no longer with VMware. Yet on the other hand, my tweaks are so d**m simple that all it would take them to do is to replace and use 8.3 file name references within the EXE code, and then to quickly recompile the EXE with a VMware digital signature. This really is all that is necessary in order to get the Driver to successfully load at the split second when the Windows kernel loads. The upshot is that Windows would instantly see that the CPU’s updated and running microcode features Meltdown and Spectre mitigations, and then Windows itself will additionally implement whatever additional software mitigations which have already been installed via Windows Updates.

When the Windows kernel initially loads, only a very rudimentary 8.3 file system is available. These were my changes to the VMware Driver: I simply renamed the files which the EXE calls to load, such that the referenced files within the EXE have 8.3 compatible file names so that they can be loaded by the Driver at the very moment when the Windows Kernel loads and initializes! Nothing more, and nothing less. The upshot is that this works (I already tested it), yet the hacked driver MUST be properly digitally signed. Obviously, hacking the driver breaks the digital signature.

So, does anyone here have contacts with the VMware people? I would love to find a way to get the VMware CPU Microcode Update Driver updated, such that nobody has to risk flashing their computer’s BIOS in order to get the Intel microcode mitigations for Meltdown and Spectre, which Microsoft presently is pushing out to only Windows 10 computers.

Best regards,

–GTP

 

1 user thanked author for this post.

Karlston

Reply | Quote

@OscarCP:

The KB4465065 update is NOT offered thru Windows Update. It can only be obtained thru Microsoft Update Catalog.

also where’s Noel Carboni when we need him to test these new Intel microcode updates (if he even has a Win10 computer)?

Reply | Quote

I trashed a bunch of posts that didn’t add to the discussion.

If you feel wronged, send me a DM or an email.

– Woody

Reply | Quote

While I wish Microsoft would provide this patch to Windows 7, that is unlikely. However, it is possible to create your own BIOS update for many PCs to get the latest microcode. This is not for the faint-of-heart, though, as it is technical and has the potential to brick your motherboard if things go wrong. The guide I found is located here.

I was able to successfully create BIOS images for my ASUS Z87 motherboard and my MSI Z77 motherboard. I have flashed the ASUS and everything seems to be working perfectly. Windows sees the updated microcode and enables the mitigations, and it has been perfectly stable, just as before. I haven’t tried the custom MSI BIOS yet, as I rarely use that PC.

1 user thanked author for this post.

GoneToPlaid

Reply | Quote

I have been following UBU for about a year. UBU v1.70 is still in release candidate stage. Using UBU requires knowing exactly what you are doing. It is very easy to create a bad BIOS flash with UBU which can brick your motherboard when flashed to your motherboard’s BIOS. This is why I wanted VMware to modify their driver so that it can load as service start type of 0x0. This would allow the updated microcode to load into the CPU before the Windows kernel checks the CPU’s microcode, and before Windows makes any decisions about what additional software mitigations for Meltdown and Spectre to additionally employ.

Reply | Quote

GoneToPlaid wrote:

This is why I wanted VMware to modify their driver so that it can load as service start type of 0x0.

Doesn’t that involve some rather tricky issues with the order of kernel mode driver loading?

Asus ROG Maximus XI Code board; Intel i9-9900K CPU; 32 GB DDR4-3600 RAM; Nvidia GTX1080 GPU; 2x512 GB Samsung 970 Pro M.2 NVMe; 2x2 TB Samsung 860 Pro SSDs; Windows 10.1809; Linux Mint 19.1; Terabyte Backup & Recovery

Reply | Quote

Not when the service type is set to 0x0. I tested it. The driver loads the split second after the kernel loads. Except of course the driver doesn’t work because it calls files whose file names are not 8.3 compliant. When the kernel loads and is in the 0x0 stage, only a rudimentary 8.3 DOS file system is supported. There is no long file name support when the kernel is in the 0x0 stage. Long file name support doesn’t occur until the kernel is in the 0x1 stage.

Reply | Quote

Keep in mind, that some of the older Intel CPUs have not and will NEVER get an Intel microcode update. The best resource is the Intel site. While some chips in a given CPU family may get updated, others may not. The InSpectre applet shows there is a firmware update for my CPU, but Intel specifically says no, and never. The issue is that there is a firmware update that was released in 2018 that did cover some of the CPUs, but not specifically my CPU, which is a Bloomfield family CPU. The Intel site shows Bloomfield in red, i.e., work stopped and no update is planned. When I opened that 2018 update and looked for my specific CPU, the most recent file had a file date of 2012.

Also, are there even any Spectre attacks reported in the wild yet?

Reply | Quote

Maybe, maybe not. There is an updated microcode for Meltdown and Spectre for the Bloomfield CPUs with a CPUID of 106A5. This microcode was released on 2018-05-11 as a production microcode, and Intel’s docs indicate that 106A5 microcode should be used. However, a some Bloomfield series CPUs have a CPUID of 106A4, for which there is no microcode update for Meltdown and Spectre. What does InSpectre show for your CPU’s ID?

1 user thanked author for this post.

Bill C.

Reply | Quote

My CPU ID is 106A5 according to InSpectre_r8, the Intel Processor ID Utility, and CPUID_v1.87.

The Intel Guidance listed for 4/2/2018 showed red for my current i7-960 CPU:
Stopped – After a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products for one or more reasons including, but not limited to the following:
• Micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715)
• Limited Commercially Available System Software support
• Based on customer inputs, most of these products are implemented as “closed systems” and therefore are expected to have a lower likelihood of
exposure to these vulnerabilities.

I did look at which CPUs my MB would support and it included selected E (Nehelem) and W (W3565 (Nehelem); and W3670 (Westmere); W3690 (Gulftown) series Xeon CPUs listed as supported. However in the Intel Guidance List of 8-8-2018, only the Xeon W3670 (CPUID 206C2) is shown as having released microcode. None of the Xeon CPUs on the August 8 list with the ID of 106A5 are supported on my MB.

If a Xeon W3670 could be found, it would give a boost with 6/12 cores and hyperthreading. 🙂

If this is inaccurate, it is probably a fault of my research not having the totality of info, but I used the OEM (Intel) MB documention, Intel archives, and info on the website CPU-Upgrade.com, as well as the CPU Guidance pieces from Intel.

The real questions are is the threat active in the wild, and more importantly, with the EOL of Win7 and the age of this PC, is it worth it? Once the new PC is finished, and the current desktop is retired from first line service, it might be worth trying to find the Xeon chip as a project.

Reply | Quote

Hi Bill,

In my opinion, it’s not worth the hassle to look for another CPU since I am not overly concerned about Meltdown and Spectre at the present time. Here is why…

Meltdown is much easier to exploit, yet fortunately Microsoft has implemented really good OS based mitigations for Meltdown in Win7 through Win10. Recall that Meltdown can run in Javascript in older unpatched web browsers. Patched web browsers disable Javascript pooling and reduce the timing precision of all running Javascript. This effectively prevents Meltdown code from being successful. The Meltdown code still will merrily run, but it won’t be successful. It would collect useless garbage in terms of data. Graphics drivers theoretically could be used to try to exploit Meltdown. Nvidia has updated their drivers to prevent their drivers from being used to exploit Meltdown. I am pretty sure that Intel and AMD have done the same for their graphics drivers. The upshot is that Meltdown is being very effectively addressed by the combination of these software mitigations.

Spectre is different. Spectre can not be exploited via Javascript. Instead, Spectre has to be delivered in some other way to a user’s computer. Fortunately the consensus is that Spectre style attacks are considerably harder to successfully exploit. Be careful about any new programs which you install on your computer. Only install programs from trusted vendors and sources. If Spectre somehow got onto your computer and you didn’t install any new programs, then it must have been delivered by malware. In this case, you have both Spectre and a malware infection on your computer. You would deal with this just like any other malware infection — restore from an offline backup. That is the only way to be sure that the malware and any Spectre code truly is eradicated.

Best regards,

–GTP

 

3 users thanked author for this post.

BigBadSteve, Karlston, Bill C.

Reply | Quote

Your best bet is to check the manufacturer’s site for the latest BIOS release. I’ve found a few machines that had new firmware releases that were not widely announced.

Group A | Windows 7 Pro 64-bit | Windows 10 Pro 1809 64-bit

Reply | Quote

Hi everyone,

It turns out that Intel has been updating uCode for Meltdown and Spectre, yet Intel has not published any revised versions of their Microcode Revision Guidance since August 8, 2018. If they have, I can’t find it. Moreover, Intel’s Linux Processor Microcode Data File hasn’t been updated since August 7, 2018. Here is a list of uCodes which have again been updated (some of which already were updated post August 2018), and a list of new uCodes for new Intel CPUs:

2019-02-06 Updated and new Intel Meltdown and Spectre PRD Microcodes

Updated:

cpu306F2_plat6F_ver0000003D_2018-04-20_PRD_A5D0CFB1.bin >>>
cpu306F2_plat6F_ver00000041_2018-11-20_PRD_C3A11E45.bin

cpu406F1_platEF_ver0B000031_2018-09-05_PRD_BB03FDF6.bin >>>
cpu406F1_platEF_ver0B000033_2018-10-22_PRD_D206AB6E.bin

cpu50654_platB7_ver02000055_2018-10-08_PRD_43EA874C.bin >>>
cpu50654_platB7_ver02000059_2018-12-20_PRD_D2B4FBC1.bin

cpu50655_platB7_ver0300000B_2018-04-27_PRD_2CD37A5C.bin >>>
cpu50655_platB7_ver03000010_2018-11-16_PRD_7587C182.bin

cpu806EB_platC0_ver0000009A_2018-07-16_PRD_BA3B71D5.bin >>>
cpu806EB_platD0_ver000000A4_2018-10-25_PRD_CEFB81AB.bin

cpu906EA_plat22_ver0000009A_2018-07-16_PRD_6EF96FE7.bin >>>
cpu906EA_plat22_ver000000AA_2018-12-12_PRD_7D298E0D.bin

cpu906EB_plat02_ver000000A4_2018-10-24_PRD_EDDD5F72.bin >>>
cpu906EB_plat02_ver000000AA_2018-12-12_PRD_287F7318.bin

New (no previous PRD ucode versions):

cpu50656_platBF_ver04000014_2018-12-17_PRD_6AC0F5A2.bin
cpu50657_platBF_ver05000014_2018-12-17_PRD_E1FFC46B.bin
cpu706E0_platC0_ver0000002A_2018-05-28_PRD_7BB6D287.bin
cpu706E1_plat80_ver0000002E_2018-11-19_PRD_97A57C58.bin
cpu706E2_plat80_ver0000002E_2018-11-19_PRD_97A57C57.bin
cpu806EC_plat90_ver000000AA_2018-11-29_PRD_D5273BEF.bin

My definition of Meltdown and Spectre ucodes: All Intel ucodes which Intel released anytime after January 1, 2018.

Given that Intel obviously is still quietly updating its uCodes for Meltdown and Spectre, it would appear that Intel is trying to fly under the radar in the sense of not informing the public about further revised and updated CPU uCodes for mitigating Meltdown and Spectre. It appears that after August 2018, Intel has stopped further informing the public about their uCode mitigations for Meltdown and Spectre.

As you can see from the above list, four pre-August 2018 Meltdown and Spectre ucodes have been updated post-August 2018, and three post-August 2018 Meltdown and Spectre uCodes have also been further updated. The new uCodes obviously are for Intel’s latest CPUs.

Link for Intel’s last August 8, 2018 Microcode Revision Guidance document (PDF):

https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdf

Link for Intel’s last August 7, 2018 Linux Processor Microcode Data File:

https://downloadcenter.intel.com/download/28087/Linux-Processor-Microcode-Data-File?product=873

Best regards,

–GTP

 

2 users thanked author for this post.

Karlston, Bill C.

Reply | Quote