Microsoft Now Offering Lots of Intel Microcode Patches in Their Update Catalog

DooKey

Microsoft has decided to step up to the plate and offer Intel microcode patches because some OEMs just aren't doing what they should with BIOS updates. KB4090007 updates the microcode for several Intel processors, but the original Spectre/Meltdown patch has to be in place to install this update. This update must be manually installed, so go to the Windows Update Catalog to get it.

Microsoft's custom updates are only meant for Windows 10 version 1709 and Windows Server, version 1709 (Datacenter, Standard) users, and not for Windows 7, 8, and 8.1 machines. Microsoft's original Meltdown and Spectre patches must be already installed.
 
Only available for Windows 10 & Server 2016?

Looks like another way to push people to Windows 10.
Yeah, but would you trust MS to get them properly tested in 7, 8, and 10 along with Servers 2008, 2012, 2012 R2, and 2016 to the point where you would be able to trust them? Win 10 and Server 2016 have some huge changes to the HAL, so changes to microcode are less likely to have an adverse impact than on their older OSes.
 
I may end up splicing my own BIOS. Between this Win 10 only nonsense and ASUS being slower than molasses on Mars, it seems the only way. But then I'm still not really worried; for one thing, even if I did get infected it would take forever to do a memory dump at my upload speeds (see, crapnet does have its advantages).
 
Only available for Windows 10 & Server 2016?

Looks like another way to push people to Windows 10.

Windows 8.1 hit EOL for mainstream support in January, so I doubt they are in a rush to patch.
 
Windows 8.1 hit EOL for mainstream support in January, so I doubt they are in a rush to patch.

Irrelevant. Things like patching exploits fall under extended support - or at least used to when Microsoft was slightly more honorable.
 
Windows 8.1 hit EOL for mainstream support in January, so I doubt they are in a rush to patch.

I saw the writing on the wall over a year ago and started moving everything at the office to Server 2016 and Windows 10. Still have a way to go, but I'm probably 80% there.
The lack of a security patch in the older versions might just be enough to finally get the boss to replace the one remaining old app that is forcing me to keep a couple old servers running.
 
Windows 8.1 hit EOL for mainstream support in January, so I doubt they are in a rush to patch.
Last I checked security patches weren't part of mainstream support. What's the point of extended support if they're going to withhold security patches?

All I see here is another weasel way to try pushing an OS on people that don't want it.

First: You want DX12 -> Install 10
Second: You want to run recent(ish) hardware -> Install 10
Now: You want an important security fix -> Install 10 and not any version even.

Well that's just fucked up.
 
Last I checked security patches weren't part of mainstream support. What's the point of extended support if they're going to withhold security patches?

All I see here is another weasel way to try pushing an OS on people that don't want it.

First: You want DX12 -> Install 10
Second: You want to run recent(ish) hardware -> Install 10
Now: You want an important security fix -> Install 10 and not any version even.

Well that's just fucked up.
They would qualify it as a new service as at no other point have they done CPU microcode updates for any other OS release to date. As it is a new service they don't have to roll it back to older OS releases.
I mean, really, this should be a job done by motherboard manufacturers and Intel themselves. Intel should have rolled this stuff into their chipset updates or something. Microsoft is the one who gets a bad reputation because of this issue, so they are taking it upon themselves to fix it before it just becomes a security hole they are unequipped to fill.
 
I've done some quick & dirty testing on the machine in my sig.
The test is Spectre and Meltdown vs. only Meltdown. The Spectre fix being from the Microsoft patch this article references, NOT my BIOS!

Reason being, Meltdown is known not to be as complex. So this measures only Spectre's impact! I used InSpectre to enable/disable.

Hitman Benchmark: Within measuring tolerances, no regression that's measurable @1920x1200.
CPU-Z: 541/2755 (Spectre on, Single/Multi core) vs 558/2838. About 3% loss on single and multi.
ASUS RealBench: Only 'Image Editing' had real differences: 27.7s Spectre on, 24.9s Spectre off, 11% loss (and yeah I know it's not the greatest bench.. sue me ;) )

CrystalDiskMark 6.0.0 was interesting.
Spectre ON:
https://imgur.com/a/7Dr7v

Spectre OFF:
https://imgur.com/a/UWQ0k

On some access patterns, CrystalDiskMark takes a real dive.

TL;DR: Very similar to my results with the initial Spectre fixes via BIOS in January, at least for the Kaby Lake platform. I haven't benchmarked my typical workloads yet, but the disk hits slowed down the Compiling/Build process about 25-30% when I tried the January BIOS fix. I can't say this will be the same, but it sure looks it.
 
They would qualify it as a new service as at no other point have they done CPU microcode updates for any other OS release to date. As it is a new service they don't have to roll it back to older OS releases.
I mean, really, this should be a job done by motherboard manufacturers and Intel themselves. Intel should have rolled this stuff into their chipset updates or something. Microsoft is the one who gets a bad reputation because of this issue, so they are taking it upon themselves to fix it before it just becomes a security hole they are unequipped to fill.
O, RLY?

Also their reasoning for not supporting Skylake and newer CPUs on anything but 10 was microcode updates that they wouldn't release for 8 and 7.
 
The corporate world still has large amounts of Win7 deployments. I doubt very much Microsoft will not offer the microcode for them. It's not like the microcode itself would be any different.
 
O, RLY?

Also their reasoning for not supporting Skylake and newer CPUs on anything but 10 was microcode updates that they wouldn't release for 8 and 7.
Not exactly. Windows 7 also has no built-in support for USB 3 and NVMe; getting these features working requires changes to the kernel. Intel's changes to the P-State were also pretty substantial, and I think with kernel 4.13 that shit still isn't 100% yet. In regards to Windows 8, I am a little upset that they didn't add the functionality, but I don't fault them for it; Windows 8 just needs to die.

But Windows 7 is in extended support, and extended support gets security patches but not new features nor functionality.

Didn't MS pull the same thing with SSE3 and Windows XP, or did they eventually get that working? I can't remember.
 
Only available for Windows 10 & Server 2016?

Looks like another way to push people to Windows 10.
They didn't have to do anything. It isn't a Windows vulnerability, it is a hardware vulnerability with Intel. So be thankful someone is trying to get this fixed at all, when the HW makers are dragging their feet. UEFI allows the OS to interact more closely with the BIOS, so it is possible on Windows 8.1 and 10, but not 7.
 
Last I checked security patches weren't part of mainstream support. What's the point of extended support if they're going to withhold security patches?

All I see here is another weasel way to try pushing an OS on people that don't want it.

First: You want DX12 -> Install 10
Second: You want to run recent(ish) hardware -> Install 10
Now: You want an important security fix -> Install 10 and not any version even.

Well that's just fucked up.


OS security updates are included. Adding code changes to fix shit that should be done through a BIOS update would fall right into mainstream support.


And people had the same stupid complaints about being forced to upgrade from XP -> 7, 7 -> 8, and now 8 -> 10. Apple/Google do the same thing with old OS/hardware, but feel free to focus all that hate on MS.
 
Not exactly, Windows 7 also has no built-in support for USB 3 and NVMe getting these features working requires changes to the Kernel.
What are you talking about? I use USB3 on many computers with Windows 7. And as far as I know many people use NVMe as well.

I linked to a previous occasion where they released cpu microcode updates for all their OSes, I don't know if you didn't see that or just ignored it.
 
OS security updates are included. Adding code changes to fix shit that should be done through a BIOS update would fall right into mainstream support.


And people had the same stupid complaints about being forced to upgrade from XP -> 7, 7 -> 8, and now 8 -> 10. Apple/Google do the same thing with old OS/hardware, but feel free to focus all that hate on MS.
If only there was any other reason to update to Windows 10 apart from these forced issues. Apple doing it doesn't make it any better. There was no forced update from 7 to 8. The only forced obsolescence was not releasing DX10 for XP. So far we could easily skip undesirable Windows versions, as I skipped ME, then 2K, then Vista, then 8. I don't think even you truly believe this is the same situation we were in previously.
 
If only there was any other reason to update to Windows 10 apart from these forced issues. Apple doing it doesn't make it any better. There was no forced update from 7 to 8. The only forced obsolescence was not releasing DX10 for XP. So far we could easily skip undesirable Windows versions, as I skipped ME, then 2K, then Vista, then 8. I don't think even you truly believe this is the same situation we were in previously.


And your example of planned obsolescence does not apply here. This is a patch they don't have to create for non-mainstream support. If you want to stay on an old unsupported/unpatched OS, there is nothing preventing you from doing so. It will just be your fault when you get malware installed on your machine. No software vendor is going to support all versions of their product forever. MS has a policy in place and that's what they stick to. Don't like it, there's always Linux... But guess what, they don't even support older versions for 5 years like MS does.
 
And your example of planned obsolescence does not apply here. This is a patch they don't have to create for non-mainstream support.
What can be asserted without evidence can be dismissed without evidence.

Is it not a security patch? Then it is supposed to be covered by extended support. That's what their own policy says.
 
What are you talking about? I use USB3 on many computers with Windows7. And as far as I know many people use NVMe as well.

I linked to a previous occasion where they released cpu microcode updates for all their OSes, I don't know if you didn't see that or just ignored it.
I was under the impression that NVMe and USB3 were done by third-party drivers and not natively by Windows. I stand corrected.
And no I didn't see that previous link, but I still think this is an issue that should be handled by Intel and the various motherboard manufacturers.
 
I was under the impression that NVMe and USB3 were done by third-party drivers and not natively by Windows. I stand corrected.
And no I didn't see that previous link, but I still think this is an issue that should be handled by Intel and the various motherboard manufacturers.
You do need third-party drivers. I don't get what you're saying then, or how it is relevant to CPU microcode updates.
 
If only there was any other reason to update to Windows 10 apart from these forced issues. Apple doing it doesn't make it any better. There was no forced update from 7 to 8. The only forced obsolescence was not releasing DX10 for XP. So far we could easily skip undesirable Windows versions, as I skipped ME, then 2K, then Vista, then 8. I don't think even you truly believe this is the same situation we were in previously.
IF you are in large-scale environments, MS has provided some nice reasons to go to 10 and Server 2016; for home users it really depends on the user. Moving my mom to Win10 was the best thing I have ever done for my weekends... Anecdotal, I know, but I think it holds. And I was upset about DX10 not coming to XP, but I am pretty sure it was for the best: XP was finally working and stable, and I doubt making the required changes to internals would have been a smooth experience. And it's not like much came of DX10; with 0 console support it died a short, painful death, and practically it offered very little over DX9 while consuming a large amount of overhead. It was a dud. DX 10.1 finally delivered a usable product, but honestly by then it was too late, and I don't recall it having a huge amount of support. Somebody correct me if I am wrong, but most of the games only did DX10 support as a function of DX11.
 
You do need third party drivers, I don't get what you're saying then or how is it relevant to cpu microcode updates.
I was originally saying that adding USB3 and NVMe support to Windows 7 had nothing to do with microcode updates and was a kernel update issue, and that those were some of the big changes Kaby Lake was adding that MS was not supporting in older OSes. I was trying (badly, I guess) to provide examples of the features the new processors were adding that MS couldn't support on Windows 7 and 8 without making large changes under the hood. It's been a long day and I suppose I got off on a tangent.
 
I was originally saying that adding USB3 and NVMe support to Windows 7 had nothing to do with microcode updates and was a kernel update issue, and that those were some of the big changes Kaby Lake was adding that MS was not supporting in older OSes. I was trying (badly, I guess) to provide examples of the features the new processors were adding that MS couldn't support on Windows 7 and 8 without making large changes under the hood. It's been a long day and I suppose I got off on a tangent.
I understand what you meant now, but NVMe and USB support are features, and not security issues. So no one can blame them for not adding native support for them. But this is a security patch they choose to only deploy on the latest version of Windows 10. Unless they're going to release it for other versions later, I think they're very much in the wrong here, and are exploiting a serious security hole to further their own interests.
 
I understand what you meant now, but NVMe and USB support are features, and not security issues. So no one can blame them for not adding native support for them. But this is a security patch they choose to only deploy on the latest version of Windows 10. Unless they're going to release it for other versions later, I think they're very much in the wrong here, and are exploiting a serious security hole to further their own interests.
Yes and no.... I understand the business case for not doing it, it just sucks. And after reading into it, they are only releasing the microcode updates for Kaby, Coffee, and Sky, so it's not the whole Intel catalog, which, as mentioned previously, they don't technically support for the older OSes.

Edit.

Microsoft has also announced it is working with Intel on future updates for additional Windows versions and Intel processors.
 
Is it not a security patch? Then it is supposed to be covered by extended support. That's what their own policy says.

I'm pretty sure their policy doesn't cover every security flaw that's introduced by 3rd parties though, no one is going to take on that liability. But don't get me wrong, they should do what they can to help mitigate this particular issue in 7 and 8.x.
 
At this point it would be easier for me to quit Intel, than it would be for me to quit Microsoft.

Someone should probably tell Intel that.
 
Still no BIOS update for my i7 980X... c'mon Intel, it's not that ancient of a CPU...

The X58 platform is pretty old now, about a decade? These flaws affected so much hardware for so long that it was never going to be an easy thing to deal with.
 
The X58 platform is pretty old now, about a decade? These flaws affected so much hardware for so long that it was never going to be an easy thing to deal with.

In one of their earlier PDFs they said they would be releasing updates for Gulftown, which was surprising... I think it's last on their list, so I'll be waiting a while :D
 
Not only that, extended support does include critical patches...
In the article it says that they are working with Intel to get it for more CPUs and more Windows versions. It looks like they just started with the current hardware/software and are working backwards.
 
I'm pretty sure their policy doesn't cover every security flaw that's introduced by 3rd parties though, no one is going to take on that liability. But don't get me wrong, they should do what they can to help mitigate this particular issue in 7 and 8.x.
It's a pre-existing issue, it wasn't introduced, it was revealed recently. "The butler did it" doesn't seem to be a valid defense. This is the equivalent of a security guard saying that he is not responsible for thieves because he didn't manufacture the locks on the doors.

This is a case of using a crisis to herd even more people to 10. And it seems to me, also a statement to people who are holding off of "creators updates" because they prefer a stable environment over an ever changing one. And this after they already got a pass for things like making users their QA staff, and "accidentally" upgrading people against their wishes. This is a new low for them.
 
Microsoft's original Meltdown and Spectre patches must be already installed.

I'm curious as to what this specifically means. I installed KB4090007, but it did not complain about any prerequisite patch. Other than being updated to 1709, I have not opted into a previous Meltdown and Spectre patch. So now I'm wondering if this latest KB is doing anything at all?

Edit: Nevermind, I've verified it's working. For those wondering what this KB actually does and who it's targeting MS has a page dedicated for that:

https://support.microsoft.com/en-us/help/4090007/intel-microcode-updates

Also, if you're new to patching against these vulnerabilities and curious as to whether you're fully protected, follow the guide here:

https://support.microsoft.com/en-us...ive-execution-side-channel-vulnerabilities-in
 
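For anyone, like the poster above, who wants to confirm that KB4090007 actually changed anything on their box, here is an added PowerShell check. It is my own example, not code from the thread or from Microsoft's support page: it looks for the KB, confirms the 1709 build, reads the registry override that InSpectre-style tools flip, and, if Microsoft's SpeculationControl module from the PowerShell Gallery is installed (an assumption), reports the mitigation flags the kernel itself exposes.

```powershell
# Added example (not from the forum or from Microsoft). Run from an elevated
# PowerShell prompt on Windows 10 version 1709. Assumes the SpeculationControl
# module is installed (Install-Module SpeculationControl); without it only the
# hotfix, build and registry checks run.

$MicrocodeKb = 'KB4090007'   # the update discussed in this thread
$Build1709   = 16299         # Windows 10 version 1709 build number
$MemMgmtKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-MicrocodePatchState {
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $build  = [int]$os.BuildNumber
    $hotfix = Get-HotFix -Id $MicrocodeKb -ErrorAction SilentlyContinue

    # FeatureSettingsOverride / FeatureSettingsOverrideMask are the registry
    # switches tools such as InSpectre toggle. Override=3 with Mask=3 turns
    # both the Spectre v2 and Meltdown mitigations off.
    $reg      = Get-ItemProperty -Path $MemMgmtKey -ErrorAction SilentlyContinue
    $override = $reg.FeatureSettingsOverride
    $mask     = $reg.FeatureSettingsOverrideMask

    $state = [ordered]@{
        OsBuild                       = $build
        IsVersion1709                 = ($build -eq $Build1709)
        MicrocodeKbInstalled          = [bool]$hotfix
        MitigationsDisabledByRegistry = ((($override -band 3) -eq 3) -and (($mask -band 3) -eq 3))
        SpeculationControlModule      = $false
    }

    if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
        # The module asks the kernel what is in effect, so it reflects the
        # running state rather than merely what has been installed.
        $sc = Get-SpeculationControlSettings
        $state.SpeculationControlModule = $true
        # BTIHardwarePresent becomes True once new microcode (from the BIOS or
        # from KB4090007) exposes the branch-target-injection controls; this is
        # the flag that shows the KB is doing something on this CPU.
        $state.SpectreV2HardwareSupport = $sc.BTIHardwarePresent
        $state.SpectreV2OsSupport       = $sc.BTIWindowsSupportPresent
        $state.SpectreV2Enabled         = $sc.BTIWindowsSupportEnabled
        $state.MeltdownRequired         = $sc.KVAShadowRequired
        $state.MeltdownEnabled          = $sc.KVAShadowWindowsSupportEnabled
    }

    [pscustomobject]$state
}

$s = Get-MicrocodePatchState
$s | Format-List

# Plain-language verdict for the questions raised in this thread.
if (-not $s.MicrocodeKbInstalled) {
    Write-Warning "$MicrocodeKb is not installed; it is a manual download from the Update Catalog (1709 only)."
} elseif ($s.SpeculationControlModule -and -not $s.SpectreV2HardwareSupport) {
    Write-Warning "KB is installed but the CPU reports no new microcode: check the prerequisite cumulative update, or the CPU model may not be covered."
} elseif ($s.MitigationsDisabledByRegistry) {
    Write-Warning "Mitigations are switched off via FeatureSettingsOverride (e.g. by InSpectre); set it back to 0 to re-enable them."
}
```

Get-HotFix reads Win32_QuickFixEngineering, so a catalog-installed KB shows up the same way a Windows Update one does.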
It's a pre-existing issue, it wasn't introduced, it was revealed recently. "The butler did it" doesn't seem to be a valid defense. This is the equivalent of a security guard saying that he is not responsible for thieves because he didn't manufacture the locks on the doors.

This is a case of using a crisis to herd even more people to 10. And it seems to me, also a statement to people who are holding off of "creators updates" because they prefer a stable environment over an ever changing one. And this after they already got a pass for things like making users their QA staff, and "accidentally" upgrading people against their wishes. This is a new low for them.


No it's not.... This is a case of MS sticking to its OS life-cycle, and not putting money into adding a security 'feature' to older OSes..... This is NOT a flaw in the OS, hence not a security patch. This is a flaw in Intel's hardware, that SHOULD be patched at the BIOS level. Since that is not happening, MS is releasing an 'update' to the OSes still in MAINSTREAM SUPPORT to work around the fix.

Why should they dedicate ANY resources to add this 'update' to OS's outside of the mainstream support? This update does NOT apply to extended support, so they have zero obligation to back port it. And if they did release it without adequate testing and broke something, you guys would lose your shit about MS rushing out patches without testing etc.....
 
No it's not.... This is a case of MS sticking to its OS life-cycle, and not putting money into adding a security 'feature' to older OSes..... This is NOT a flaw in the OS, hence not a security patch. This is a flaw in Intel's hardware, that SHOULD be patched at the BIOS level. Since that is not happening, MS is releasing an 'update' to the OSes still in MAINSTREAM SUPPORT to work around the fix.

Why should they dedicate ANY resources to add this 'update' to OS's outside of the mainstream support? This update does NOT apply to extended support, so they have zero obligation to back port it. And if they did release it without adequate testing and broke something, you guys would lose your shit about MS rushing out patches without testing etc.....
Well that's exactly their problem. "We're not obligated to give you shit, so screw you user" meanwhile decent companies are familiar with the concept of fairness.
Your attitude is just too obvious. Basically you're saying MS is right whatever they do or don't do.
 
Well that's exactly their problem. "We're not obligated to give you shit, so screw you user" meanwhile decent companies are familiar with the concept of fairness.
Your attitude is just too obvious. Basically you're saying MS is right whatever they do or don't do.


Again, no..... They have set lifecycles for their OSes, and list exactly when each OS will hit different EOL and what is included at that time. They are following those cycles, just like Google and Apple (and pretty much any other software company). This is NOT a security patch, so they have no obligation to go above and beyond and back port those updates to OSes no longer supported. Just like every other software company. Old versions of software/hardware get retired and are no longer patched or supported. You want to assume the risk and keep using them? Go right ahead. But don't whine about MS not spending money to create a non-security patch for a product outside of mainstream support.

And just like all other software companies, yes, they want you to move to the current supported/patched OS..... That's not a MS trying to fuck you thing.



BTW, your post sounds exactly like all those memes about entitled millennials. "It doesn't matter what the page says about EOL, I want this patch on my unsupported OS and MS is an asshole for not giving me what I want"
 