Confused about Spectre/Meltdown and BIOS/Firmware/Microcode updates

st4rk

At work, machines are either HP or Dell. Easy to go to their website and download the latest BIOS to update the microcode. Install the OS patch, then use the speculation PowerShell cmdlet to verify protection - all green.

Now what about ancient CPUs like Q6600? What about custom-built machines? Gigabyte probably isn't on the ball like HP/Dell with their BIOS updates. And HP will only update BIOSes back to certain generation machines (makes sense; why update out-of-support models).

I'm guessing if you have an older HP machine and HP doesn't update the BIOS for it, then you're SOL? It sounds like just having the KB4056890 installed will not keep you fully mitigated - you need a BIOS/firmware update too.
 
Microcode will later be supplied by Microsoft as well as usual. Just like other OSes.

Q6600 is very likely out of luck. I think the plan is to supply at least 5 years back, but perhaps as much as 10.

In reality, don't expect anything before SB and FX to get updates.
 
At work, machines are either HP or Dell. Easy to go to their website and download the latest BIOS to update the microcode. Install the OS patch, then use the speculation PowerShell cmdlet to verify protection - all green.

Now what about ancient CPUs like Q6600? What about custom-built machines? Gigabyte probably isn't on the ball like HP/Dell with their BIOS updates. And HP will only update BIOSes back to certain generation machines (makes sense; why update out-of-support models).

I'm guessing if you have an older HP machine and HP doesn't update the BIOS for it, then you're SOL? It sounds like just having the KB4056890 installed will not keep you fully mitigated - you need a BIOS/firmware update too.

I'm wondering about the same thing. The majority of the PCs being used are old CPUs on old mobos, out of warranty and support. There's no way the system and mobo manufacturers would issue BIOS updates for them. Basically, everyone with an older CPU and mobo is screwed.
 
If Microsoft is going to release a microcode update themselves, why would the OEMs bother doing BIOS updates?

Also, the average home user doesn't know what a BIOS is and that it needs to be updated ASAP right now to mitigate Spectre. So basically everyone is still vulnerable even with the OS patch. Unless I'm understanding this all wrong and the OS patch is sufficient?
 
No, you are right, there has to be a BIOS patch along with the OS patch.
From what I am hearing there are two exploits to Spectre, and one part can never be patched.
The good news is that part is very hard to exploit.
So much information, misinformation and speculation.
What gets me is, from what I understand, this has been this way for 20 years. We are just finding it out now.
I am not really worried at this point, they say no one has ever been exploited by any of this. Yet, as far as they know.
 
There are several sites that do BIOS mods, like NVMe support for older MBs.
Maybe one or some of them will take the Intel microcode and update the BIOS for people with the older hardware.
 
If Microsoft is going to release a microcode update themselves, why would the OEMs bother doing BIOS updates?

Also, the average home user doesn't know what a BIOS is and that it needs to be updated ASAP right now to mitigate Spectre. So basically everyone is still vulnerable even with the OS patch. Unless I'm understanding this all wrong and the OS patch is sufficient?

Because MS is very slow in that process. It tends to be done only 2 times a year, and that's faster than it used to be.

It has been a huge problem for ages, on Linux they do it monthly or even faster.

Hopefully MS will yet again speed this process up.
 
Also more confusion for me. Here's the article on how to check mitigation:
https://support.microsoft.com/en-us...ive-execution-side-channel-vulnerabilities-in

Walks you through the PowerShell and whatnot. But at the end it tells you about some regkeys you can add to enable/disable mitigation. But it doesn't say if it's enabled by default (after installing the patch, those regkeys didn't exist).

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

So why would we have to go back and add regkeys after installing the security patch? Why wouldn't the patch add them after installing? So weird.

*edit* the PowerShell cmdlet comes back all green whether you have the regkeys or not, which is why I'm confused.
 
Update: I don't think adding the registry keys matters unless you're testing something and need to enable/disable mitigation on the fly. I added the keys and set them to disable, restarted (required to take effect), the PoSH returned red. I deleted the keys, restarted, then the PoSH came back green.

They need to word the support article better.
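As an added example (not from the thread or from Microsoft's support article), a PowerShell check that decodes the two registry values discussed above and compares the resulting policy with what the SpeculationControl cmdlet reports live. The bit meanings for FeatureSettingsOverride/FeatureSettingsOverrideMask and the property names of Get-SpeculationControlSettings are assumptions taken from Microsoft's guidance as I know it, not from this thread.

```powershell
# Added example, not from the thread. Assumed bit meanings (Microsoft guidance):
#   bit 0 (1) in Override = disable the Spectre variant 2 (branch target injection) mitigation
#   bit 1 (2) in Override = disable the Meltdown (kernel VA shadow) mitigation
# A bit in Override only takes effect if the same bit is set in Mask.
# Absent values mean "OS default", which the thread found to be mitigations ON.
function Get-SpectreMeltdownPolicy {
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    $override = $props.FeatureSettingsOverride
    $mask     = $props.FeatureSettingsOverrideMask

    if ($null -eq $override -or $null -eq $mask) {
        $state = 'Default (values absent; mitigations enabled after the OS patch)'
        $btiOn = $true; $kvaOn = $true
    } else {
        $effective = $override -band $mask          # unmasked Override bits are ignored
        $btiOn = -not ($effective -band 1)
        $kvaOn = -not ($effective -band 2)
        $state = "Override=$override Mask=$mask (effective=$effective)"
    }

    [pscustomobject]@{
        Policy                  = $state
        BranchTargetInjectionOn = $btiOn
        KvaShadowOn             = $kvaOn
    }
}

# Cross-check the registry policy against what the kernel actually reports.
# Policy ON but live OFF for BTI is the thread's case: OS patched, microcode missing.
# Policy ON but live OFF for KVA shadow is expected on CPUs that do not need it.
function Compare-SpeculationState {
    $policy = Get-SpectreMeltdownPolicy
    if (-not (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue)) {
        Write-Warning 'SpeculationControl module not found; install it with: Install-Module SpeculationControl'
        return $policy
    }
    $live = Get-SpeculationControlSettings
    $policy | Add-Member NoteProperty LiveBTIEnabled       $live.BTIWindowsSupportEnabled
    $policy | Add-Member NoteProperty LiveKVAShadowEnabled $live.KVAShadowWindowsSupportEnabled
    $policy | Add-Member NoteProperty BTINeedsFirmware (
        $policy.BranchTargetInjectionOn -and -not $live.BTIWindowsSupportEnabled)
    $policy
}

Compare-SpeculationState | Format-List
```

A reboot is needed after changing the registry values before the live result changes, which matches what the update above observed.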
 