Microsoft Now Offering Lots of Intel Microcode Patches in Their Update Catalog

Discussion in 'HardForum Tech News' started by DooKey, Mar 16, 2018.

  1. DooKey

    DooKey [H]ardness Supreme

    Messages:
    8,034
    Joined:
    Apr 25, 2001
    Microsoft has decided to step up to the plate and offer Intel microcode patches because some OEMs just aren't doing what they should with BIOS updates. KB4090007 updates the microcode for several Intel processors, but the original Spectre/Meltdown patch has to be in place to install this update. This update must be manually installed so go to the Windows Update Catalog to get it.

    Microsoft's custom updates are only meant for Windows 10 version 1709 and Windows Server, version 1709 (Datacenter, Standard) users, and not for Windows 7, 8, and 8.1 machines. Microsoft's original Meltdown and Spectre patches must be already installed.
     
  2. nutzo

    nutzo [H]ardness Supreme

    Messages:
    7,378
    Joined:
    Feb 15, 2004
    Only available for Windows 10 & Server 2016?

    Looks like another way to push people to Windows 10.
     
  3. viper1152012

    viper1152012 [H]ard|Gawd

    Messages:
    1,025
    Joined:
    Jun 20, 2012
    At least someone is sending out fixes... God knows ASRock never will.
     
  4. Lakados

    Lakados [H]ard|Gawd

    Messages:
    1,569
    Joined:
    Feb 3, 2014
    Yeah but would you trust MS to get them properly tested in 7, 8, and 10 along with servers 2008, 2012, 2012r2, and 2016 to the point where you would be able to trust them? Win 10 and Server 2016 have some huge changes to the HAL so changes to microcode are less likely to have an adverse impact than on their older OS's.
     
  5. WhoMe

    WhoMe Gawd

    Messages:
    827
    Joined:
    Jan 3, 2018
    I may end up splicing my own BIOS. Between this Win 10 only nonsense and ASUS being slower than molasses on Mars, it seems the only way. But then I'm still not real worried, for one thing even if I did get infected it would take forever to do a memory dump at my upload speeds (see crapnet does have its advantages).
     
  6. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,223
    Joined:
    Nov 16, 2009
    Windows 8.1 hit EOL for mainstream support in January, so I doubt they are in a rush to patch.
     
  7. odditory

    odditory [H]ardness Supreme

    Messages:
    5,445
    Joined:
    Dec 23, 2007
    Irrelevant. Things like patching exploits fall under extended support - or at least used to when Microsoft was slightly more honorable.
     
  8. nutzo

    nutzo [H]ardness Supreme

    Messages:
    7,378
    Joined:
    Feb 15, 2004
    I saw the writing on the wall over a year ago and started moving everything at the office to Server 2016 and Windows 10. Still have a way to go, but I'm probably 80% there.
    The lack of a security patch in the older versions might just be enough to finally get the boss to replace the one remaining old app that is forcing me to keep a couple old servers running.
     
  9. M76

    M76 [H]ardForum Junkie

    Messages:
    9,196
    Joined:
    Jun 12, 2012
    Last I checked security patches weren't part of mainstream support. What's the point of extended support if they're going to withhold security patches?

    All I see here is another weasel way to try pushing an OS on people that don't want it.

    First: You want DX12 ->Install 10
    Second: You want to run recent(ish) hardware -> Install 10
    Now: You want an important security fix -> Install 10 and not any version even.

    Well that's just fucked up.
     
  10. Lakados

    Lakados [H]ard|Gawd

    Messages:
    1,569
    Joined:
    Feb 3, 2014
    They would qualify it as a new service as at no other point have they done CPU microcode updates for any other OS release to date. As it is a new service they don't have to roll it back to older OS releases.
    I mean really this should be a job done by motherboard manufacturers and Intel themselves. Intel should have rolled this stuff into their chipset updates or something. Microsoft is the one who gets a bad reputation because of this issue so they are taking it upon themselves to fix it before it just becomes a security hole they are unequipped to fill.
     
  11. lollerwaffle

    lollerwaffle Gawd

    Messages:
    666
    Joined:
    Feb 3, 2008
    I've done some quick&dirty testing on the machine in my sig.
    The test is Spectre And Meltdown vs. Only Meltdown. The Spectre fix being from the Microsoft patch this article references, NOT my BIOS!

    Reason being, Meltdown is known not to be as complex. So this measures only Spectre's impact! I used InSpectre to enable/disable.

    Hitman Benchmark: Within measuring tolerances, no regression that's measurable @1920x1200.
    CPU-Z: 541/2755 (Spectre on, Single/Multi core) vs 558/2838. About 3% loss on single and multi.
    ASUS RealBench: Only 'Image Editing' had real differences: 27.7s Spectre on, 24.9s Spectre off, 11% loss (and yeah I know it's not the greatest bench.. sue me ;) )

    CrystalDiskMark 6.0.0 was interesting.
    Spectre ON:
    https://imgur.com/a/7Dr7v

    Spectre OFF:
    https://imgur.com/a/UWQ0k

    On some access patterns, CrystalDiskMark takes a real dive.

    TL;DR: Very similar to my results with the initial Spectre fixes via BIOS in January, at least for the Kaby Lake platform. I haven't benchmarked my typical workloads yet, but the disk hits slowed down the Compiling/Build process about 25-30% when I tried the January BIOS fix. I can't say this will be the same, but it sure looks it.
     
    Last edited: Mar 16, 2018
  12. M76

    M76 [H]ardForum Junkie

    Messages:
    9,196
    Joined:
    Jun 12, 2012
    O, RLY?

    Also their reasoning for not supporting Skylake and newer CPUs on anything but 10 was microcode updates that they wouldn't release for 8 and 7.
     
  13. lollerwaffle

    lollerwaffle Gawd

    Messages:
    666
    Joined:
    Feb 3, 2008
    The corporate world still has large amounts of Win7 deployments. I doubt very much Microsoft will not offer the microcode for them. It's not like the microcode itself would be any different.
     
  14. Lakados

    Lakados [H]ard|Gawd

    Messages:
    1,569
    Joined:
    Feb 3, 2014
    Not exactly, Windows 7 also has no built-in support for USB 3 and NVMe; getting these features working requires changes to the kernel. Intel's changes to the P-State were also pretty substantial and I think with Kernel 4.13 that shit still isn't 100% yet. In regards to Windows 8 I am a little upset that they didn't add the functionality, but I don't fault them for it; Windows 8 just needs to die.

    But Windows 7 is in extended support, and extended support gets security patches but not new features nor functionality.

    Didn't MS pull the same thing with SSE3 and Windows XP or did they eventually get that working, I can't remember.
     
    Last edited: Mar 16, 2018
  15. jardows

    jardows [H]ard|Gawd

    Messages:
    1,615
    Joined:
    Jun 10, 2015
    They didn't have to do anything. It isn't a Windows vulnerability, it is a hardware vulnerability with Intel. So be thankful someone is trying to get this fixed at all, when the HW makers are dragging their feet. UEFI allows OS to interact more closely with the BIOS so it is possible on Windows 8.1 and 10, but not 7.
     
  16. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,223
    Joined:
    Nov 16, 2009

    OS security updates are included. Adding code changes to fix shit that should be done through a BIOS update would fall right into mainstream support.


    And people had the same stupid complaints about being forced to upgrade from XP -> 7, 7 -> 8, and now 8 -> 10. Apple/Google do the same thing with old OS/hardware, but feel free to focus all that hate on MS.
     
  17. M76

    M76 [H]ardForum Junkie

    Messages:
    9,196
    Joined:
    Jun 12, 2012
    What are you talking about? I use USB3 on many computers with Windows7. And as far as I know many people use NVMe as well.

    I linked to a previous occasion where they released cpu microcode updates for all their OSes, I don't know if you didn't see that or just ignored it.
     
  18. M76

    M76 [H]ardForum Junkie

    Messages:
    9,196
    Joined:
    Jun 12, 2012
    If only there was any other reason to update to windows 10 apart from these forced issues. Apple doing it doesn't make it any better. There was no forced update from 7 to 8. The only forced obsolescence was not releasing dx10 for XP. So far we could easily skip undesirable windows versions, as I skipped ME, then 2K, then Vista, then 8. I don't think even you truly believe this is the same situation we were in previously.
     
  19. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,223
    Joined:
    Nov 16, 2009

    And your example of planned obsolescence does not apply here. This is a patch they don't have to create for non-mainstream support. If you want to stay on an old unsupported/unpatched OS, there is nothing preventing you from doing so. It will just be your fault when you get malware installed on your machine. No software vendor is going to support all versions of their product forever. MS has a policy in place and that's what they stick to. Don't like it, there's always Linux... But guess what, they don't even support older versions for 5 years like MS does.
     
  20. M76

    M76 [H]ardForum Junkie

    Messages:
    9,196
    Joined:
    Jun 12, 2012
    What can be asserted without evidence can be dismissed without evidence.

    Is it not a security patch? Then it is supposed to be covered by extended support. That's what their own policy says.
     
    Last edited: Mar 16, 2018
  21. Lakados

    Lakados [H]ard|Gawd

    Messages:
    1,569
    Joined:
    Feb 3, 2014
    I was under the impression that NVMe and USB3 were done by 3rd-party drivers and not done natively by Windows; I stand corrected.
    And no, I didn't see that previous link, but I still think this is an issue that should be handled by Intel and the various motherboard manufacturers.
     
  22. M76

    M76 [H]ardForum Junkie

    Messages:
    9,196
    Joined:
    Jun 12, 2012
    You do need third party drivers, I don't get what you're saying then or how is it relevant to cpu microcode updates.
     
  23. Lakados

    Lakados [H]ard|Gawd

    Messages:
    1,569
    Joined:
    Feb 3, 2014
    If you are in large scale environments MS has provided some nice reasons to go to 10 and Server 2016; for home users it really depends on the users. Moving my mom to Win10 was the best thing I have ever done for my weekends... Anecdotal I know but I think it holds. And I was upset about DX10 not coming to XP but I am pretty sure it was for the best; XP was finally working and stable and I doubt making the required changes to internals would have been a smooth experience. And it's not like much came of DX10: with 0 console support it died a short painful death, and practically it offered very little over DX9 while consuming a large amount of overhead. It was a dud. DX 10.1 finally delivered a usable product but honestly by then it was too late and I don't recall it having a huge amount of support, and somebody correct me if I am wrong but most of the games only did DX10 support as a function of DX11.
     
  24. Lakados

    Lakados [H]ard|Gawd

    Messages:
    1,569
    Joined:
    Feb 3, 2014
    I was originally saying that adding USB3 and NVMe support to Windows 7 had nothing to do with microcode updates and was a kernel update issue, and that was some of the big changes that Kaby Lake was adding that MS was not supporting in older OS's. I was trying (badly I guess) to provide examples of the features the new processors were adding that MS couldn't support on Windows 7 and 8 without making large changes under the hood. It's been a long day and I suppose I got off on a tangent.
     
  25. M76

    M76 [H]ardForum Junkie

    Messages:
    9,196
    Joined:
    Jun 12, 2012
    I understand what you meant now but nvme and usb support are features, and not security issues. So none can blame them for not adding native support for them. But this is a security patch they choose to only deploy on the latest version of windows 10. Unless they're going to release it for other versions later, I think they're very much in the wrong here, and are exploiting a serious security hole to further their own interests.
     
  26. Lakados

    Lakados [H]ard|Gawd

    Messages:
    1,569
    Joined:
    Feb 3, 2014
    Yes and no.... I understand the business case for not doing it, it just sucks, and after reading into it they are only releasing the microcode updates for Kaby, Coffee, and Sky so it's not the whole Intel catalog, which as mentioned previously they don't technically support for the older OS's.

    Edit.

    Microsoft has also announced it is working with Intel on future updates for additional Windows versions and Intel processors.
     
  27. heatlesssun

    heatlesssun [H]ard as it Gets

    Messages:
    44,157
    Joined:
    Nov 5, 2005
    I'm pretty sure their policy doesn't cover every security flaw that's introduced by 3rd parties though, no one is going to take on that liability. But don't get me wrong, they should do what they can to help mitigate this particular issue in 7 and 8.x.
     
  28. mrwizardno2

    mrwizardno2 Limp Gawd

    Messages:
    191
    Joined:
    Jan 20, 2012
    I can't help but laugh at the people bitching about MS not releasing patches for Windows 3.1! :-P
     
  29. Krazy925

    Krazy925 2[H]4U

    Messages:
    2,826
    Joined:
    Sep 29, 2012
    At this point it would be easier for me to quit Intel, than it would be for me to quit Microsoft.

    Someone should probably tell Intel that.
     
  30. polonyc2

    polonyc2 [H]ard as it Gets

    Messages:
    16,522
    Joined:
    Oct 25, 2004
    still no BIOS update for my i7 980X...c'mon Intel it's not that ancient of a CPU...
     
  31. heatlesssun

    heatlesssun [H]ard as it Gets

    Messages:
    44,157
    Joined:
    Nov 5, 2005
    The x58 platform is pretty old now, about a decade? These flaws affected so much hardware for so long that it was never going to be an easy thing to deal with.
     
  32. polonyc2

    polonyc2 [H]ard as it Gets

    Messages:
    16,522
    Joined:
    Oct 25, 2004
    in one of their earlier pdf's they said they would be releasing updates for Gulftown which was surprising...I think it's last on their list so I'll be waiting awhile :D
     
  33. YeuEmMaiMai

    YeuEmMaiMai [H]ardForum Junkie

    Messages:
    14,611
    Joined:
    Jun 11, 2004
    not only that, extended support does include critical patches...
     
  34. Lakados

    Lakados [H]ard|Gawd

    Messages:
    1,569
    Joined:
    Feb 3, 2014
    In the article it says that they are working with Intel to get it for more CPU’s and more windows versions. It looks like they just started with the current hardware/software and are working backwards.
     
  35. M76

    M76 [H]ardForum Junkie

    Messages:
    9,196
    Joined:
    Jun 12, 2012
    It's a pre-existing issue, it wasn't introduced, it was revealed recently. "The butler did it" doesn't seem to be a valid defense. This is the equivalent of a security guard saying that he is not responsible for thieves because he didn't manufacture the locks on the doors.

    This is a case of using a crisis to herd even more people to 10. And it seems to me, also a statement to people who are holding off of "creators updates" because they prefer a stable environment over an ever changing one. And this after they already got a pass for things like making users their QA staff, and "accidentally" upgrading people against their wishes. This is a new low for them.
     
  36. Absalom

    Absalom Gawd

    Messages:
    642
    Joined:
    Oct 3, 2007
    I'm curious as to what this specifically means. I installed KB4090007, but it did not complain about any prerequisite patch. Other than being updated to 1709, I have not opted into a previous Meltdown and Spectre patch. So now I'm wondering if this latest KB is doing anything at all?

    Edit: Never mind, I've verified it's working. For those wondering what this KB actually does and who it's targeting, MS has a page dedicated to that:

    https://support.microsoft.com/en-us/help/4090007/intel-microcode-updates

    Also, if you're new to patching against these vulnerabilities and curious as to whether you're fully protected, follow the guide here:

    https://support.microsoft.com/en-us...ive-execution-side-channel-vulnerabilities-in
     
    Last edited: Mar 17, 2018
  37. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,223
    Joined:
    Nov 16, 2009

    No it's not.... This is a case of MS sticking to its OS life-cycle, and not putting money into adding a security 'feature' to older OS's..... This is NOT a flaw in the OS, hence not a security patch. This is a flaw in Intel's hardware, that SHOULD be patched at the BIOS level. Since that is not happening, MS is releasing an 'update' to the OS's still in MAINSTREAM SUPPORT to work around the fix.

    Why should they dedicate ANY resources to add this 'update' to OS's outside of the mainstream support? This update does NOT apply to extended support, so they have zero obligation to back port it. And if they did release it without adequate testing and broke something, you guys would lose your shit about MS rushing out patches without testing etc.....
     
  38. M76

    M76 [H]ardForum Junkie

    Messages:
    9,196
    Joined:
    Jun 12, 2012
    Well that's exactly their problem. "We're not obligated to give you shit, so screw you user" meanwhile decent companies are familiar with the concept of fairness.
    Your attitude is just too obvious. Basically you're saying, MS is right whatever they do or don't do.
     
  39. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,223
    Joined:
    Nov 16, 2009

    Again, no..... They have set lifecycles for their OS's, and list exactly when each OS will hit different EOL and what is included at that time. They are following those cycles, just like Google and Apple (and pretty much any other software company). This is NOT a security patch, so they have no obligation to go above and beyond and back port those updates to OS's no longer supported. Just like every other software company. Old versions of software/hardware get retired and are no longer patched or supported. You want to assume the risk and keep using them? Go right ahead. But don't whine about MS not spending money to create a non-security patch for a product outside of mainstream support.

    And just like all other software companies, yes, they want you to move to the current supported/patched OS..... That's not a MS trying to fuck you thing.



    BTW, your post sounds exactly like all those memes about entitled millennials. "It doesn't matter what the page says about EOL, I want this patch on my unsupported OS and MS is an asshole for not giving me what I want"
     
  40. jolli

    jolli Gawd

    Messages:
    763
    Joined:
    Dec 17, 2010