Intel releases more Meltdown/Spectre firmware fixes, Microsoft feints an SP3 patch

Credit to Author: Woody Leonhard | Date: Wed, 21 Feb 2018 07:56:00 -0800

One month ago today, Intel told the world that their Meltdown/Spectre patches were a mess. Their advice read something like, “Ooopsie. Those extremely important BIOS/UEFI firmware updates we released a coupla weeks ago are causing Intel machines to drop like bungee cows. In spite of what we told you then, stop installing them now. And if you installed a bad BIOS/UEFI patch, well golly, contact your PC manufacturer to see if they know how to get you out of the mess.”

Intel now says it has released really new, really good firmware versions for most of its chips.

Scanning the official Microcode Revision Guidance February 20, 2018 (pdf), you can see that Coffee Lake, Kaby Lake, Bay Trail and most Skylake chips are covered. On the other hand, Broadwell, Haswell, and Sandy Bridge chips still leave brown skid marks.

Security Advisory INTEL-SA-00088 has been updated with this squib:

We have now released new production microcode updates to our OEM customers and partners for Kaby Lake, Coffee Lake, and additional Skylake-based platforms. As before, these updates address the reboot issues last discussed here, and represent the breadth of our 6th, 7th and 8th Generation Intel® Core™ product lines as well as our latest Intel® Core™ X-series processor family. They also include our recently announced Intel® Xeon® Scalable and Intel® Xeon® D processors for datacenter systems. We continue to release beta microcode updates for other affected products so that customers and partners have the opportunity to conduct extensive testing before we move them into production.

Intel goes on to recommend basically the same stuff they recommended last time, with a specific call-out:

The “For most users” update is KB 4078130, the surprise Friday evening patch, released on Jan. 26, which I discussed almost a month ago:

On Friday night, Microsoft released a strange patch called KB 4078130 that “disables mitigation against Spectre, variant 2.” The KB article goes to great lengths describing how Intel’s the bad guy and its microcode patches don’t work right:

There aren’t any details, but apparently this patch — which isn’t being sent out the Windows Update chute — adds two registry settings that “manually disable mitigation against Spectre Variant 2.”
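For admins who want to know whether a machine is running with that Spectre Variant 2 mitigation switched off, the registry override is easy to audit. The script below is an added example, not code from the article, from Microsoft or from the KB; the key path and the two value names (FeatureSettingsOverride and FeatureSettingsOverrideMask) are the ones Microsoft documents for this override, and the reading of bit 0 as “disable the CVE-2017-5715 mitigation” is an assumption based on that guidance. It only reads the registry; it changes nothing.

```powershell
# Added audit script (not from the article, Microsoft or KB 4078130).
# Reports whether the Spectre Variant 2 (CVE-2017-5715) mitigation has been
# switched off through the registry override that KB 4078130 sets.
# Key path and value names: from Microsoft's published guidance for the override.
# Bit meaning (bit 0 = Spectre v2, bit 1 = Meltdown): assumption based on that guidance.

$KeyPath      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$OverrideName = 'FeatureSettingsOverride'
$MaskName     = 'FeatureSettingsOverrideMask'

function Get-SpectreV2OverrideState {
    [CmdletBinding()]
    param(
        [string] $Path = $KeyPath
    )

    # Read both DWORDs; a missing value comes back as $null rather than an error.
    $override = (Get-ItemProperty -Path $Path -Name $OverrideName -ErrorAction SilentlyContinue).$OverrideName
    $mask     = (Get-ItemProperty -Path $Path -Name $MaskName     -ErrorAction SilentlyContinue).$MaskName

    if ($null -eq $override -or $null -eq $mask) {
        return [pscustomobject]@{
            OverridePresent   = $false
            OverrideValue     = $null
            MaskValue         = $null
            SpectreV2Disabled = $false
            MeltdownDisabled  = $false
            Note              = 'No override values present; mitigation state follows the OS default.'
        }
    }

    # The mask says which override bits the kernel should honour; the override
    # says what to do with them.  Bit 0 set in both = Spectre v2 mitigation off,
    # bit 1 set in both = Meltdown (CVE-2017-5754) mitigation off.
    $spectreOff  = (($mask -band 1) -eq 1) -and (($override -band 1) -eq 1)
    $meltdownOff = (($mask -band 2) -eq 2) -and (($override -band 2) -eq 2)

    if ($spectreOff) {
        $note = 'Spectre v2 mitigation is switched off by registry override (this is what KB 4078130 does).'
    } else {
        $note = 'Override values present but they do not disable Spectre v2.'
    }

    [pscustomobject]@{
        OverridePresent   = $true
        OverrideValue     = $override
        MaskValue         = $mask
        SpectreV2Disabled = $spectreOff
        MeltdownDisabled  = $meltdownOff
        Note              = $note
    }
}

# Usage: run in an elevated or standard PowerShell session (reading HKLM needs no admin rights).
Get-SpectreV2OverrideState | Format-List
```

The script answers only one question: has someone (or KB 4078130) told the kernel to stop applying the Spectre v2 mitigation. It does not tell you whether the CPU microcode the mitigation depends on is present; for that, Microsoft's own SpeculationControl PowerShell module (Get-SpeculationControlSettings) reports both the hardware support and the kernel's effective state, which is the check to pair this with.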

Rummaging through the lengthy Microsoft IT Pro Guidance page, there’s an important warning:

Customers who only install the Windows January and February 2018 security updates will not receive the benefit of all known protections against the vulnerabilities. In addition to installing the January and February security updates, a processor microcode, or firmware, update is required. This should be available through your OEM device manufacturer.

In what must be an amazing coincidence, last night Microsoft released a firmware update for the Surface Pro 3. It’s currently available as a manual download (“MSI format”) for Surface Pro 3. I haven’t seen it come down the Windows Update chute. Perhaps Microsoft is beta testing it once again. Per Brandon Records on the Surface blog:

We’ve released a new driver and firmware update for Surface Pro 3. This update includes new firmware for Surface UEFI which resolves potential security vulnerabilities, including Microsoft security advisory 180002.

This update is available in MSI format from the Surface Pro 3 Drivers and Firmware page at the Microsoft Download Center.

Except, golly, the latest version of the patch on that page (as of 10 am Eastern US time) is marked “Date Published 1/24/2018.” The official Surface Pro 3 update history page lists the last firmware update for the SP3 as being dated Oct. 27, 2017.

And, golly squared, Microsoft Security Advisory 180002 doesn’t even mention the Surface Pro 3. It hasn’t been updated since Feb. 13. It links to the Surface Guidance to protect against speculative execution side-channel vulnerabilities page, KB 4073065, which doesn’t mention the Surface Pro 3 and hasn’t been updated since Feb. 2.

You’d have to be incredibly trusting — of both Microsoft and Intel — to manually install any Surface firmware patch at this point. Particularly when you realize that not one single Meltdown or Spectre-related exploit is in the wild. Not one.

Thx Bogdan Popa, Softpedia News.

Fretting over Meltdown and Spectre? Assuage your fears on the AskWoody Lounge.
