Wednesday, February 28th 2018

Intel Finally Ready With Security Microcode Updates for Broadwell, Haswell

Via updated documents on its Microcode Revision guide, Intel has revealed that it has finally developed and started deploying microcode security updates for its Broadwell and Haswell-based microprocessors. The microcode update comes after a flurry of nearly platform-specific updates that aimed to mitigate the vulnerabilities in Intel's CPUs known as Spectre and Meltdown.

While that's good news, Intel's patching odyssey is by no means over. According to Intel's documentation, the Spectre fixes for Sandy Bridge and Ivy Bridge are still in beta and are being tested by hardware partners, so that's two other architectures that still remain vulnerable. Of course, the question of who's vulnerable and who isn't can't really be reduced to which architectures Intel has released updates for. Users have to remember that the trickle-down process from Intel's patch validation and distribution through manufacturers to end users' systems is a slow one, and is also partially in the hands of sometimes not too tech-savvy users. Time will tell if these flaws will have any major impact on some users or businesses.
Source: Intel Microcode Update Guidance

35 Comments on Intel Finally Ready With Security Microcode Updates for Broadwell, Haswell

#2
noel_fs
If I'm getting worse performance with the patch I won't update for sure
#3
Tomorrow
Wait what?

Sandy Bridge?

I don't see it in the table. Oldest I see is Ivy Bridge and these appear to be mobile and Xeon variants only - not desktop LGA.
Saying that, I'm surprised IB will even get the patch. I thought Haswell would be the oldest one to get it.

EDIT: Never mind. Looks like the linked PDF includes way more models. Some even...ancient like Penryn, Nehalem and Westmere (pre-Sandy Bridge).
#4
TheDeeGee
Cool just gotta wait for UBU to be updated then.
#5
BadFrog
noel_fs said:
If I'm getting worse performance with the patch I won't update for sure
Do you plan on benchmarking before and after? Would you really want to downgrade ur bios cause ur getting a performance hit? Can you really "feel" a 10% degrade in performance? You'd rather gain the performance but be vulnerable to exploits from the internet?
#6
Upgrayedd
Why does the spectre hold a stick?
#7
Red_Machine
With regards to Sandy Bridge and Ivy Bridge, will EVERYBODY get them, or is it entirely dependent on your motherboard manufacturer getting off their lazy asses and writing a new BIOS upgrade?
#8
windwhirl
Yeah, because my B85-based motherboard is so gonna get a firmware update two and a half years after the last one... I'd be honestly surprised if that actually happened and didn't screw anything up...
#9
xkm1948
So my Pentium 133 will probably take another 5yrs to receive the update on my Windows 98SE? Damn Intel u lazy! /s
#10
btarunr
Editor & Senior Moderator
I doubt if any motherboard manufacturer will release BIOS updates for 8-series and 9-series chipset motherboards. Their support cycle ended around 2016.

This is why I miss Intel's Desktop Board brand. They were usually the first to receive new BIOSes and Intel would support them for way longer than someone like ASUS.
#11
Red_Machine
I wonder if Intel will work with Microsoft to implement this somehow. I'm somewhat confident my laptop will get it, despite being a generation older than my desktop, because its last BIOS update was only last year.
#12
Fierce Guppy
I have to wait for fat arse Asus to provide a BIOS update since Intel is now only handing out the microcode updates to its OEM partners.
#13
Readlight
I have two registry keys which enable, disable them. In my new OS install. I'm not sure what they do.
#15
Fierce Guppy
Readlight said:
I have two registry keys which enable, disable them. In my new OS install. I'm not sure what they do.
Your Anti-Virus publisher should have updated its software to add those keys. Microsoft's "Check for Updates" process now checks for their presence before installing any spectre/meltdown mitigation security updates. It used to not do that, and the result was BSODs. You can use this tool to check if the Microsoft security updates are installed:

The Meltdown side will be green if the relevant MS security updates have been installed. The Spectre side will remain red until your motherboard's BIOS is updated to include Intel's latest CPU microcode patch.
#16
TheOne
I'm still waiting for Gigabyte to release the BIOS update for my Z170 board.
#17
cucker tarlson
TheOne said:
I'm still waiting for Gigabyte to release the BIOS update for my Z170 board.
If you need it badly then email them, I know they provide BIOS updates for some mobos per user request.
#18
phanbuey
gonna wait a month or two before updating...

they never get the first bios right.
#19
_JP_
Delivering on their word...I'm not used to this :p
TheMailMan78 said:
AMD?
Busy with Ryzen 2.0. Less R&D budget, remember?
Tomorrow said:
EDIT: Never mind. Looks like the linked PDF includes way more models. Some even...ancient like Penryn, Nehalem and Westmere (pre-Sandy Bridge).
Spectre reaches any CPU with VT-x, hence why Core 2 is affected. I still use laptops/desktops with those chips, so I'm glad Intel is making an effort for what is now Legacy.
Upgrayedd said:
Why does the spectre hold a stick?
Because one of the variants is described as "Branch target Injection"
Red_Machine said:
With regards to Sandy Bridge and Ivy Bridge, will EVERYBODY get them, or is it entirely dependent on your motherboard manufacturer getting off their lazy asses and writing a new BIOS upgrade?
You will probably have to salvage the microcode from somewhere and then BIOS mod it into your motherboard. I'm sure some communities will hop in to help :)
btarunr said:
I doubt if any motherboard manufacturer will release BIOS updates for 8-series and 9-series chipset motherboards. Their support cycle ended around 2016.

This is why I miss Intel's Desktop Board brand. They were usually the first to receive new BIOSes and Intel would support them for way longer than someone like ASUS.
Those were Foxconn sourced, weren't they? I also wondered why they stopped, the extreme models were very very good.
phanbuey said:
gonna wait a month or two before updating...

they never get the first bios right.
First versions were really rushed, these are out of beta, so we can attest nothing major should come up.
#20
R-T-B
TheMailMan78 said:
AMD?
Yeah, as far as I can tell that's never coming... lol. Funny because they promised microcode in a "week or less" like a month ago...
#21
Vlada011
noel_fs said:
If I'm getting worse performance with the patch I won't update for sure
#22
lexluthermiester
so that's two other architectures that still remain vulnerable.
To a set of vulnerabilities that are so complicated & difficult to pull off in the real-world that they're effectively a non-issue. The group of general consumers have very little to fear if they don't patch.
#23
R-T-B
lexluthermiester said:
To a set of vulnerabilities that are so complicated & difficult to pull off in the real-world that they're effectively a non-issue. The group of general consumers have very little to fear if they don't patch.
I don't know that they are that hard to exploit given example toolkits are in the wild, frankly.
#24
phanbuey
_JP_ said:

First versions were really rushed, these are out of beta, so we can attest nothing major should come up.
I'm more talking about my motherboard maker than the actual microcode update... last time I updated a BIOS for x299 from MSI all of my system fan headers stopped being able to control PWM fans.

BIOS updates in general for me have become "do it only if broken, or if there is extra performance". I like to give them like 2-3 revisions before I update.
#25
lexluthermiester
R-T-B said:
I don't know that they are that hard to exploit given example toolkits are in the wild, frankly.
There are several requirements that have to be met in order for an exploit to work. Either direct physical access to the subject system, or direct remote access. Trojans will work but have to be constructed and configured very carefully. And that is just for starters. While these things are possible, they are very improbable. If someone is using a good computing ethic and methodology the chances are minimal at best of a directed attack succeeding.