Wednesday, May 15th 2019

Intel Releases CPU Microcode Updates For MDS Vulnerabilities Unearthed on May 14

Intel released CPU microcode updates to address four new security vulnerabilities disclosed by the company on May 14, 2019. These microcode updates can be encapsulated as motherboard UEFI firmware updates, and for some processors even distributed through Windows Update. In its Microcode Revision Guidance document put out on Tuesday, Intel revealed that all Core and Xeon processors going as far as the 2nd generation Core "Sandy Bridge" architecture are eligible for microcode updates.

2nd generation Core is roughly the time when motherboard vendors were forced to adopt UEFI (unrelated to these vulnerabilities). A number of low-power microarchitectures, such as "Gemini Lake," "Cherry View," "Apollo Lake," and "Amber Lake," which are basically all low-power processors released after 2012-13, also receive these updates. Until you wait for your motherboard vendor or PC/notebook OEM to pass on these microcode updates, Intel advises you to disable HyperThreading if your processor is older than 8th gen "Coffee Lake," and seek out the latest software updates.
Additional slides follow.

Add your own comment

19 Comments on Intel Releases CPU Microcode Updates For MDS Vulnerabilities Unearthed on May 14

#1
SDR82
No update for Coffee Lake R? Clearly, according to the reports on the mdsattacks website, the 9900K (Coffee Lake R family) is impacted.
Posted on Reply
#2
trparky
Where is the Intel Microcode Microsoft KB article?
Posted on Reply
#3
Chomiq
Come on guys, it's called Zombieload, MDS is just Intel's PR naming game to ease people into it.
Posted on Reply
#4
Caqde
SDR82, post: 4047817, member: 177992"
No update for Coffee Lake R? Clearly, according to the reports on the mdsattacks website, the 9900K (Coffee Lake R family) is impacted.
Check the second to last entry in the slide 3/14 it's there but isn't called Coffee Lake R. Intel calls it Coffee Lake S (8+2)
Posted on Reply
#5
Upgrayedd
Does anyone know the specific Windows Update for this so we can disable said update?
Posted on Reply
#8
lemonadesoda
Upgrayedd, post: 4047892, member: 148293"
Does anyone know the specific Windows Update for this so we can disable said update?
This. Never mind the technical vulnerability, how many PCs will bluescreen after another forced W10 update, or firmware update, and what is the performance impact after update?
Posted on Reply
#10
Aquinus
Resident Wat-man
Hey, look at that, a microcode update.
code:

intel-microcode/bionic-updates,bionic-security 3.20190514.0ubuntu0.18.04.2 amd64 [upgradable from: 3.20180807a.0ubuntu0.18.04.1]


I feel like I should run a benchmark or something before installing this. :P
Posted on Reply
#12
Caring1
Good to see my XEON is OS update capable, I don't want to stuff around doing it myself.
Posted on Reply
#14
R-T-B
Chomiq, post: 4047849, member: 185703"
Come on guys, it's called Zombieload, MDS is just Intel's PR naming game to ease people into it.
Even the researchers who discovered it are now calling it MDS.

Zombieload is too sensationalist and is best left to die, regardless of the fact the vulnerability is real. Scary names serve no one.
Posted on Reply
#15
trparky
R-T-B, post: 4048134, member: 41983"
Scary names serve no one.
Just like how it's said that "sex sells", scary words sell as well. It brings in the clicks, hence the fact that it's often called clickbait.
Posted on Reply
#18
Upgrayedd
If you did a fresh install after this update has been put live will the fresh install already have this update implemented? and if doing a fresh install can these various past updates be disabled.

Intel can put out whatever benchmark they want showing insignificant figures, I feel like this is them showing just the recent impact of a single patch and not the impact of all the patches combined. I want to see benchmarks of a fresh Win10 naked (completely free of any patches that have fixed all the recent Spectre flaws and whatever else you want to name) vs a Win10 fully patched.
Posted on Reply
#19
R-T-B
trparky, post: 4048262, member: 170376"
Just like how it's said that "sex sells", scary words sell as well. It brings in the clicks, hence the fact that it's often called clickbait.
And it still serves no one, save the people selling you an agenda.
Posted on Reply
Add your own comment