[German]Microsoft has released a set of microcode updates for various Windows 10 builds. These updates are intended to protect various processors against the Spectre V2 vulnerability. Here is some information about the updates, as well as chaos in the KB descriptions. There is also an addendum about WSUS and (revised) microcode updates, which should not have been delivered, but which are now available again.
Microcode updates for Windows 10
I received notifcations from my German blog readers as comments and also e-mails (thanks for that). There are several microcode updates for Intel processors, released from Microsoft. Below are links pointing to Microsoft Update Catalog.
- KB4100347: Windows 10 V1803/ Server 2016 (1803)
- KB4090007: Windows 10 V1709/ Server 2016 (1709)
- KB4091663: Windows 10 V1703
- KB4091664: Windows 10 V1607/ Server 2016
- KB4091666: Windows 10 V1507 (RTM)
Windows 10 V1511 is missing, because it’s out of support. According to this kb article microcode updates has been released for the following Intel processors.
- Broadwell Server E, EP, EP4S
- Broadwell Server EX
- Skylake Server SP (H0, M0, U0)
- Skylake D (Bakerville)
- Skylake X (Basin Falls)
Details on the individual processor variants can be found in the KB articles (hoped that the information is accurate). The microcode updates are intended to mitigate the Spectre Variant 2 (CVE 2017-5715 [“Branch Target Injection”]) vulnerability.
According to the KB article, the standalone update is provided via Windows Update and WSUS, but can also be downloaded from the Microsoft Update Catalog and then installed manually.
Conflicting statements in KB articles
While browsing the Microsoft KB articles I had read the hint at KB4090007 that the microcode updates were ‘standalone’ and only available via Microsoft Update Catalog.
A few lines below the same kb article states, that the update is also available via WSUS and Windows Update. KB4091664, for example, has the same information, but KB4100347 lacks this information – tha’s all confusing in my opinion.
Important: And another very important piece of information for Windows Server. While the microcode updates for the clients become active immediately, Microsoft states in the KB articles that certain registry keys must be set on Windows servers. Blog reader Karl pointed out some time ago in this German comment that the Microsoft information was wrong. I had taken up this on Twitter – here and here are corresponding tweets.
Note: After the installation of the microcode update KB4100347 my Windows 10 V1803 test machine appears to be much slower. It took 10 – 20 seconds after selecting Settings – Update & Security – Update until the right column of the settings page was filled with content. It improved after some time, but the machine feels slower. Also this update for Intel CPU flaws seems to be delivered again also to AMD systems (see this German post).
Microsoft’s Bot (virtual agent)
At this point something funny – Microsoft does AI and rushes bots and agents at all places on the people. Visiting Microsoft’s kb article, I ‘ve had an accounter with thit bot. Here the chat conversion.
The conversion reminds me on talking with a talking doll. The thumb bot didn’t even understand my problem. I was able to select yes or no, but the bot’s questions and answers was really senseless – nothing recognizable from ‘intelligence’. That’s customer service 4.0.
Updates against Spectre V2 for Windows Server 2008 SP2
On this Microsoft page you learn that Microsoft released the update KB4458010 (Windows Server 2008 SP2 Monthly Rollup) or (KB4457984, Security-only) on September 11, 2018 with protection against L1TF (VE-2018-3620 and CVE-2018-3646). I had mentioned the updates in the article Microsoft Patchday: More Updates September 11, 2018. Updates for ARM devices against CVE-2017-5715 – Branch target injection (Spectre, Variant 2) were also released.
Addendum to WSUS and Microcode Updates
At the end of August 2018 I had outlined several issues with microcode updates within my blog post Will Microsoft pull July/August 2018 Microcode updates? Two blog readers, among them Markus B., had pointed out some peculiarities to me. And in the above text I had pointed out the discrepancies in the KB articles regarding the update distribution via WSUS. From blog-reader Markus B. I received today an interesting (supplementary) information:
Last Wednesday was a Microsoft Webcast for the Patchday. It was again mentioned that no microcode updates should come via the WSUS. I then asked MS again and the answer in the chat and on the webcast was that it was a mistake for this [August 2018 Microcode] update to be distributed over the WSUS.
This night these microcode updates were again offered on WSUS – but there was no new revision:
The following picture shows details of one of the last updates, without revision.
According to the change log (which I’ve seen), the update (in the example KB4090007) cannot be removed after the installation. So there it seems to be a lot of confusion at Microsoft. Markus asks: Have others also received messages again? I saw it on 2 WSUS.
Windows 10 users as guinea pigs?
While writing the blog post, I was thinking about whether the Windows 10 users on the clients should serve as guinea pigs. Why?
- According to Microsoft, the microcode updates should not be offered via WSUS, but they are still distributed and installed via Windows Update.
- However, Windows 7/8.1 usually does not get these microcode updates, only Windows 10 is getting updates.
- And on Windows server systems, the administrator must explicitly activate the microcode updates (due to performance problems) via the registry entry.
This makes me wonder about the relevance and importance of these microcode updates against Spectre and Meltdown. I don’t know an attack scenario used ‘in the wild’, which exploits the vulnerabilities. Moreover, the microcode updates makes machines extremely slow – and comes often with trouble on top (some updates are then withdrawn). Also my impression ist, that Apple’s macOS don’t receive patch in that frequency. Or how do you see it?
Adobe Flash Player version 220.127.116.11 released
Microsoft Office-Updates (September 4, 2018)
Microsoft Security Update Summary September 11, 2018
Patchday: Updates for Windows 7/8.1/Server Sept. 11, 2018
Patchday Windows 10-Updates (September 11, 2018)
Patchday Microsoft Office Updates (September 11, 2018)
Microsoft Patchday: Other Updates September 11, 2018