One month ago today, Intel told the world that their Meltdown/Spectre patches were a mess. Their advice read something like, “Ooopsie. Those extremely important BIOS/UEFI firmware updates we released a coupla weeks ago are causing Intel machines to drop like bungee cows. In spite of what we told you then, stop installing them now. And if you installed a bad BIOS/UEFI patch, well golly, contact your PC manufacturer to see if they know how to get you out of the mess.”
Intel now says it has released really new, really good firmware versions for most of its chips.
Intel chips covered, and those not covered
Scanning the official Microcode Revision Guidance dated February 20, 2018 (PDF), you can see that Coffee Lake, Kaby Lake, Bay Trail and most Skylake chips are covered. On the other hand, Broadwell, Haswell, and Sandy Bridge chips still leave brown skid marks.
Security Advisory INTEL-SA-00088 has been updated with this squib:
We have now released new production microcode updates to our OEM customers and partners for Kaby Lake, Coffee Lake, and additional Skylake-based platforms. As before, these updates address the reboot issues last discussed here, and represent the breadth of our 6th, 7th and 8th Generation Intel® Core™ product lines as well as our latest Intel® Core™ X-series processor family. They also include our recently announced Intel® Xeon® Scalable and Intel® Xeon® D processors for datacenter systems. We continue to release beta microcode updates for other affected products so that customers and partners have the opportunity to conduct extensive testing before we move them into production.
Intel goes on to recommend basically the same stuff they recommended last time, with a specific call-out:
We continue to recommend that OEMs, cloud service providers, system manufacturers, software vendors, and end users stop deployment of previously released versions of certain microcode updates addressing variant 2 (CVE-2017-5715), as they may introduce higher-than-expected reboots and other unpredictable system behavior.
We also continue to ask that our industry partners focus efforts on evaluating the beta microcode updates.
For those concerned about system stability while we finalize these updated solutions, earlier this week we advised that we were working with our OEM partners to provide BIOS updates using previous versions of microcode not exhibiting these issues, but that also removed the mitigations for ‘Spectre’ variant 2 (CVE 2017-5715).
Microsoft also provided two resources for users to disable original microcode updates on platforms exhibiting unpredictable behavior:
For most users – An automatic update available via the Microsoft® Update Catalog which disables ‘Spectre’ variant 2 (CVE 2017-5715) mitigations without a BIOS update. This update supports Windows 7 (SP1), Windows 8.1, and all versions of Windows 10 – client and server.
For advanced users – Refer to the following Knowledge Base (KB) articles:
KB4073119: IT Pro Guidance
KB4072698: Server Guidance
Both of these options eliminate the risk of reboot or other unpredictable system behavior associated with the original microcode update and retain mitigations for ‘Spectre’ variant 1 and ‘Meltdown’ variant 3 until new microcode can be loaded on the system.
The “For most users” update is KB 4078130, the surprise Friday evening patch, released on Jan. 26, which I discussed almost a month ago:
On Friday night, Microsoft released a strange patch called KB 4078130 that “disables mitigation against Spectre, variant 2.” The KB article goes to great lengths describing how Intel’s the bad guy and its microcode patches don’t work right:
There aren’t any details, but apparently this patch — which isn’t being sent out the Windows Update chute — adds two registry settings that “manually disable mitigation against Spectre Variant 2.”
Rummaging through the lengthy Microsoft IT Pro Guidance page, there’s an important warning:
Customers who only install the Windows January and February 2018 security updates will not receive the benefit of all known protections against the vulnerabilities. In addition to installing the January and February security updates, a processor microcode, or firmware, update is required. This should be available through your OEM device manufacturer.
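If you want to know where your own PC stands in all this, here is a PowerShell script I am adding to this post (it is not part of the original write-up, and it is not Microsoft's or Intel's code). It reads the two registry values that KB4073119 documents as the Spectre variant 2 switch, shows which microcode revision Windows loaded so you can compare it against Intel's Microcode Revision Guidance for your CPU model, and runs Microsoft's Get-SpeculationControlSettings if that module is installed. The value names (FeatureSettingsOverride, FeatureSettingsOverrideMask, the CentralProcessor\0 “Update Revision” layout) and the bit meanings are from my own reading of the KB article and the CPU documentation, so treat them as assumptions and check them against the KB before relying on the output.

```powershell
# Added example, not code from the original post, Microsoft or Intel.
# Reads the Windows registry switch that KB4073119 documents for the Spectre
# variant 2 (CVE-2017-5715) mitigation, shows the microcode revision Windows
# loaded, and runs Microsoft's Get-SpeculationControlSettings if it is installed.
# Registry names and bit meanings below are from my reading of KB4073119 and are
# assumptions to verify against the KB article.

$mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$props = Get-ItemProperty -Path $mmKey -ErrorAction SilentlyContinue
$override = $props.FeatureSettingsOverride
$mask     = $props.FeatureSettingsOverrideMask

if ($null -eq $override -or $null -eq $mask) {
    Write-Output 'FeatureSettingsOverride/FeatureSettingsOverrideMask not set: Windows defaults apply (mitigations on where the microcode supports them).'
} else {
    # Assumption from KB4073119: bit 0 of (Override AND Mask) disables variant 2
    # (branch target injection); bit 1 disables variant 3 (Meltdown).
    # KB4078130 writes Override=1, Mask=1, i.e. variant 2 off, Meltdown fix kept.
    $effective  = $override -band $mask
    $v2Disabled = ($effective -band 1) -ne 0
    $v3Disabled = ($effective -band 2) -ne 0
    Write-Output ("FeatureSettingsOverride={0} FeatureSettingsOverrideMask={1}" -f $override, $mask)
    Write-Output "Spectre variant 2 mitigation disabled by registry policy : $v2Disabled"
    Write-Output "Meltdown variant 3 mitigation disabled by registry policy: $v3Disabled"
}

# Microcode revision at boot. Assumption: 'Update Revision' holds the raw 64-bit
# IA32_BIOS_SIGN_ID MSR value and the revision sits in its upper 32 bits.
# Compare the hex revision for your CPU model against Intel's Microcode
# Revision Guidance to see whether you are on a production or a pulled release.
$cpu = Get-ItemProperty -Path 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
Write-Output "CPU: $($cpu.ProcessorNameString) ($($cpu.Identifier))"
if ($cpu.'Update Revision' -and $cpu.'Update Revision'.Length -ge 8) {
    $rev = [BitConverter]::ToUInt32($cpu.'Update Revision', 4)
    Write-Output ('Loaded microcode revision: 0x{0:X}' -f $rev)
}
# Assumption: 'Previous Update Revision' is the revision the BIOS/UEFI supplied
# before Windows' own microcode loader ran, so the two differ when Windows
# updated the microcode itself.
if ($cpu.'Previous Update Revision' -and $cpu.'Previous Update Revision'.Length -ge 8) {
    $prev = [BitConverter]::ToUInt32($cpu.'Previous Update Revision', 4)
    Write-Output ('Microcode revision before the OS-side update: 0x{0:X}' -f $prev)
}

# Microsoft's SpeculationControl module (Install-Module SpeculationControl) reports
# whether hardware support, Windows support and policy line up for each variant.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings
} else {
    Write-Output 'SpeculationControl module not installed; run Install-Module SpeculationControl for the per-variant status.'
}
```

Run it from a normal (non-elevated) PowerShell prompt; everything it touches under HKLM is readable by standard users. The useful signal is the combination: if the script reports variant 2 “disabled by registry policy” you have KB 4078130's setting in place, and if the loaded microcode revision is older than the one Intel lists as production for your CPU, a Windows patch alone is not going to give you the variant 2 mitigation, which is exactly the warning in the IT Pro Guidance quoted above.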
Microsoft firmware update for Surface Pro 3
In what must be an amazing coincidence, last night Microsoft released a firmware update for the Surface Pro 3. It’s currently available as a manual download (“MSI format”) for Surface Pro 3. I haven’t seen it come down the Windows Update chute. Perhaps Microsoft is beta testing it once again. Per Brandon Records on the Surface blog:
We’ve released a new driver and firmware update for Surface Pro 3. This update includes new firmware for Surface UEFI which resolves potential security vulnerabilities, including Microsoft security advisory 180002.
This update is available in MSI format from the Surface Pro 3 Drivers and Firmware page at the Microsoft Download Center.
Except, golly, the latest version of the patch on that page (as of 10 am Eastern US time) is marked “Date Published 1/24/2018.” The official Surface Pro 3 update history page lists the last firmware update for the SP3 as being dated Oct. 27, 2017.
And, golly squared, Microsoft Security Advisory 180002 doesn’t even mention the Surface Pro 3. It hasn’t been updated since Feb. 13. It links to the Surface Guidance to protect against speculative execution side-channel vulnerabilities page, KB 4073065, which doesn’t mention the Surface Pro 3 and hasn’t been updated since Feb. 2.
You’d have to be incredibly trusting — of both Microsoft and Intel — to manually install any Surface firmware patch at this point. Particularly when you realize that not one single Meltdown or Spectre-related exploit is in the wild. Not one.