Intel CPU

Microsoft said today that it would take Intel CPU microcode updates meant to fix the Spectre v2 vulnerability and ship these updates to users via a Windows update package.

The announcement is a change of direction in regards to Microsoft's position towards the Meltdown and Spectre patching process.

The complicated Spectre v2 patching process

Meltdown and Spectre (v1 and v2) are three vulnerabilities that affect a large number of modern CPUs.

Microsoft (and other OS makers) have supplied OS-level updates to address the Meltdown and Spectre v1 vulnerabilities and said that CPU makers, such as Intel, must issue so-called microcode (CPU firmware) updates that will need to be installed separately.

PC owners have been waiting for these updates since early January when the Meltdown and Spectre flaws became public. Intel (and other CPU makers) were supposed to release these microcode updates so that OEMs would integrate them as motherboard firmware updates that users could download and install.

Intel released an initial batch of microcode updates but was forced to withdraw them after reports of increased system reboots.

Starting February, Intel began releasing new microcode updates meant to fix Spectre v2. It first released updates for some Skylake CPUs, then followed with a second batch for Kaby Lake, Coffee Lake, and more Skylake processors, and this week with a third batch for Broadwell and Haswell processors.

But applying these updates will be a hell for many users because they'll either need to download them manually from Intel's site, or wait for a motherboard firmware update from their OEM (PC/notebook seller). Most users are unaware they have to do this.

Microsoft steps in to save the day

This is where Microsoft has decided to step in. The company announced today that it will help deliver some of these microcode updates to Windows users.

Microsoft released today the first of such updates —KB4090007. This update package deploys Intel microcode updates that fix the Spectre Variant 2 vulnerability (CVE 2017-5715 [Branch Target Injection]).

KB4090007 is only available for Windows 10 version 1709 (Fall Creators Update) & Windows Server version 1709 (Server Core). The update package is for Intel Skylake CPU owners only. The update will not be delivered automatically to all users, but they'll have to visit the Windows Update Catalog, download the approparite package and run it on their PCs.

Product Names (CPU) Public Name CPUID Intel Microcode Update Revision Microsoft Update Standalone Package Version
Skylake H/S 6th Generation Intel Core Processor Family 506E3 0xC2 V1.001
Skylake U/Y & Skylake U23e 6th Generation Intel Core m Processors 406E3 0xC2 V1.001

Microsoft exec John Cable (Director of Program Management, Windows Servicing and Delivery) also said Microsoft and Intel are working on other Windows updates for more microcode fixes, for other Windows versions and processor series.

Related Articles:

Windows 10 KB4100347 Intel CPU Update Causing Boot Issues & Pushed to AMD Users

Researchers Disclose New Foreshadow (L1TF) Vulnerabilities Affecting Intel CPUs

Microsoft September 2018 Patch Tuesday Fixes 16 Critical Vulnerabilities

Microsoft Releases Windows 10 Cumulative Updates KB4346783 and KB4343893

Microsoft Plans to Make Monthly Windows 10 Updates Smaller in Size