Microsoft has released additional Windows 10 mitigations for the Spectre side-channel flaw revealed in January, with an expanded lineup of firmware (microcode) updates for Intel CPUs that include the Broadwell and Haswell chipsets.
The company released two Windows Update packages addressing Spectre, KB4091666 and KB4078407, both available as manual downloads from the Microsoft Update Catalog portal. The former contains the Intel microcode updates.
RSAC 2018: Tech Giants Form Cybersecurity Tech Accord
AMD Rolls Out Spectre Fixes
Microsoft Fixes 66 Bugs in April Patch Tuesday Release
These latest releases come on the heels of Microsoft’s initial debut of Intel CPU microcode fixes in March, KB4090007, which addressed some Skylake devices running the most broadly installed version of Windows 10. With these additional updates, the firmware lineup now covers most Skylake, Haswell and Broadwell chips.
Microsoft’s decision to help distribute available Intel firmware through Windows updates adds another layer of security for Intel-based processors on top of Intel’s reliance on motherboard and system vendors to package the microcode into BIOS updates for products.
“Windows devices need both software and firmware updates to help protect them against these new vulnerabilities,” John Cable, Microsoft director of Program Management for Windows Servicing and Delivery, wrote in a post in March. “Intel recently announced that they have completed their validations and started to release microcode for newer CPU platforms.”
Earlier in April, Microsoft released operating system updates addressing Spectre for AMD in its Patch Tuesday updates. These Spectre mitigations are for AMD users running Windows 10 (version 1709).
The Spectre and Meltdown security flaws, which were first disclosed by Google Project Zero in early January, impact a range of processors, including those from Intel, ARM and AMD. They could potentially allow hackers to access users’ protected data. In the months since they were publicized, both software and hardware companies have been rushing to figure out the best strategies for issuing patches around the security flaws.
Companies like Intel and Microsoft have hit road bumps along the way. One researcher for instance alleged that the Microsoft January Patch Tuesday update actually made security matters worse. Intel meanwhile in January acknowledged that some companies were reporting reboot issues with both older and newer chips (for both client compute and data center environments) after they patched their devices.