Intel Releases Microcode Update

[Fabricio20]

As spotted by grsecurity on Twitter:

 

 

Intel seems to have released a Microcode update yesterday (8th) that covers almost all of their range of processors, including a range of server processors like 64-bit Intel® Xeon(s).

 

It's still unclear as to what this update addresses exactly (confirmed via multiple news sources) but one can speculate, based on TechCrunch's citation of Intel's CEO, Brian Krzanich (quoted below), that these updates will be addressing the previously disclosed CVE-2017-5753, CVE-2017-5715 (Spectre 1, 2) and CVE-2017-5754 (Meltdown).

Quote

Intel expects to issue updates to its processors soon. More than 90 percent will be getting them within the week, and the rest by the end of January.

 

This microcode update comes as a "handy tool" for system administrators managing the Linux platform as it features an after-boot update mechanism:

Quote

The Linux* operating system has a mechanism to update the microcode after booting. For example, this file will be used by the operating system mechanism if the file is placed in the /etc/firmware directory of the Linux system.

Update (11th): Several performance impact reports have been made so far about this and other kernel/bios updates released across the board, most of them show a decrease of up to 6% in performance on (new) Intel Hardware (6th Gen+) and some bigger impacts on older platforms (5th Gen and Below).

[AlTech]

6 minutes ago, Fabricio20 said:

snip

Typo in the title and post.

 

*Microcode

[Mira Yurizaki]

Just now, AluminiumTech said:

Typo in the title.

Not just the title, but everywhere "microcode" should be.

 

Is "micronode" the "labtop" of "microcode"?

[Fabricio20]

Good lord, fixed, thanks for informing me of my stupidity.

[NumLock21]

Where is the windows version? 

[RadiatingLight]

1 hour ago, NumLock21 said:

Where is the windows version? 

Won't work for windows, since windows can't update microcode while it's running AFAIK

[8uhbbhu8]

8 minutes ago, RadiatingLight said:

Won't work for windows, since windows can't update microcode while it's running AFAIK

hmm so I need to boot into my linux live cd then and use that to update the microcode then...  Now that's annoying

[leadeater]

lol so yep the reports of this going back REALLY far is true, microcode updates for Pentium II. I'm surprised Intel even gave a damn about something that old.

 

https://downloadcenter.intel.com/product/49976/Mobile-Intel-Pentium-II-Processor-233-MHz-512K-Cache-66-MHz-FSB

 

Edit:

Even older, Pentium I. https://downloadcenter.intel.com/product/49961/Intel-Pentium-Processor-75-MHz-50-MHz-FSB

[NumLock21]

55 minutes ago, RadiatingLight said:

Won't work for windows, since windows can't update microcode while it's running AFAIK

So got to wait for mobo to release a new bios with microcode update then.

[leadeater]

6 minutes ago, NumLock21 said:

So got to wait for mobo to release a new bios with microcode update then.

If you're on a older system it's going to be rather likely you will not get a bios update and you will need to use a Linux Live CD.

[TetraSky]

So, how do I know if it's installed or not?
I followed the steps to install it through VMware CPU Microcode Update Driver, it said it was successful with 0 error, but, how do I check that.

In HWiNFO, I get this : 
Microcode Update Revision:  7

[TheCherryKing]

Will this work with qualified sample processors(not engineering samples)?

[NumLock21]

44 minutes ago, leadeater said:

If you're on a older system it's going to be rather likely you will not get a bios update and you will need to use a Linux Live CD.

Didn't Win10 include linux built in or something. Maybe I can use that to update.

[elkenrod]

why are we trying to update microcode on every processor from the past 20 years again?

[PianoPlayer88Key]

Hmm ... Any chance it could be run in a Linux VM inside Windows?  I'm guessing not, so looks like I might have to make a bootable Linux USB for my laptop to update its i7-6700K.  (I have a partition set aside for Linux, but it's not installed.  I had Linux on a Seagate HDD, but it suddenly developed a lot of bad sectors, so I took it out of service.)

 

I have Linux installed on my desktop, though, so I should be able to update the i7-4790K that way.

 

Or, what's the chance Clevo or ASRock might push BIOS updates for the P750DM-G and Z97 Extreme6, respectively...

[Sniperfox47]

12 hours ago, 8uhbbhu8 said:

hmm so I need to boot into my linux live cd then and use that to update the microcode then...  Now that's annoying

 

10 hours ago, NumLock21 said:

Didn't Win10 include linux built in or something. Maybe I can use that to update.

Just to be clear, it's not something where you just update it and it's good. The update needs to be either embedded into the UEFI or BIOS of your motherboard so it can be loaded into your processor when it powers on, or it needs to be patched into the CPU at runtime every time the system is rebooted.

 

Windows versions since at least Windows 7 (possibly Vista? Appreciate clarification.) have supported live Microcode updates the same way as the Linux Firmware Tool does. These used to be distributed automatically via Windows update, but they haven't been used in a few years afaik.

 

Can someone with the January 9 Security update but no UEFI update check their Microcode Version inside Windows? With the seriousness of this issue, I would be surprised if MS didn't distribute updated Microcode for post-boot.

[Donut417]

If I can use Linux to update my older i5 3570K system then cool. I have 50GB set a side on my SSD for a Linux install. Just trying to find the right distro. Any one use the new Version of Ubuntu since they returned to GNOME? 

[AshleyAshes]

14 hours ago, leadeater said:

lol so yep the reports of this going back REALLY far is true, microcode updates for Pentium II. I'm surprised Intel even gave a damn about something that old.

Despite it's age, there's likely Pentium II's and other weirdly old hardware out there running in 'turn key' type systems and failing to release an update when they are able to do so could potentially open them up to additional legal consequences.  I imagine their lawyers are busy enough without dealing with more ramifications if Intel half asses it.

[Zodiark1593]

12 hours ago, elkenrod said:

why are we trying to update microcode on every processor from the past 20 years again?

I've seen the DMV fairly recently still using DOS systems.

[Donut417]

12 hours ago, elkenrod said:

why are we trying to update microcode on every processor from the past 20 years again?

Before I left my job at Sam's Club in 2015, they were still using Windows XP. My friend used to do tech support for Sears/KMart Stores, they were using Windows 3.11. So yeah, lots of business rely on old hardware. 

[AnonymousGuy]

5 minutes ago, AshleyAshes said:

Despite it's age, there's likely Pentium II's and other weirdly old hardware out there running in 'turn key' type systems and failing to release an update when they are able to do so could potentially open them up to additional legal consequences.  I imagine their lawyers are busy enough without dealing with more ramifications if Intel half asses it.

As someone with a Pentium 2 running right now, believe me those machines are highly unlikely to be exposed to any attack vectors.  You can't run anything > Windows XP on them, and the vast majority of modern browsers also will not work due to the CPU's lack of modern instruction sets.

 

100% this is a "because then in court we can say we were thorough"

[AshleyAshes]

Just now, AnonymousGuy said:

As someone with a Pentium 2 running right now, believe me those machines are highly unlikely to be exposed to any attack vectors.  You can't run anything > Windows XP on them, and the vast majority of modern browsers also will not work due to the CPU's lack of modern instruction sets.

 

100% this is a "because then in court we can say we were thorough"

Yes but you also have to considder how many turn key POS, buisness, and industrial systems run old computer systems because the machines that did their job fine 20 years ago, still work, so replacing them is simply a waste of money because the job has never changed.  All of them could potentially be targets for a wide range of reasons.

 

This isn't at time for 'Yeah, but what are the odds?' unless the odds are literally zero.

[AnonymousGuy]

4 minutes ago, AshleyAshes said:

Yes but you also have to considder how many turn key POS, buisness, and industrial systems run old computer systems because the machines that did their job fine 20 years ago, still work, so replacing them is simply a waste of money because the job has never changed.  All of them could potentially be targets for a wide range of reasons.

 

This isn't at time for 'Yeah, but what are the odds?' unless the odds are literally zero.

The only attack vector, I'm saying, would basically be someone physically sitting in front of these machines.  Even if they're connected to the internet, which is unlikely due to the difficulty I describe, there's a very low chance they're even running a browser capable of loading the scripts that would be needed to deliver one of these exploits.  Not to mention why would anyone even be browsing the internet from a machine that old?

[AshleyAshes]

1 minute ago, AnonymousGuy said:

The only attack vector, I'm saying, would basically be someone physically sitting in front of these machines.

Never heard of industrial and corporate espionage or sabotage?  The attract vector very well COULD be someone in the physical location.  When you say there is 'a very low chance' what you are also saying is 'There is a chance'.

[Matu20]

So why is this bug so important now? It's been there for years and suddenly every third news topic is about that.