Microsoft said today that it would take Intel CPU microcode updates meant to fix the Spectre v2 vulnerability and ship these updates to users via a Windows update package.
The announcement is a change of direction in regards to Microsoft’s position towards the Meltdown and Spectre patching process.
The complicated Spectre v2 patching process
Meltdown and Spectre (v1 and v2) are three vulnerabilities that affect a large number of modern CPUs.
Microsoft (and other OS makers) have supplied OS-level updates to address the Meltdown and Spectre v1 vulnerabilities and said that CPU makers, such as Intel, must issue so-called microcode (CPU firmware) updates that will need to be installed separately.
PC owners have been waiting for these updates since early January when the Meltdown and Spectre flaws became public. Intel (and other CPU makers) were supposed to release these microcode updates so that OEMs would integrate them as motherboard firmware updates that users could download and install.
Intel released an initial batch of microcode updates but was forced to withdraw them after reports of increased system reboots.
Starting February, Intel began releasing new microcode updates meant to fix Spectre v2. It first released updates for some Skylake CPUs, then followed with a second batch for Kaby Lake, Coffee Lake, and more Skylake processors, and this week with a third batch for Broadwell and Haswell processors.
But applying these updates will be a hell for many users because they’ll either need to download them manually from Intel’s site, or wait for a motherboard firmware update from their OEM (PC/notebook seller). Most users are unaware they have to do this.
Microsoft steps in to save the day
This is where Microsoft has decided to step in. The company announced today that it will help deliver some of these microcode updates to Windows users.
Microsoft released today the first of such updates —KB4090007. This update package deploys Intel microcode updates that fix the Spectre Variant 2 vulnerability (CVE 2017-5715 [Branch Target Injection]).
KB4090007 is only available for Windows 10 version 1709 (Fall Creators Update) & Windows Server version 1709 (Server Core). The update package is for Intel Skylake CPU owners only.
To read the original article: