Windows 10 Microcode updates KB4090007, KB4091663, KB4091664 and KB4091666
Microsoft has revised several updates for the company's Windows 10 operating system. The updates push so-called microcode updates to the devices they are installed on, and these protect against attacks targeting Spectre Variant 2.
Spectre and Meltdown are vulnerabilities that affect a wide range of devices. Microsoft released patches in early January 2018 but they caused all kinds of issues on some devices running Windows. To make matters worse, manufacturers such as Intel had to provide updates as well and these needed to be installed to protect systems effectively.
Tip: You can run InSpectre or Ashampoo Spectre Meltdown Checker on Windows to find out if a Windows PC is vulnerable to attacks.
KB4090007, KB4091663, KB4091664 and KB4091666
Microsoft released KB4090007, KB4091663, KB4091664 and KB4091666 in March 2018 but the initial versions of the updates did not support all processors that Intel created microcode updates for.
Microsoft lists all processors that the patches support. The April 24, 2018 update adds support for the following processor families: Broadwell DE A1, Broadwell DE V1, Broadwell DE V2, V3, Broadwell DE Y0, Broadwell H 43e, Broadwell U/Y, Broadwell Xeon E3, Haswell (including H, S), Xeon E3, Haswell Perf Halo, Haswell Server E, EP, EP4S, Haswell ULT (thanks Deskmodder and Günter Born).
Skylake, Kaby Lake and Coffee Lake processor families were supported already.
Tip: Run InSpectre if you want to know if microcode updates are available. That is a lot easier than having to figure that out on your own.
The microcode updates from Intel protect various versions of Windows 10 from attacks but they are not available on Windows Update or WSUS yet.
Microsoft published the updates on the Microsoft Update Catalog website from where they can be downloaded and installed.
Here are the manual download links:
Note that there is no update for Windows 10 version 1511.
Windows 10 users and administrators may want to download the updates and install them on machines provided that they are powered by processors that microcode updates are available for.
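One way to check a machine before and after installing one of the updates, as an added PowerShell example that is not from the article or from Microsoft: it derives the CPUID signature that Intel's microcode guidance uses (for example 306D4) from the registry, reads the microcode revisions, and lists which of the four KBs Get-HotFix reports. The function names are made up for this example, and reading the revision from the upper four bytes of the registry value is an assumption that holds on Intel systems.

```powershell
# Added example (not from the article): report CPU signature, microcode and KB state.
$kbs    = 'KB4090007', 'KB4091663', 'KB4091664', 'KB4091666'   # KB ids named in the article
$cpuKey = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'

function Get-CpuidSignature {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$Identifier)
    # Identifier looks like "Intel64 Family 6 Model 61 Stepping 4"
    if ($Identifier -notmatch 'Family (\d+) Model (\d+) Stepping (\d+)') {
        throw "Unexpected processor identifier: $Identifier"
    }
    $family   = [int]$Matches[1]
    $model    = [int]$Matches[2]
    $stepping = [int]$Matches[3]
    # CPUID leaf 1 EAX: ext. family [27:20], ext. model [19:16], family [11:8], model [7:4], stepping [3:0]
    $baseFamily = [Math]::Min($family, 15)
    $sig = (($family - $baseFamily) -shl 20) -bor (($model -shr 4) -shl 16)
    $sig = $sig -bor ($baseFamily -shl 8) -bor (($model -band 0xF) -shl 4)
    $sig = $sig -bor $stepping
    '{0:X}' -f $sig
}

function Get-MicrocodeRevision {       # hypothetical helper name
    param([Parameter(Mandatory)][string]$ValueName)
    $raw = (Get-ItemProperty -Path $cpuKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if (($raw -isnot [byte[]]) -or ($raw.Length -lt 8)) { return $null }
    # Assumption: 8-byte REG_BINARY with the revision in the upper 32 bits (little-endian)
    '0x{0:X}' -f [BitConverter]::ToUInt32($raw, 4)
}

$cpu = Get-ItemProperty -Path $cpuKey
# Get-HotFix only lists updates that Windows records as installed hotfixes
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $kbs -contains $_.HotFixID }

[pscustomobject]@{
    Processor        = $cpu.ProcessorNameString.Trim()
    CpuidSignature   = Get-CpuidSignature -Identifier $cpu.Identifier
    # Assumption: "Previous Update Revision" is what the firmware loaded before Windows started
    FirmwareRevision = Get-MicrocodeRevision -ValueName 'Previous Update Revision'
    RunningRevision  = Get-MicrocodeRevision -ValueName 'Update Revision'
    # ReleaseId may be blank on the oldest Windows 10 builds
    WindowsRelease   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
    MicrocodeKBs     = ($installed.HotFixID -join ', ')
}
```

Compare CpuidSignature with the processor list on the KB page, and compare RunningRevision before and after the install and reboot: a running revision higher than the firmware revision means Windows loaded newer microcode at boot.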
Yesterday's microcode updates cover most processor families that Intel wants to support with microcode updates. If you check the master list that Intel released, you will notice that some products are still missing and that some (older) processors won't receive the updates at all.
It is likely that Microsoft will revise the updates again to integrate support for processor families that are not supported yet. I suggest you monitor the relevant KB article pages so that you know when new versions are released.
Now You: are your systems protected against Meltdown or Spectre attacks?
The InSpectre tool has not been updated to work correctly with the 1803 release to determine whether or not the Spectre vulnerability has been patched or not. Wait for release 9 of that tool to see if that one will work with the 1803 version.
Thanks for your comment. Anyway, Microsoft does not have a microcode update for the 1803: https://support.microsoft.com/en-us/help/4093836/summary-of-intel-microcode-updates
KB4090007 update for 1709 was installed with the Intel microcode to mitigate Spectre. I just installed the 1803 and, after using the InSpectre tool, I see that I am vulnerable again and there is no update available from Microsoft.
I really don’t understand it: is my E3-1245 v3 Xeon compatible with KB4090007? Can I install that patch without any harm for my Windows 10?
I installed KB4090007 on my Windows 10 x64 Version 1709 (US build 16299-402) for chip 306D4 (InSpectre version 8) and per Belarc Advisor saying I have 1000 megahertz Intel Core M-5Y10c. Everything seems to be working well.
No matter how many software patches they send out to “protect” against a failed hardware architecture it can be exploited.
What about all backdoors in the hardware we use? Why isn’t that “patched”?
Still no microcode updates for Windows 7 and 8.1 even though MS said they would ship them. Windows 7 is used far more than 10 so that should have been the priority.
@Jeff: “Still no microcode updates for Windows 7 and 8.1 even though MS said they would ship them. Windows 7 is used far more than 10 so that should have been the priority.”
“Should have been the priority” from whose perspective? Microsoft’s customers? Public consumer-protection enforcement authorities, like the Federal Trade Commission? Or Microsoft’s shareholders? The respective answers are “Yes,” “Go away and quit bugging us,” and “Are you kidding me?” (The second and third answers are actually closely related.)
Indeed. I raise my hat to that.
It may be my mis-interpretation, but if the InSpectre tool says that my system is protected from both, then even if it also says that Microcode is available, I don’t need to download the Microsoft update – correct?
The system in question was a very recent fresh install of MS Win 10.
So, if correct, presumably, with both vulnerabilities identified as “protected”, the update was captured in the install, or recent update from MS (though none are labelled KB40900007).
Just want to make sure I am clear on this before I’d jump on a manual install of that update (running Win10 update check does not flag any missing updates).
I’m not 100% sure but if you see protected for both, you should be all set.
Martin. Thanks. What I expected but wanted to be sure.
I have an Ivy Bridge processor, which is not on the list in this batch of Microsoft updates.
However, Intel published a guidance document back in March (this one: https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf ) where, for Ivy Bridge and some other processors, the box in the “Production Status” column has the word “Production” and a yellow background. Some other processors, like the Kaby Lake ones, also have the word “Production” but with a green background.
Does anyone know what that color difference means? Does the yellow mean Intel is still working on it? Or something else?
Intel now says that Ivy Bridge (CPUID 306A9) is in production — green. Will Microsoft re-issue KB4090007 or give us a new update?
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf
That is great news! I suppose there is some delay due to testing between when Intel has given the microcode a green light and when Microsoft (hopefully) can push out an update. I hope Ghacks continues to cover this issue.
“Production” with a yellow background means that the chipset is now ready to be patched when it previously wasn’t available.
As of the time of this comment, Windows hasn’t added Ivy Bridge to its microcode KB yet.
Thank you very much!
2018-04 Update for Windows 10 Version 1709 for x64-based Systems (KB4090007).
This looks good. And … under description it says …
Architecture: AMD64 (KORNfusing?!?!?!?)
Meanwhile, the help link mentions Intel processors supported. It does not support my Xeon E5.
I’ll pass on this one.
Regardless of the situation, using AMD in the name is quite confusing.
AMD developed the 64-bit CPU. Intel’s designs are based on AMD’s work. So, it’s often referred to as AMD64. At one time AMD was ahead of Intel, technology-wise.
It’s also because the IA64 moniker (Intel Architecture 64) was already in use at the time and referred to Itanium. Hence with AMD designing the 64bit extensions for x86, it is sometimes referred to as AMD64, in much the same way that the 32bit version of x86 has the moniker IA32 (Intel Architecture 32).