Intel security update KB4346084 for Windows 10 released - gHacks Tech News

Intel security update KB4346084 for Windows 10 released

Will it ever end? Microsoft released new Intel microcode updates for Windows 10 that install or update protections against various Spectre variants.

The updates are available for Windows 10 versions 1803, 1709, 1703, 1607 and 1507, and currently only available on the Microsoft Update Catalog website.

Günter Born notes that the update will also become available through Windows Update and WSUS, but this does not appear to be the case at this point in time.

The updates KB4346084, KB4346085, KB4346086, KB4346087, KB4346087 and KB4346088 update protections against attacks targeting vulnerabilities in Intel processors that affect most Intel processors.

If you don't know whether your Intel processor is affected try the free tool InSpectre for Windows to find out about it.  You may also run commands from a PowerShell prompt to display vulnerability information.

microsoft intel microsoft update kb4346084

The summary page highlights what the update does:

Intel recently announced that they have completed their validations and started to release microcode for recent CPU platforms that are related to Spectre Variant 3a (CVE-2018-3640: "Rogue System Register Read (RSRE)"), Spectre Variant 4 (CVE-2018-3639: "Speculative Store Bypass (SSB)"), L1TF (CVE-2018-3615, CVE-2018-3646: "L1 Terminal Fault"). In addition to microcode updates previously released in KB4100347​ to address Spectre Variant 2 (CVE 2017-5715: "Branch Target Injection"), this update also includes microcode updates from Intel for the following CPUs.

In other words, the new update adds protection against Spectre variants 3a and 4, and includes previous updates as well that Intel and Microsoft released earlier.

The updates are standalone updates for the version of Windows 10 they have been created for. The mitigations are active immediately on client systems; Server administrators need to make modifications to systems they administrate to apply the protections according to Microsoft.

Windows 10 version 1803 users who check Windows Update may get an updated version of KB4100347 at this point in time. It is unclear why this update is delivered since it has been replaced by the update mentioned below.

Closing Words

I wish Microsoft would make it easier for users and administrators to follow what is going on. Why is there no page on the Microsoft website that lists operating system versions and the patches available for them to deal with Spectre threats?

Summary
Intel security update KB4346084 for Windows 10 released
Article Name
Intel security update KB4346084 for Windows 10 released
Description
Will it ever end? Microsoft released new Intel microcode updates for Windows 10 that install or update protections against various Spectre variants.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:


Previous Post: «
Next Post: »

Comments

  1. Constance said on August 22, 2018 at 10:32 am
    Reply

    How about Windows 7 and 8.1 ? :/

    They’re still eligible to security updates, and can handle CPU microcode updates too, since it has been done before (see KB3064209).

    1. Yuliya said on August 22, 2018 at 10:51 am
      Reply

      They will either release them at a later date or in the next month’s security update pack.

      1. A different Martin said on August 23, 2018 at 8:34 pm
        Reply

        One hopes…

      2. Yuliya said on August 24, 2018 at 10:33 am
        Reply

        A different Martin, by the looks of it this patch has a significant performance impact. For something which is not that easily exploitable (and really if you end up in your system with such malware in the first place, it means you have bigger problems to concern about), I honestly don’t know if it’s worth it.

  2. TelV said on August 22, 2018 at 10:46 am
    Reply

    No need to run any (free) tools. CPUs affected by the vulnerabilities are listed on this Intel site: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

    1. Karol said on August 22, 2018 at 6:24 pm
      Reply

      These list only points to CPUs vulnerable to security advisory INTEL-SA-00161, i.e. L1 Terminal Fault. Also, it does not detect whether your OEM manufacturer has released new BIOS version updating it via CPU microcode, so OS patch is not required.

  3. anonymat said on August 22, 2018 at 11:13 am
    Reply

    I installed KB4346084, and rebooted the machine. They’re both listed.
    Should I remove KB4346084, or leave it?

    1. Martin Brinkmann said on August 22, 2018 at 2:06 pm
      Reply

      Good question: I’m not sure to be honest but would probably remove the replaced update as it is no longer needed or keep it if you don’t notice any issues.

    2. anonymat said on August 22, 2018 at 2:30 pm
      Reply

      Meant to say, should I remove KB4100347 or leave it*

  4. pHROZEN gHOST said on August 22, 2018 at 2:36 pm
    Reply

    The 5MHz Z80c processor in my 1982 Kaypro II is not vulnerable.

    Chuckles …

  5. Kofi said on August 22, 2018 at 3:50 pm
    Reply

    Thanks for posting the past version of all these KB updates.
    Interesting that 1511 isn’t there, but 1507 is. (Not that it should matter, most of us have updated anyway)

    1. EP said on August 22, 2018 at 6:57 pm
      Reply

      that’s because the v1511 release of Win10 Home/Pro ended October 2017 and the v1511 release of Win10 Education/Enterprise ended April 2018, Kofi. MS did not bother offering new microcode updates for 1511 at all.

  6. seeprime said on August 22, 2018 at 4:02 pm
    Reply

    Woody, of Ask Woody, says there is no need to install these updates as there are zero instances of the specific vulnerabilities being exploited.

  7. dmacleo said on August 22, 2018 at 4:19 pm
    Reply

    not in wsus yet will wait and see then test

  8. John Fenderson said on August 22, 2018 at 4:55 pm
    Reply

    “Will it ever end?”

    No, it won’t, at least until the compromised Intel chips are physically replaced. The thing is that no microcode changes can eliminate the underlying flaw. All that can be done is to prevent specific ways to leverage that flaw — but there are so many different specific ways that all Intel can do is play a constant game of wack-a-mole.

  9. John said on August 22, 2018 at 6:18 pm
    Reply

    “Windows 10 versions 1803, 1709, 1703, 1607 and 1507″… five versions in three years. All of them plenty of cumulative problems and never ending freak and unexpected issues. And this september 1809, another one to the hall of fame of ridiculousness and hilarious Microsoft’s history. Please, someone to stop this madness and let common users to have an LTSB W10 free, please!

  10. Karol said on August 22, 2018 at 6:32 pm
    Reply

    Martin, this is not complete as you missed L1TF:
    In other words, the new update adds protection against Spectre variants 3a and 4, and includes previous updates as well that Intel and Microsoft released earlier.

    To correct this fact and bring some light (as part of my work is securing our HW against these vulnerabilities), there were only 3 waves of CPU vulnerabilities that you have to fix on hardware CPU level (we skip IME portion of its own vulnerabilities).

    1 – Spectre AKA Variant 2 (CVE 2017-5715), BIOSes released in December with fixes in February
    2 – Variant 3a and Variant 4 (Intel-SA-00115), BIOSes released in July (our DELL stock has them)
    3 – L1 Terminal Fault (Intel-SA-00161), BIOSes not yet available

    First one requires OS hotfix as well to fully mitigate the vulnerability. As mentioned, OEM manufacturer released CPU microcode updates via BIOS firmware to address them.

    Instead of waiting for your OEM to release BIOS update to fix it on HW level, Microsoft released above software patches that update microcode before booting into Windows. So BIOS update is not required.

    It does have a catch.
    – Is only for Windows 10
    – Is only for 6th generation of HW (Skylake and above)

    So for production machines out there you still need BIOS update to fix it on hardware level.

  11. gnu said on August 22, 2018 at 6:52 pm
    Reply

    This is great, But GNU/Linux etc are left out of the article.

  12. pHROZEN gHOST said on August 23, 2018 at 2:14 am
    Reply

    Be scared. Be very scared!

    Intel will release new chips which do not have the current issues.
    Many of us will rush out and buy them. Good move right?
    Then a new flaw will be discovered.

    1. John Fenderson said on August 27, 2018 at 5:10 pm
      Reply

      @pHROZEN gHOST: “Many of us will rush out and buy them.”

      Intel won’t be coming out with “fixed” chips in the near future, though. Personally, I’ve begun the process of replacing all of my machines that run on Intel chips with ones that don’t (and that don’t engage in speculate execution). This replacement process will probably take me a couple of years, but will be worth it in the end, and I don’t have to wait around for Intel. Plus it will be nice to stop relying on Intel — given how they’ve handled this fiasco, that can’t be a bad thing.

  13. Bill said on August 23, 2018 at 3:29 am
    Reply

    When will it end? Well Intel says they are releasing the new processors by the end of the year, but the old processors will linger for decades to come. Cross your fingers that the new processors don’t have hidden security issues.

  14. John said on August 23, 2018 at 8:15 am
    Reply

    I wonder how many more of these performance sapping updates to Intel CPUs it will take before they perform like my overclocked FX6300. :)

  15. A different Martin said on August 23, 2018 at 8:33 pm
    Reply

    What’s the status of Spectre patches for AMD systems?

  16. here it comes said on August 24, 2018 at 4:50 am
    Reply

    @ gnu

    >This is great, But GNU/Linux etc are left out of the article.

    Perens: Intel Publishes Microcode Security Patches, No Benchmarking Or Comparison Allowed
    https://lwn.net/Articles/763284/

    “Bruce Perens looks at the license agreement for Intel’s latest CPU microcode update and does not like what he sees. “So, lots of people are interested in the speed penalty incurred in the microcode fixes, and Intel has now attempted to gag anyone who would collect information for reporting about those penalties, through a restriction in their license. Bad move.””

    https://perens.com/2018/08/22/new-intel-microcode-license-restriction-is-not-acceptable/

  17. CalixtoVWR1 said on August 25, 2018 at 9:32 pm
    Reply

    I don’t think it is a good idea to run InSpectre to find out about one’s protection status in regards to these new flaws, namely 3a, 4, L1TF. GRC has not updated its little app (InSpectre) for a while now, so I don’t think it can give one a fair account of what one is up against.

    1. WasItMe said on August 27, 2018 at 9:48 am
      Reply

      Right, especially because Microsoft updated the SpeculationControl PowerShell script to include the latest checks.

      1. CalixtoVWR1 said on August 28, 2018 at 6:36 pm
        Reply

        In other words and in a nutshell, one is better off running the updated Speculation control PowerShell from Microsoft to have a sound evaluation of one’s protection against these new flaws. I wish I could have the link to the Microsoft’s page for this..

        Maybe Martin can help or anyone else reading this article.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.