Manage Learn to apply best practices and optimize your operations.

KB 4093836 Summarizes August 2018 Spectre Microcode Updates

On August 21, Microsoft released a spate of Intel-validated microcode updates for various Spectre exploits. These cover the following new items:

  • Spectre Variant 3a (CVE-2018-3640: “Rogue System Register Read (RSRE)”)
  • Spectre Variant 4 (CVE-2018-3639: “Speculative Store Bypass (SSB)”)
  • L1TF (CVE-2018-3615, CVE-2018-3646: “L1 Terminal Fault”)

In fact, KB 4093836 summarizes August 2018 Spectre Microcode Updates, and provides pointers to specific KB items for Windows 10 1803, 1709, 1703, 1607 and the LTSC version.

WU Should Apply Updates from KB 4093836 Summarizes August 2018 Spectre Microcode Updates

Here’s the table of information from KB 4093836. On most affected systems, Windows Update should apply the relevant updates automatically. It did so on all but one of my 8 systems. But the various Win10-specific KB articles that appear in the table also provide links to Windows Catalog items when WU doesn’t pick things up (all entries in column 1 beneath the heading row are hyperlinks; they don’t appear in color because of WordPress weirdnesses).

KB number and description Windows version Source
KB4346084 Intel microcode updates Windows 10, version 1803, and Windows Server, version 1803 Windows Update, Windows Server Update Service, and Microsoft Update Catalog
KB4346085 Intel microcode updates Windows 10, version 1709, and Windows Server 2016, version 1709 Microsoft Update Catalog
KB4346086 Intel microcode updates Windows 10, version 1703 Microsoft Update Catalog
KB4346087 Intel microcode updates Windows 10, version 1607, and Windows Server 2016 Microsoft Update Catalog
KB4346088 Intel microcode updates Windows 10 (RTM) Microsoft Update Catalog

Source: KB4093836; table markup reproduced verbatim.

Who’s Got the Update Ball, This Time?

For previous Spectre (and Meltdown) updates responsibility has ping-ponged around among Intel (and AMD), Microsoft, and motherboard makers. That’s because these exploits occur at the microcode level. Thus, they work on machine-level instructions executed by the processors to exploit certain vulnerabilities. Finally, Microsoft is taking the lead in driving Intel (and AMD also, presumably, and perhaps also ARM as well). They work on patches, then get chipmakers to validate them for new exploits. For now, I’m hopeful this means MS will continue to make new patches as new exploits are discovered. In the ongoing game of “cops-and-robbers” that often characterizes cyber security, somebody has to make sure things stay current!

If you check the individual KBs for specific Windows versions in the preceding table, you’ll soon see if your CPUs are included. If they are, but the corresponding patch doesn’t appear in the update history for related PCs, you’ll want to visit the Microsoft Update Catalog to grab and apply the relevant patch manually.

Note Added Later on 8/24: Intel L1TF Benchmark Results Ban

ZDNet reports in an article entitled “Intel ‘gags’ Linux distros from revealing performance hit from Spectre patches” that the L1TF patch may cause significant enough performance hits that it enjoins software license agreement signatories from publishing benchmark results to document or describe the impact. Guess that means the company’s claim that “there has been no meaningful performance impact observed as a result of mitigations applied” may be in some doubt, eh? You’ll want to keep an eye on this as and when you apply the latest round of microcode updates. But then, you’d planned on testing them in limited in-lab deployment before rolling them out to your users, right?

Note Added 8/25: Users Reporting Patch Targeting Errors & Runtime/Boot Issues

Check out this story: “Windows 10 KB4100347 Spectre patch causing serious issues.” It details some apparent patch targeting errors that lead to boot and other problems at runtime. If this happens to you, remember that you can boot from a recovery disk. Then, use DISM to remove the problem package on the offline image. That works, even if the OS isn’t running well enough to permit an overt uninstall through Windows Update. Wow!

Virtual Desktop