Microsoft releases Spectre variant 2 microcode patches

Microsoft has been working to release the Intel microcode fixes for the Meltdown and Spectre vulnerabilities through Windows Update packages, and the latest updates aim to patch Spectre variant 2 on more devices.

The road to proper patches for Meltdown and Spectre has been long, beginning with initial releases when the issues were first announced in early January. The flaws, which affects speculative execution in Intel, AMD and ARM processors, allows unauthorized users to access sensitive data in memory. Hardware manufacturers had been expected to push out Intel's microcode updates, but Microsoft has been taking on the task of protecting users with Windows updates.

Microsoft released two updates to address Spectre variant 2 (CVE-2017-5715). The software updates apply the Intel microcode patches for the issue to Windows 10 and Windows Server 2016 (KB4078407), as well as fixes to cover more Intel CPU families (KB4091666).

Spectre variant 2 has previously been the focus of failed patches; Microsoft had to rush out a hotfix in late January as Intel's microcode update was found to cause reboot issues on Broadwell and Haswell chipsets. Spectre variant 2 has also been notable because the patches merely protect against the known attack method rather than fixing the underlying issue.

Paul Kocher, an independent security researcher who co-discovered the Spectre flaws, spoke at RSA Conference 2018 about why the vulnerabilities posed significant challenges for mitigation efforts. Kocher said software companies like Microsoft must place "speculation barriers" in source code to prevent attackers from accessing privileged memory, but placing too many barriers in the code will crush performance.

To truly mitigate against Spectre variant 2, Intel has promised hardware changes coming to new chipsets in the second half of 2018. Kocher said during his session at RSA Conference that even those hardware changes might not be enough because chip makers won't full remove speculative execution from their process design because that would drastically impact performance.

In March, Microsoft began releasing patches for Spectre variant 2 beginning with some systems running on Intel's three newest generation processors -- Skylake, Kaby Lake and Coffee Lake. With KB4091666, Microsoft has added more Skylake CPU models as well as Broadwell and Haswell chipsets in the Intel Pentium, Celeron, Core and Xeon lines.

Microsoft noted that advanced users could enable the Spectre variant 2 mitigations with manual registry edits and suggested that users check device manufacturer's and Intel's websites for microcode recommendations "before applying this update to your device."