Microsoft Rolls Out Software And Firmware Updates To Foil Spectre And Meltdown


Microsoft Thursday announced the availability of mitigations against the Spectre and Meltdown processor vulnerabilities for additional devices and versions of Windows 10.

Microsoft, Redmond, Wash., said the updates include both software and firmware/microcode updates, and also said progress has been made to ensure that anti-virus from major security vendors is compatible with the Windows mitigations against Spectre and Meltdown.

On the software front, Microsoft said that x86 editions of Windows 10 are now covered by updates containing protections against the processor vulnerabilities. A prior Windows 10 update related to Spectre and Meltdown had addressed 64-bit editions of the software.

In terms of firmware/microcode, Microsoft is making available microcode updates to devices running the Windows 10 Fall Creators Update and Intel's sixth-generation processors, dubbed Skylake. The Fall Creators Update is the most widely installed Windows 10 version, Microsoft said.

Intel initially had released the new microcode updates for Skylake on Feb. 21. The update can be downloaded from Microsoft's Update Catalog site, although Windows manufacturers such as HP, Dell and Lenovo will be doing much of the distribution for the firmware updates.

Microsoft is not yet making available microcode updates for devices running Intel's eighth-generation (Coffee Lake) and seventh-generation (Kaby Lake) processors, which Intel also had released Feb. 21. "We will continue to work with chipset and device makers as they offer more vulnerability mitigations," wrote John Cable, Microsoft's director of program management for Windows servicing and delivery, in a blog post.

"We were excited to see that additional microcode updates were released by Microsoft, and that Intel continues to work hard to cover additional scenarios," said Reed Wiedower, CTO of New Signature, a Washington, D.C.-based Microsoft partner.

All commercial businesses, he said, should be taking advantage of the new Windows Analytics functionality that Microsoft launched earlier in February, which provides guidance to organizations through the Upgrade Readiness tool.

"As more and more of these firmware updates are released, a properly configured organization will begin to see their Upgrade Readiness portal indicate greater levels of protection in real time, restoring confidence they are safe," Wiedower told CRN. "Larger organizations in particular, with a diverse set of devices and firmware updates, are best served through a tool such as this, especially when it is included in the cost of Windows itself, and not through an additional charge."

Meanwhile, Microsoft also has been "working closely with our anti-virus [AV] partners on compatibility with Windows updates, resulting in the vast majority of Windows devices now having compatible AV software installed," Cable wrote.

"The continued focus of our work with our AV partners and customers is to manage the risk of compatibility issues, especially those that result from AV software that makes unsupported calls into Windows kernel memory," he wrote. "Due to this potential risk, we require that AV software is up to date and compatible. We will continue to require that an AV compatibility check is made before delivering the latest Windows security updates via Windows Update until we have a sufficient level of AV software compatibility."

The Spectre and Meltdown vulnerabilities were revealed at the beginning of January and affect chips from vendors including Intel, AMD and ARM.

The flaws account for three variants of a side-channel analysis security issue in server and PC processors and potentially could enable hackers to access protected data.

Microsoft has been quick to provide information and transparency in its efforts throughout the process of addressing Spectre and Meltdown, according to Ric Opal, senior director at Oak Brook, Ill.-based SWC Technology.

At the same time, "the partner has to own part of this," Opal told CRN previously.

"You have to be in tune as a partner for all the guidance and capabilities Microsoft is delivering you. There's an enormity of data. You as a partner have to recognize this is important," Opal said.

While vendors such as Intel and Microsoft continue to work on software and firmware mitigations for the vulnerabilities, Intel has acknowledged that fully solving the issue for its processors will take a hardware fix, which is expected to be available toward the end of 2018.