Post by PeterC Post by MowGreen
From what I've seen and read so far, this month's Win 7 security
'rollup' update KB4088875, is causing blue screens -
The state of the update after its post-reboot operation has completed is
No shit, Sherlock!
Happened to my Win x86 box, which resulted in a 'Start up repair' that
brought it back to life.
Then Windows Update offered the February 'Quality' Rollup, which
AskWoody has a thread on the issues with KB4088875 but I can't access
it due to a 'Gateway failure' which, I'm assuming, is being caused by
too many web site visitors.
A Googley search shows MS has stopped pushing the patch via WU and will
most likely pull it, quietly. Like a 'one cheek sneak'.
Hold off on that patch as it's still showing in the WU Catalog. It bit
me, don't let it byte you. ;)
Looking at KB4088875, I decided not to get it as I don't have Internet
Explorer - not even the .exe on the disk
I installed KB4088878 yesterday and it seems to be OK. Apparently it can
break networky-thingys but I don't have those.
According to InSpectre I'm now patched against Meltdown but not against
The microcode is out for Broadwell but still not on Gigabyte's site.
You don't have to wait for a BIOS flash update.
The OS can install one for you, after OS bootup. Right now
this says Windows 10, so in a Windows 7 group, we can stop
reading right here.
Skylake, Kaby Lake, Coffee Lake (no Broadwell, Haswell, Ivy Bridge quite yet)
Those are *not* being put in Windows Update. They're
for private consumption. Like moonshine.
The microcode loader in Windows has *always* been loading
one of those, but at the current time, it's using out of date
versions. Because this particular patch could be performance-affecting,
they're not being forced on people.
Using Linux, you can learn where the master file is located.
At the moment, Linux is using the older monolithic release mechanism,
where the master Intel file with a couple hundred processors in it
is loaded via the microcode loader.
As Windows users, we don't want the whole file.
We want the README :-) The releasenote tells us what
has changed since the last (stable) release November 17
of last year. Presumably Microsoft has been running
November 17 versions on all our computers (via Windows Update)
since last year. November 17 covers any hardware bugs
in CPUs, but has no Meltdown/Spectre coverage.
"RELEASENOTE from microcode-20180312.tgz"
== Updates upon 20171117 release ==
MODEL       STEP   f-mm-s:pf  version
-- New Platforms --
BDX-DE EGW  A0     6-56-5:10  e000009
SKX         B1     6-55-3:97  1000140
-- Updates --
SNB         D2     6-2a-7:12  29->2d
JKT         C1     6-2d-6:6d  619->61c
JKT         C2     6-2d-7:6d  710->713
IVB         E2     6-3a-9:12  1c->1f
IVT         C0     6-3e-4:ed  428->42c            <=== my processor
IVT         D1     6-3e-7:ed  70d->713
HSW         Cx/Dx  6-3c-3:32  22->24
HSW-ULT     Cx/Dx  6-45-1:72  20->23
CRW         Cx     6-46-1:32  17->19
HSX         C0     6-3f-2:6f  3a->3c
HSX-EX      E0     6-3f-4:80  0f->11
BDW-U/Y     E/F    6-3d-4:c0  25->2a              \
BDW-H       E/G    6-47-1:22  17->1d               \
BDX-DE      V0/V1  6-56-2:10  0f->15                \___ five Broadwells
BDW-DE      V2     6-56-3:10  700000d->7000012      /
BDW-DE      Y0     6-56-4:10  f00000a->f000011     /
SKL-U/Y     D0     6-4e-3:c0  ba->c2
SKL         R0     6-5e-3:36  ba->c2
KBL-U/Y     H0     6-8e-9:c0  62->84
KBL         B0     6-9e-9:2a  5e->84
CFL         D0     6-8e-a:c0  70->84
CFL         U0     6-9e-a:22  70->84
CFL         B0     6-9e-b:02  72->84
SKX         H0     6-55-4:b7  2000035->2000043
So that gives a hint as to how much progress Intel
made this week.
This is the version Intel had to pull, because of
problems with a few of them.
RELEASENOTE(pulled).txt from microcode-20180108.tgz file
-- Updates upon 20171117 release --
IVT C0            (06-3e-04:ed)  428->42a          <=== my processor
SKL-U/Y D0        (06-4e-03:c0)  ba->c2
BDW-U/Y E/F       (06-3d-04:c0)  25->28
HSW-ULT Cx/Dx     (06-45-01:72)  20->21
Crystalwell Cx    (06-46-01:32)  17->18
BDW-H E/G         (06-47-01:22)  17->1b
HSX-EX E0         (06-3f-04:80)  0f->10
SKL-H/S R0        (06-5e-03:36)  ba->c2
HSW Cx/Dx         (06-3c-03:32)  22->23
HSX C0            (06-3f-02:6f)  3a->3b
BDX-DE V0/V1      (06-56-02:10)  0f->14
BDX-DE V2         (06-56-03:10)  700000d->7000011
KBL-U/Y H0        (06-8e-09:c0)  62->80
KBL Y0 / CFL D0   (06-8e-0a:c0)  70->80
KBL-H/S B0        (06-9e-09:2a)  5e->80
CFL U0            (06-9e-0a:22)  70->80
CFL B0            (06-9e-0b:02)  72->80
SKX H0            (06-55-04:b7)  2000035->200003c
GLK B0            (06-7a-01:01)  1e->22
And I observed in January, using a recent enough Ubuntu distro,
my processor go from 428->42a and applying the March 12 one
as well, the progression would be 428->41a->42c.
So you can see the version number continues to be bumped.
My BIOS loads 416 on my processor. In Windows I would see
428. In Linux in the middle of January, it read out as 42a.
In March in Linux, it went back to 428 (Linux pulled the
bad one). If I were to do some Linux experiments in the
next few weeks, the Linux one would go to 42c.
If you have a Pentium 4 processor, their release number
hasn't moved since 20171117 and if you checked the microcode
in either file, it's probably the same as a file from 2015.
The newer processors are getting patched first. And they will
work their way back. However, some of the patched processors
will have absolutely no delivery mechanism. (Motherboard company
won't do it, Microsoft won't provide a patch for all OSes.)
So now, even though Windows users can "smell and touch" the
bytes of the updated Microcode, the download file on the
Windows side ("tested") is still "Skylake, Kaby Lake, Coffee Lake".
Microsoft is taking their time. Microsoft is making this an
optional download for people who need the "assurance" of
Spectre protection in hardware via Microcode, to do it
from the OS level.
If your motherboard maker releases Broadwell before Microsoft
does, then sure, you can do it via a BIOS update. For my
Pentium 4 machine, no, no BIOS update will ever be offered,
so that Microsoft download page would be my only option.
And since right now, only Windows 10 gets the microcode
(on that page at the moment), my Pentium 4 is surely...
out of luck. Only the last model or so of Pentium 4 is
Windows 10 compatible. Practically nobody owns one of those :-)
Now, even if you bodge that Microcode into an OS, can the
OS even use it? Intel was proposing some silly knobs to
twiddle with respect to that Microcode, and even if you
hack the file into your OS, the OS won't really use it unless
say, the kernel is modified to use it or something.
There are more details involved than just "delivery",
there are also "usage" issues. And we don't know since the
squabble between Linus Torvalds and Intel, whether Intel
budged on their control mechanism for enabling protection.
For everyone else, go back to updating your Facebook
page now. Nothing to see... Move along... Move along.
At the current time, only around 200 test samples of
malware from Black Hats have been spotted via Virustotal.
The Black Hats are still working on their Meltdown/Spectre
code and have not perfected really good exploits as
of yet. If you use a really up-to-date browser, you
have already received some "timing attack protection"
how Pentium 4 owners running Vista will get their
I'm personally going to feel "warm and fuzzy", right
up until the day the Black Hats tip over my machine :-)
At that point, I won't be able to update my Facebook page.
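
The comparison described in the post above (the revision a Linux box reports versus the revision a RELEASENOTE lists for that CPU signature) can be scripted. This is an added example, not code from the thread or from Intel: the release-note rows are copied from the excerpts quoted above, while the /proc/cpuinfo sample and the function names are constructed for illustration.

```python
import re

# Rows copied from the two RELEASENOTE excerpts quoted in the thread.
NOTE_20180312 = """\
IVT C0 6-3e-4:ed 428->42c
BDW-DE V2 6-56-3:10 700000d->7000012
SKX B1 6-55-3:97 1000140
"""
NOTE_20180108_PULLED = """\
IVT C0 (06-3e-04:ed) 428->42a
"""
# Constructed /proc/cpuinfo excerpt (model 62 == 0x3e), not captured output.
SAMPLE_CPUINFO = """\
cpu family\t: 6
model\t\t: 62
model name\t: constructed sample CPU
stepping\t: 4
microcode\t: 0x428
"""

# f-mm-s:pf (optional parens, zero padding), then "old->new" or one revision.
ROW = re.compile(r"\(?([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+):[0-9a-f]+\)?\s+"
                 r"(?:([0-9a-f]+)->)?([0-9a-f]+)\s*$", re.I)

def parse_releasenote(text):
    """Map (family, model, stepping) -> (previous_rev or None, new_rev)."""
    table = {}
    for line in text.splitlines():
        m = ROW.search(line)
        if m:
            fam, model, step, old, new = m.groups()
            key = (int(fam, 16), int(model, 16), int(step, 16))
            table[key] = (int(old, 16) if old else None, int(new, 16))
    return table

def parse_cpuinfo(text):
    """Return ((family, model, stepping), running_revision) from cpuinfo text."""
    f = dict(re.findall(r"^(cpu family|model|stepping|microcode)\s*:\s*(\S+)",
                        text, re.M))
    sig = (int(f["cpu family"]), int(f["model"]), int(f["stepping"]))
    return sig, int(f["microcode"], 16)

def status(cpuinfo_text, note_text):
    """'older', 'current' or 'not-listed' for this CPU against one release."""
    sig, running = parse_cpuinfo(cpuinfo_text)
    entry = parse_releasenote(note_text).get(sig)
    if entry is None:
        return "not-listed"
    return "current" if running >= entry[1] else "older"
```

On a real Linux machine, pass the contents of /proc/cpuinfo instead of the sample; a revision that only ever appeared in the pulled 20180108 note still reports as older against the 20180312 note.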