• Patch Lady – Microcode confusion

    Patch Lady here on the Microcode updates.

    So here’s my take on all of this:

    Unless you are a nation state, have a key asset in a cloud server, or are running for a government office, I think we are spending way way more time worrying about this than we should. I still think that attackers will nail me with malware, attack me with phishing, ransomware, etc., way more than someone will use these side-channel attacks to gain information from me. Remember that the attacker has to get on your system first, and I still think they will use the umpteen other ways to attack me more easily than this attack. Also keep in mind that we won’t really have a full fix for this issue for several years. Intel and AMD will need to redesign the chips for this to ultimately get fixed.

    That said… if you are as confused as I am about all these updates, join the club.  There are a few facts to keep in mind:

    You need two updates to ultimately be patched. The first is an operating system update; the August patches are the latest ones and include the fixes for L1 Terminal Fault (L1TF), which affects Intel® Core® processors and Intel® Xeon® processors (CVE-2018-3620 and CVE-2018-3646).

    You then need EITHER a firmware patch from your OEM vendor or one of these Microcode updates that Microsoft have been offering up.

    You don’t need both a firmware and a Microcode update. It’s probably wiser to get a firmware update, as I’ve found in patching Windows 10 and getting all the feature updates on that machines really need a firmware update to patch well in general.
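
    A quick way to see which of the two pieces a given machine already has, as an added PowerShell example (not from the original post). It assumes the "Previous Update Revision" registry value reflects the revision the firmware loaded, and it only reports the OS-side flags if Microsoft's SpeculationControl module is already installed.

```powershell
# Added example: report the CPU microcode revision and whether Windows or the
# firmware supplied it, then the OS-side mitigation flags if available.
# Assumption: "Previous Update Revision" is the revision loaded by BIOS/UEFI and
# "Update Revision" is the one currently running. Run from an elevated prompt.
$cpuKey = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
$cpu    = Get-ItemProperty -Path $cpuKey

function ConvertTo-HexString([byte[]]$Bytes) {
    # Show the raw REG_BINARY value; no vendor-specific decoding is attempted.
    if (-not $Bytes) { return '(not present)' }
    ($Bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
}

$running  = ConvertTo-HexString $cpu.'Update Revision'
$firmware = ConvertTo-HexString $cpu.'Previous Update Revision'

[pscustomobject]@{
    Processor         = $cpu.ProcessorNameString
    RunningMicrocode  = $running
    FirmwareMicrocode = $firmware
    # If the two differ, Windows loaded a newer revision than the firmware carries.
    MicrocodeSource   = if ($running -eq $firmware) { 'firmware (BIOS/UEFI)' }
                        else { 'loaded by Windows at boot' }
} | Format-List

# Second half: the operating system update. Get-SpeculationControlSettings comes
# from Microsoft's SpeculationControl module and is used only if already present.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings |
        Select-Object BTIHardwarePresent,        # microcode/firmware support seen
                      BTIWindowsSupportPresent,  # OS update installed
                      BTIWindowsSupportEnabled,
                      L1TFWindowsSupportPresent, # August (L1TF) OS update installed
                      L1TFWindowsSupportEnabled |
        Format-List
} else {
    Write-Warning 'SpeculationControl module not installed; OS-side flags not checked.'
}
```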

    In my office where we have standardized on HP, I am making sure that all machines have the HP support assistant to monitor firmware updates.  On my Lenovo laptops I’ve made sure they have the solution center installed.

    If you have a relatively recent Windows 10 OEM build computer, look to the vendor for a firmware update.

    If you want a Microcode update, keep in mind that in August Microsoft released them to the MU channel *just* for 1803. Per this page: https://support.microsoft.com/en-us/help/4093836/summary-of-intel-microcode-updates 1803 is getting them from Windows Update, Windows Server Update Service, and Microsoft Update Catalog. The other versions are only getting them from the catalog.

    For those folks that run WSUS servers, you saw a bunch of Microcode updates out yesterday.  Those are JULY versions of the Microcode update, not the same as the AUGUST ones out yesterday.  Notice the 2018-07 dates on the updates that came out on WSUS, not the 2018-08.

    Took me a while to figure out that these AREN’T the same updates even though they came out on the same day.

    They did come out on the C week. They are not replacing the cumulative update of August 14th.

    Unfortunately, I’m rating these Microcode updates as not simple.