Oh boy. I love the smell of fresh bricked PCs in the morning. Yesterday, Intel said it has released new firmware that — this time, really, for sure,
[See the full post at: Intel says its new Spectre-busting Skylake firmware patch is ready]
Intel says its new Spectre-busting Skylake firmware patch is ready
- This topic has 44 replies, 21 voices, and was last updated 7 years, 3 months ago.
witp
AskWoody Lounger -
The Surfing Pensioner
AskWoody Plus -
geekdom
AskWoody_MVP
February 8, 2018 at 7:50 am #165976
Oh boy. I love the smell of fresh bricked PCs in the morning.
Reply to #165970
Noooooo, but noooooo.
On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender -
John in Mtl
AskWoody Lounger
February 8, 2018 at 8:18 am #165982
“…Research tells us there is frequently a substantial lag between when people receive updates and when they actually implement them. In today’s environment, that must change.”
I guess Navin Shenoy and team is/are quite blind to the real world.
Can you blame anyone these days for waiting to install any patch of any sort?
-
lurks about
AskWoody Lounger
-
_Reassigned Account
AskWoody Lounger
anonymous
Guest
anonymous
Guest
February 8, 2018 at 11:09 am #166019
I love this part from their little speech:
“According to the Department of Homeland Security’s cyber-emergency unit, US-CERT, as many as 85 percent of all targeted attacks can be prevented with — among other things — regular system updates.”
It turns out that citation in itself cites another page which lists updates as #2 for applications and #3 for operating systems. #1 is listed as “Use application whitelisting”. Hardware / firmware patches are not even listed. Even this source cites another group in itself (source here).
Maybe I should blacklist Intel patch software until it proves okay to whitelist
anonymous
Guest
February 8, 2018 at 11:27 am #166026
The Wall Street Journal reported a week ago that Intel had also provided an early disclosure to Chinese tech giants Alibaba Group and Lenovo, yet failed to inform the Department of Homeland Security’s US-CERT, which only learned of the bugs after Google’s disclosure.
The disclosure to Chinese tech firms raises the possibility that the Chinese government was aware of the vulnerabilities before the US government and the National Security Agency.
Yep, Intel doing Intel things. Of course, nothing could go wrong doing that, right?
Right???
anonymous
Guest
February 8, 2018 at 12:40 pm #166046
Has anyone yet seen anything resembling real world benchmarks for system performance degradation after installing the Meltdown/Spectre patches? The OEM vendors will likely not push out BIOS/UEFI updates to any Haswell CPUs and older anyway. And, it probably does not matter as I think these exploits might be slow to materialize in the wild.
1 user thanked author for this post.
anonymous
Guest
February 8, 2018 at 12:50 pm #166053
Hello Intel, know your customer, or should I say, understand your client’s business and their expectations. Skylake systems installed in the enterprise will not have support staff scheduling firmware updates with any sense of urgency. Maybe even ever. The security guys and sysadmins will be watching out for Spectre/meltdown exploits in the wild before a call is made. Management could delay any decision due to business commitments or internal processing schedules.
Consumers with Sky Lake systems are the crash test dummies for these updates. The OEMs have to deal directly with their customers and bricked systems become their problem. They’ve already been burned once, so they are going to go slow on this. No rush at all.
Consumers are going to have to be very cautious. If they got a Sky Lake in August-December 2015, it is probably no longer under warranty. Maybe someone can answer this, is the customer 100% covered under the warranty, if the system gets bricked?
Noel Carboni
AskWoody_MVP
February 8, 2018 at 12:56 pm #166058
All this makes me wonder…
What is the expected / design lifetime of a computer system? I sense the industry wants us to believe more and more that a computer can be viable for a year or at most two.
That’s just ridiculous.
I have what I consider a pretty new system – a Dell PowerEdge T20 with a Haswell CPU bought new and put into service in April 2015. To read the various sources, Haswell is now old tech, barely worthy of updating. Implication: No longer worth having. That couldn’t be further from the truth. It does its job without fuss or muss, and I don’t see that changing for at least 3 more years.
Another system I have, a Dell Precision T5500, new in 2012, is Westmere-based. Ancient tech by all standards, yet since it was a top-of-the-line workstation, augmented with newer hardware (video card, SSDs) since then it’s actually pretty darned decent. But clearly considered too old to worry about, as no one has ever mentioned any possibility of a BIOS / microcode update.
Sure, I understand Intel’s unwillingness to spend money to service every chip they’ve ever built. But on the other hand, a concerted marketing campaign to make people think their Haswell computer is already obsolete seems, well, pretty devious.
-Noel
anonymous
Guest
February 8, 2018 at 1:56 pm #166065
Can updating the BIOS void a hardware warranty?
– Read the warranty or call the OEM help line and ask them what their policy is.
Depending on the circumstances a firmware update can brick a system and the system can be recovered. If the motherboard is damaged, nothing will revive it. OEM policy will determine if the warranty is considered void. There is CID (Customer Induced Damage) and ADP (Accidental Damage Protection) in a warranty (or hardware support policy).
Some OEMs support an automated BIOS update procedure. It comes down the chute and installs itself without any user intervention. Unless there was a power interruption during the BIOS update, a hardware failure due to a BIOS update, should be covered under warranty. Though best to check with your OEM first, rather than assume it is so.
Out of warranty – you have an interesting boat anchor or door stop.
OEMs will not cover a bricked system, still under warranty if the update came from another site other than their own. It is considered improper maintenance.
1 user thanked author for this post.
-
OscarCP
Member
February 8, 2018 at 5:07 pm #166105
As posted by Anonymous #166065 :
“Some OEMs support an automated BIOS update procedure. It comes down the chute and installs itself without any user intervention. Unless there was a power interruption during the BIOS update, a hardware failure due to a BIOS update, should be covered under warranty. Though best to check with your OEM first, rather than assume it is so.
Out of warranty – you have an interesting boat anchor or door stop.”
This can be a real worry, as the implicit assumption is a bricked PC, unless one knows for sure that the OEM is not capable to do so without first asking.
If it is not possible, or very hard, to learn about that, is there a way to preemptively stop this from happening: to block the OEM from accessing my PC, so to speak, but without entirely isolating the PC from the Internet for that?
By way of example — and perhaps not a very good one: PC makers usually preinstall an Agent or Assistant on the machines they sell. So, could one prevent the manufacturer from making BIOS or UEFI updates one has not asked for, or may not even want, by simply uninstalling the Agent?
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV -
bobcat5536
AskWoody Lounger
February 8, 2018 at 8:21 pm #166135
Dell has Dell Update that does exactly what you're describing. I got my BIOS flashed several weeks ago, with no bad aftereffects ( Lucky ). I have Skylake and I went into services and disabled it and haven’t heard a peep out of it since. It doesn’t even load at startup like it used to. I didn’t want to uninstall it because after the dust settles, I may want to use it again.
Reply to # 166105
-
ViperJohn
AskWoody Lounger
February 8, 2018 at 3:09 pm #166079
Let’s wait for Linus to speak.
He won't...at least not yet. The new Microcode has been released to the MB makers for further testing on their end then packaging into bios updates for their motherboards.
Intel has not (to date and time of this post) put up / released the new Microcode as a “Linux Processor Microcode Data File” here:
https://downloadcenter.intel.com/download/27337/Linux-Processor-Microcode-Data-File?product=873
Windows Server and Linux powered servers (that is darn near all servers and server farms on the planet) rarely if ever update microcode via a bios update initially. They typically get microcode updates by directly injecting the new code into their Operating Systems, be that Win Server or Linux, using one of the available data files as the code source from the link above. Done that way the Microcode change can be easily and quickly (file change and reboot) reversed if things go sour.
Viper
Pepsiboy
AskWoody Lounger
February 8, 2018 at 3:48 pm #166090
Oh boy. I love the smell of fresh bricked PCs in the morning. Yesterday, Intel said it has released new firmware that — this time, really, for sure, [See the full post at: Intel says its new Spectre-busting Skylake firmware patch is ready]
Woody,
Maybe just follow what I said in another thread about this stuff? Don’t patch for now, as nothing is happening. And I forgot who said it first, “Much ado about nothing”. Nothing happens, nothing to get excited about.
Dave
anonymous
Guest
February 8, 2018 at 3:50 pm #166085
I don’t know why everyone is so worried about flashing firmware (intel: do it or you will be insecure, us: but it might brick our systems with no recovery).
There is such a thing as a microcode update which applies to the CPU on boot (by the OS) and is 100% temporary (lost during power cycle). If the microcode update doesn’t do what it is supposed to the worst case scenario is the OS is broken (reinstall windows — or a better OS). If you can revert the update the OS isn’t even broken.
Why does this seem to be taking the form of a firmware flash which permanently changes/updates the microcode with unclear options to revert?
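An added example, not part of the thread or any poster's code: since microcode can arrive through a BIOS update or be loaded by the operating system at boot, as the posts above describe, the revision a Linux machine is actually running can be read back from /proc/cpuinfo. This script parses that file and flags cores on mixed revisions or below an operator-supplied baseline; the sample text, its revision numbers and the BASELINE values are constructed, and a real baseline would be taken from the vendor's guidance.

```python
"""Audit the microcode revision each logical CPU reports (Linux /proc/cpuinfo)."""
from collections import defaultdict

# Constructed sample in /proc/cpuinfo layout; model name and revisions are made up.
SAMPLE_CPUINFO = """\
processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model       : 94
model name  : Constructed Example CPU
stepping    : 3
microcode   : 0x20

processor   : 1
vendor_id   : GenuineIntel
cpu family  : 6
model       : 94
model name  : Constructed Example CPU
stepping    : 3
microcode   : 0x1e
"""

# Hypothetical baseline: (family, model, stepping) -> minimum acceptable revision.
BASELINE = {(6, 94, 3): 0x20}


def parse_cpuinfo(text):
    """Split cpuinfo text into one dict per logical CPU (blank line = separator)."""
    cpus, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                cpus.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def audit(text, baseline):
    """Return findings as (kind, cpu_signature, detail) tuples.

    kind is "mixed" (cores of one signature run different revisions),
    "below-baseline" (detail = logical CPU numbers under the minimum) or
    "no-baseline" (no minimum known for that signature).
    """
    by_sig = defaultdict(dict)
    for cpu in parse_cpuinfo(text):
        if "microcode" not in cpu:  # field is absent on non-x86 and some VMs
            continue
        sig = (int(cpu["cpu family"]), int(cpu["model"]), int(cpu["stepping"]))
        by_sig[sig][int(cpu["processor"])] = int(cpu["microcode"], 16)

    findings = []
    for sig, revs in sorted(by_sig.items()):
        distinct = sorted(set(revs.values()))
        if len(distinct) > 1:
            findings.append(("mixed", sig, distinct))
        wanted = baseline.get(sig)
        if wanted is None:
            findings.append(("no-baseline", sig, distinct))
        else:
            old = sorted(n for n, rev in revs.items() if rev < wanted)
            if old:
                findings.append(("below-baseline", sig, old))
    return findings


if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_CPUINFO  # fall back to the constructed sample
    results = audit(text, BASELINE)
    for kind, sig, detail in results:
        shown = [hex(d) for d in detail] if kind != "below-baseline" else detail
        print(f"{kind}: family/model/stepping={sig} -> {shown}")
    if not results:
        print("all cores at or above baseline, no mixed revisions")
```

The reported value is whatever revision is live on the core, so it does not by itself say whether the BIOS or the operating system loaded it.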
AJNorth
AskWoody Plus
February 8, 2018 at 3:55 pm #166094
Interesting article in today’s SecurityWeek detailing the patch:
Intel Releases New Spectre Patches for Skylake CPUs
http://www.securityweek.com/intel-releases-new-spectre-patches-skylake-cpus
OscarCP
Member
February 8, 2018 at 4:15 pm #166100
The list of different CPU models for PCs that Intel has brought to market over the years is impressively long. According to the news relayed here by Woody, the latest BIOS, UEFI updates are only for those of some recent models.
(For information on how to patch the BIOS or UEFI, read this — and despair:
https://www.pcworld.com/article/187437/software/how-to-update-your-bios.html )
So: how are the top managers at Intel planning to handle a general update?
Employ a lot more people? Crowdsource?
If the latter, are they going to pay well to those that deliver patches when they accept them (and before, or as, they distribute them to the OEMs that, in turn, can offer those patches to all PC users)?
I wouldn’t mind making a little extra cash, in whatever spare time I may have. Of course, on my side at least, the licensing terms shall make it very clear that the patch is given on a strictly “PROVIDED “AS IS” ” basis, and also on an equally strict “I AM NOT RESPONSIBLE IN THE LEAST IF YOU END UP WITH A FANCY DOORSTOP AFTER PATCHING YOUR BIOS OR UEFI WITH THIS ONE” basis.
I had to do some assembler and machine-language coding once (long ago and far away). But it is just like riding a bicycle… is it not? How different could that be from writing patches for some, in Silicon Valley terms, ancient Intel chip’s BIOS?
ViperJohn
AskWoody Lounger
February 8, 2018 at 4:21 pm #166101
Has anyone yet seen anything resembling real world benchmarks for system performance degradation after installing the Meltdown/Spectre patches? The OEM vendors will likely not push out BIOS/UEFI updates to any Haswell CPUs and older anyway. And, it probably does not matter as I think these exploits might be slow to materialize in the wild.
Yes:
If Intel pushes the Microcode for them (and they most likely will for legal liability reasons) the MB makers will probably push bios updates for hardware back to at least Sandy / Ivy Bridge. While numbers are very hard to come up with it appears that Sandy / Ivy make up about 30-40% of the installed hardware base out there. The reason for that is due to a lack of competition to push Intel resulting in a Sky/Kaby Lake CPU that is only about 15% faster than a 4-5 year old Sandy/Ivy clock for clock in benchmarks and even less real world. It simply didn’t pay to upgrade until Coffee Lake became a reality where i3’s are now quad cores and i5 and i7 are 6 core.
Viper
wdburt1
AskWoody Plus-
anonymous
Guest
February 8, 2018 at 10:40 pm #166143
I’m wondering what the smell of fresh-bricked PC is, so I can be alert for it. Acrid smoke of the kind that would be outlawed by the EPA if it were known?
Yeah, but I’m not sure if fire retardant bromides are still put in plastics encasing computer equipment.
-
witp
AskWoody Lounger
Fred
AskWoody Lounger
February 8, 2018 at 6:42 pm #166124
The Wall Street Journal reported a week ago that Intel had also provided an early disclosure to Chinese tech giants Alibaba Group and Lenovo, yet failed to inform the Department of Homeland Security’s US-CERT, which only learned of the bugs after Google’s disclosure. The disclosure to Chinese tech firms raises the possibility that the Chinese government was aware of the vulnerabilities before the US government and the National Security Agency.
Yep, Intel doing Intel things. Of course, nothing could go wrong doing that, right? Right???
So, what governments would use these vulnerabilities?
Time to make a guess* _ ... _ *
anonymous
Guest
anonymous
Guest
-
Elly
AskWoody MVP
February 9, 2018 at 2:10 am #166208
So I don’t think I have thought of updating my system since December, I’m running an i5 4670 I think it is….. uh…. should I update my Windows 7 now, or should I not?
On February 5th Woody moved to Defcon 3 and posted an article about getting patched.
Check out https://www.askwoody.com/forums/topic/ms-defcon-3-lots-of-caveats-but-its-time-to-get-patched/
There is a lot to read about in the linked ComputerWorld article, but it might help you decide what you really want to do… after all, it is your computer…
It is a time to cautiously go forward with patching, if you haven’t joined the no-patching group after all that reading. I have confidence in following Woody’s system, because it got me safely through the GWX to now, with no problems. However, I’m waiting until I have plenty of time, just in case… and I have a current system image, and also do data back up. I was having all kinds of anxiety about updating this month, because of the Meltdown and Spectre patching, and all the problems people are having… and I am tip-toeing up to it… but those are the thoughts of a non-techy…
Non-techy Win 10 Pro and Linux Mint experimenter
-
DrBonzo
AskWoody Plus
February 9, 2018 at 9:31 pm #166405
@Elly (166208) and @anon (166193). Here are 3 positive data points for January’s patches.
I’ve patched 2 Intel machines, one 3rd generation (Ivy Bridge) core i5 and one 5th gen (Broadwell) core i3. Both run Win 7 Pro 64 bit service pack 1. I successfully installed in the following order KB4055532 (a .Net update), KB 4056568 (IE 11 security), and KB 4073578 (the latest security only update that has the so-called AMD no boot issue fixed). I was told I needed to restart after each update. I did the .NET update through Windows update, the other 2 manually (as you can tell, I’m basically group B.)
Also did the same on an Intel Atom running Win 7 Starter 32 bit.
On all 3 machines everything went smoothly and everything seems to work fine for the last 2 days. Haven’t noticed any performance hits but I’m not a gamer and don’t do any intensive number crunching or I/O stuff.
The only thing I’d warn you about is to be patient on the KB 4073578 as it seems to take a few minutes (literally 3 or 4 minutes which in my experience is fairly long) on the restart when it gets to the 4-color Windows flag on startup.
Good Luck!
-
Bill C.
AskWoody Plus
February 9, 2018 at 1:49 am #166201
@OscarCP in Post #166105.
My Lenovo Thinkpad E440 (Win7-64Pro_SP1) has a Lenovo System Updater for the Lenovo specific software and hardware as well as the UEFI BIOS. It can be set to auto scan on a schedule if you wish, but it only will install if you permit it. It also allows you to hide updates. Generally, all the BIOS/UEFI updates have had cautions not to update them if the issues they are fixing have not manifested themselves on your machine.
Mine shows a November 2017 BIOS update (pre-Spectre/Meltdown), but says it is not reversible to address a security issue. I suspect it may be to fix the Intel ME vulnerability issue. I have not installed it yet as I am waiting for the Spectre/Meltdown UEFI/BIOS update for that. When it appears I will monitor the Lenovo forums to see if there are any issues.
That machine is not used that much since I bought an iPad Pro for the road. Plus the iPad Pro has a GREAT camera. I will keep it a Windows 7 laptop as long as possible and then it will become a Linux Mint machine.
Bill C.
AskWoody Plus
February 9, 2018 at 2:04 am #166206
ViperJohn
AskWoody Lounger
February 9, 2018 at 2:15 am #166210
Okay according to this 02/08/2018 revision to the “Intel Microcode Revision Guidance PDF”
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/02/microcode-update-guidance.pdf
Intel is planning on issuing Meltdown / Spectre Microcode updates going back 10+ years to Yorkfield and Wolfdale CPU’s. Sandy and Ivy bridge code is currently in Pre-Beta stage.
Looks like the 12+ year old Conroe / Kentsfield CPU’s are going to be cutoff.
Viper
2 users thanked author for this post.
Noel Carboni
AskWoody_MVP
February 9, 2018 at 6:53 am #166252
Okay according to this 02/08/2018 revision to the “Intel Microcode Revision Guidance PDF”
…
Intel is planning on issuing Meltdown / Spectre Microcode updates going back 10+ years to Yorkfield and Wolfdale CPU’s. Sandy and Ivy bridge code is currently in Pre-Beta stage.
Thanks for that.
Of course, two important issues remain:
1. Does the computer’s OEM plan to bring forth an update to carry the microcode. For example, in my case with a Westmere EP processor for which the chart still shows “Planning”, will Dell push the change forth in a BIOS upgrade? Up to now Dell’s list has not included my system.
2. What are the performance implications? So far we have seen hardly ANY information – anecdotal or artificially derived via benchmarks – even for the Windows patches alone. What will the degradation be with the Microcode updates? It’s ridiculous that the best we’ve got so far is Microsoft’s statements about “who’s likely to notice”. Is this really “security at all costs”?
-Noel
ViperJohn
AskWoody Lounger
February 9, 2018 at 1:50 pm #166342
Thanks for that. Of course, two important issues remain:
1. Does the computer’s OEM plan to bring forth an update to carry the microcode.
2. What are the performance implications?
-Noel
(1) If Intel releases Spectre mitigation Microcode for a given CPU series I think that would push the OEM’s / MB Makers to create bios updates for their MB’s. If they didn’t then liability for future Spectre attacks that involve their product would be borne by the OEM / MB maker alone.
Also even if an OEM / MB maker decides to not release (foolishly IMO) a bios update if the Microcode exists then it can be directly applied to the Windows OS at boot using VMware's CPU Microcode Update Drivers. It's really not that hard to setup and do after ya get past the initial “Oh Snap Now What” panic.
(2) I still have not seen more than a 2.1% worst case performance drop (in any benchmark), in BOTH Win 7 and Win 10 post Meltdown Patch install. That has now included a Skylake system that had Intel’s original Spectre microcode installed (and ran flawlessly after too). By my real world testing the typical home user just isn’t going to see or notice any performance drop/change real world post patch in W7 or W10.
Now a multi CPU server running many concurrent virtual machines with massive amounts of disk I/O over fiber or multiple 10Gb/sec ethernet cards (and the amounts of branch speculation that goes with that) may get clobbered performance wise BUT you are also talking machines running Windows Server OS’s not W7 or W10.
Viper
-
Noel Carboni
AskWoody_MVP
February 9, 2018 at 8:46 pm #166402
Try the Advanced “Workstation” disk test in PassMark PerformanceTest.
On one Haswell system here I measured a drop from a 1400 MB/second cached I/O rate to 900 MB/second. That’s pretty serious, and I’ve found that benchmark to be a good indication of real world all out disk-intensive application performance, such as one might see by an I/O limited application like, I don’t know, Visual Studio..
-Noel
ViperJohn
AskWoody Lounger
February 9, 2018 at 11:31 pm #166412
Try the Advanced “Workstation” disk test in PassMark PerformanceTest. On one Haswell system here I measured a drop from a 1400 MB/second cached I/O rate to 900 MB/second. That’s pretty serious, and I’ve found that benchmark to be a good indication of real world all out disk-intensive application performance, such as one might see by an I/O limited application like, I don’t know, Visual Studio.. -Noel
I did run that test many times Noel and did not see a performance drop but I do not have drives that can move disk data that fast either. I also did real world timed bulk file copies (100 files of various sizes from 50KB to 10GB) between my SSD’s and/or HDD’s and saw zero slow downs in any source – target combination.
My test drives were a pair of 500GB WD Blacks and a pair of 500GB Samsung 850’s. Those SSD’s top out around 550MB/sec seq in my system so they are probably not fast enough for a disk I/O slowdown to show up. I suspected that if you had some Samsung 960’s that could do 1400 to 2000MB/sec you may see a disk I/O slowdown with them.
I have no idea what the in use stats for systems with drives that fast are. Considering their cost per GB/TB of capacity and the fact MB’s with NVMe interfaces haven’t been around all that long I would bet their use in home desktop systems (versus spinning rust) for internal bulk file storage is close to zero and still few and far between for workstations desktops at this time.
I’m not saying there won’t be select workloads that will not see slowdowns. What I am saying is the typical desktop user is going to see little to no slowdown (and absolutely none in gaming frame rates) and that Win10 is no better than Win7 or Win8 in that respect.
Viper
1 user thanked author for this post.
Noel Carboni
AskWoody_MVP
February 10, 2018 at 8:01 am #166439
I think you’re onto something here… If the OS with a modern processor wasn’t the limiting factor in I/O speed, then making the OS a little slower was unlikely to cut into I/O speed. So most folks aren’t able to measure a speed drop. But with systems maxed out with hardware (e.g., the “servers” Microsoft alluded to) then OS has been and will be more of a bottleneck. I have specifically built my systems with arrays of flash drives to max out I/O performance, so I’m seeing the OS becoming more of a bottleneck.
-Noel
1 user thanked author for this post.
anonymous
Guest
February 11, 2018 at 6:56 pm #166688
I have Windows 7 Pro, SP1, x64, I-7 quad Sandy Bridge CPU, and these two questions:
(1) How can I find out, in a simple, low-level-of-skill-required way, if the manufacturer (HP) already has installed automatically a microcode patch in my PC?
(2) How can it be prevented from doing so: (a) for ever, (b) with the option to install it at some later time — if the new patch has not been installed already?
(If I find my machine has been updated already and it is, obviously, still working, I suppose I can live with that. Particularly if I have not noticed anything untoward, such as a significant slowdown. And I am not too worried about speed, anyways.)
Thanks.
Elly
AskWoody MVP
February 11, 2018 at 8:08 pm #166696
I have Windows 7 Pro, SP1, x64, I-7 quad Sandy Bridge CPU, and these two questions: (1) How can I find out, in a simple, low-level-of-skill-required way, if the manufacturer (HP) already has installed automatically a microcode patch in my PC?
Intel hasn’t pushed out the required microcode to the OEM yet. It is starting with the most recent processors, so Sandy Bridge has a way to go.
Take a look at this article about Steve Gibson's utility that simply reports on the status of your computer regarding Meltdown and Spectre vulnerabilities.
Non-techy Win 10 Pro and Linux Mint experimenter
-
anonymous
Guest
February 11, 2018 at 9:49 pm #166713
Thanks, Elly.
The article you refer me to is about installing software to see if one’s machine is vulnerable.
For the moment, my machine is definitely vulnerable, because I still have not installed February’s Security Only update for Win 7 (only the one for E11). I am in a “careful watching” mode, waiting to see how it goes with those who install it.
One thing I am very interested is on the BIOS/UEFI patch: has the manufacturer pushed it through an automatic update I know nothing about? From what you wrote, it seems the answer is “not yet”.
The other point, and somehow doubt the software in that link can help me with it, is whether I can prevent the manufacturer from installing the patch sometime in the future without my knowing, and if this can be prevented, how is it done? I am not happy about having the worrisome patch installed in exchange for avoiding a rather theoretical problem that might never come to pass.
As others have written here, if a patch to the UEFI or BIOS goes bad (I think for my PC is already an UEFI), it can be curtains for the old, familiar, much needed, much used (and, therefore, much loved) machine. Or a perhaps expensive and quite likely time-consuming attempt at restoration, in my case after finding someone with the skill, experience, knowledge, reputation… to do such a job.
Most likely outcome, if that ever happened to me: a very premature and pitiful terminal doorstop.
1 user thanked author for this post.
-
Cybertooth
AskWoody Plus
February 11, 2018 at 11:23 pm #166718
I have had PCs from a fairly wide variety of manufacturers over the years (Dell, HP, Lenovo, Toshiba, etc.). None have ever tried to force-feed a BIOS/UEFI update onto any of my machines.
Generally speaking, if a manufacturer has that kind of update available, it will be available for manual, deliberate download from their website. At best, they may send you a notice (via their pre-installed PC maintenance software) telling you that such an update is available. But I have never heard of BIOS/UEFI updates just showing up and getting installed without the owner’s participation, let alone his knowledge.
Historically, BIOS updates have been tricky to install and risk-prone, so they are handled via a much more careful, step-by-step procedure requiring your close involvement. It’s highly unlikely your manufacturer would simply foist the patch on you willy-nilly.
So, chances are you can rest easy on this point.
-
Cascadian
AskWoody Lounger
February 12, 2018 at 3:34 pm #166909
… The other point, and somehow doubt the software in that link can help me with it, is whether I can prevent the manufacturer from installing the patch sometime in the future without my knowing, and if this can be prevented, how is it done? …
Hi anonymous, I agree that the InSpectre tool discussed above does not address your concern directly as a preventative measure. However, I believe Elly was wanting to point out that it offers a painless method to deactivate any protection you have decided is harmful to your top performance requirement. This can be done after-the-fact, without requiring a firmware rollback, which has more hazards if attempted.
As Cybertooth has mentioned it is not likely that a truly preventative measure is required at this point. I will extend on the point offered by adding that making changes to purchased hardware without permission of the owner could open up the OEM or chipmaker to liability. This is untested. But I do not believe there is a leased license to hide behind, the way Microsoft does with their OS.
I agree that it is difficult to predict the future, and how the business model may change. But think your level of concern is not supported by current information.
OscarCP
Member
February 12, 2018 at 4:25 pm #166926
Paul,
First: thanks for some advice you gave me some time ago that fixed a problem with my user profile being corrupted repeatedly. Your suggestion of disabling services that are not from MS did work like a charm.
Now, because I am very interested in Anonymous question, I have one for you of my own.
You wrote:
“However, I believe Elly was wanting to point out that it offers a painless method to deactivate any protection you have decided is harmful to your top performance requirement. This can be done after-the-fact, without requiring a firmware rollback, which has more hazards if attempted. ”
Question:
Would not be the same to either return the machine to an early state by going back to the restore point created before the questionable update, and then install again any OK updates that might be gone after doing that, or else simply uninstall the undesirable ones without first returning the machine to an early state?
Even if recommended by several people who know what they are talking about, I generally don’t feel too good about installing software that is not essential for what I am doing and comes from an outfit that I do not know a good deal about already.
1 user thanked author for this post.
Cascadian
AskWoody Lounger
February 12, 2018 at 6:05 pm #166952
…
Would not be the same …?
(enclosing quotes so that if Woody reverts to threading, there will be a link to referenced comment)
Thank you for sharing your 3rd-party services disabled success. Glad it helped. Regret that I have forgotten from whom I learned it.
On the current item, in my understanding, firmware is a different beast from software patches with a different set of hazards. If I have crossed ideas here, I hope to be corrected by others.
Software patches, including patches to the Operating System, which is software, are simple things to revert to the prior condition. Though the steps required to make the change are protected to prevent malicious or accidental changes.
But the fix that would come from the OEM or chipmaker would involve a ‘permanent’ change to the encoded logic onboard the actual hardware. And while the microphysics involved are a little fuzzy to me, there is a hazard in changing or flashing this instruction set at that level. Reverting to a former state is not as easy as rolling back to a saved file of instructions. The same instruction set must be overwritten yet again, increasing the chances of a lingering bit here or there failing to revert. Resulting in an inoperable instruction set. At this point getting a Blue Screen would be a lucky outcome. The possibility of no display on screen, while audible noises come from within the case, or even worse, just silence. No opportunity for F8 or any other input.
Please, for other readers, this is a description in answer to a specific question. This is not a scare-story for any of the Microsoft updates from January or February. It is only the possible outcome of undoing or reverting a change to hardware instructions. This change would come from the OEM badge (Dell, Toshiba, &c) or, in the case of this topic title, from Intel. But it is an answer to a hypothetical question only.
—
Your hesitation is wise. Beyond trusting the vendor, and their instructions, I would also feel better reading results from another user’s real-world experience first. Kind of like the entire purpose of Woody’s MSDefcon warning system.
1 user thanked author for this post.