Does the manufacturer of a motherboard have to release a compatible BIOS update to somehow inject or support/update the new microcode of a CPU, or is it possible to do this directly without updating the BIOS? I'm a little confused about what steps I should take, because I have a processor that has a new microcode update available, but the manufacturer of the motherboard doesn't have new BIOS updates or any solution to this problem; they basically haven't released a s**t since 2015. I have an Intel Core i5 4460 and an MSI NIGHTBLADE B85C motherboard, and I'm affected by a Spectre vulnerability. What can I do?
What is different if you are using a BIOS update "instead"? I'm not sure this is the correct term. What I am sure of, however, is that:
- Intel released that first round of "buggy" microcode updates that they recommended are no longer used; this BIOS was actually stable on Coffee Lake, I think only older platforms had issues, so I kept it
- then Microsoft made available KB4090007 with new, functional microcode. At this point, I was curious how this would affect my PC (8700k), so I installed that update. There was a pretty clear impact on performance, for example in Cinebench and a few AIDA64 tests. I uninstalled it immediately.
- MSI released a new BIOS containing basically the same microcode; I updated my BIOS, there's no additional performance hit, and AIDA64 tests were similar to the previous BIOS.
So, somehow, installing the microcode from the Microsoft patch instead of a BIOS flash resulted in a performance hit. Is there a significant difference between the two? Thanks.
I tell you what. How many years has this code gone unnoticed? How many years have we lived with it unknowing, and been fine? I am passing on any patch, especially one that slows down my computer. Remember the old adage: if it ain't broke, don't fix it. Also, if it is in print, that doesn't make it true, and I certainly don't have to respond to mass hysteria over a problem that has never, ever once affected me or anyone else.
There must be a difference... and the difference is that the M$ patch is not an MC update alone. From the technical aspect it does not matter whether the (same) MC comes from the BIOS or from the OS... You find the hint in their wording: "This update includes microcode updates from Intel for the following CPUs.." The update includes MC updates besides other unknown stuff... it is no pure MC update. You do not consider that the situation has changed by publishing the vulnerabilities.... If somebody discovers a vulnerability, then that person is always in a dilemma. When publishing it, the public knows about it... from that time the vulnerability exists (to the public), not before! And with that comes the need to patch it... since a known vulnerability can be exploited. It depends on the CPU type/architecture. In this regard one might inform about the RISC / CISC approach..... One of Intel's 'faults' at that time had been to go for CISC (until the 80386).... we here, for scientific use (NMR), could not use any Intel CPU in the early 90s..... we had to go for Alpha RISC to live-calculate a Fourier transformation..... To eliminate the performance gap to RISC they came to 'strange' ideas... AFAIK the 80486 then had got some 'attributes' of RISC... Intel actually never had the right intuition when it came to CPU development; in this regard they are similar to M$, and only their strong alliance and unfair market politics could make them persist.. just remember the threats to mainboard manufacturers against AMD mainboards...
Yeah, it's probably impossible to tell what exactly is in both the Microsoft KB update and the new BIOS. What I do know is that before them, CPU-Z would say that I am vulnerable to Spectre (web page from validating CPU). After both updates, it says: Rev. 0x84 ► Spectre (CVE-2017-5715) Patched ◄ So the microcode revision from the new BIOS is the same as the one in the KB. But there's no performance hit (compared to the previous microcode BIOS update, 'cause against unpatched there's obviously a performance difference). The InSpectre tool would not say the PC is vulnerable with the first microcode, it would consider it properly patched; it's just CPU-Z that insists on the latest microcode. Now about whether it's worth it or not to patch these vulnerabilities. The Spring Creators Update has the patches built in. It seems like you can still disable the protections from InSpectre, but I doubt many will. While I don't have critical info to guard, I would still not like having to change passwords and recover accounts 'cause my PC got hacked, or having it used in some botnet for whatever the hackers feel like. This makes me wonder: let's say one would not apply these protections, but uses a good internet security suite, like Kaspersky's. Would it matter? Or would it be irrelevant?
One should not forget that check tools like the InSpectre tool are, from a purely scientific view, not able to tell you something about the condition "your PC is still vulnerable to.../ is not vulnerable anymore". Why? Quite easy.. the check tools come along with a self-determined idea of WHEN the vulnerabilities have been patched.... That is a good question.... We can only talk about probabilities.... and it depends on use. I think when using 2FA on sensitive accounts (banking etc.) they should be safe. One should know what the exploits can do.... they can read arbitrary memory.... (RAM).... I have an unpatched w7 and Linux Mint dual boot. Linux is fully patched, Windows not at all.... I do my banking on Linux, though...
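
Added example, not part of any post in this thread: on a Linux install like the one mentioned above, the running microcode revision, whether the kernel (rather than the BIOS) loaded it at boot, and the kernel's own Spectre v2 status can be read directly instead of relying on a third-party checker. The sample text is constructed, the 0x84 threshold is the revision CPU-Z reported earlier in the thread, and the function names are made up for illustration.

```python
import re

# Constructed sample inputs, not captured from a real machine. On a live system
# they come from /proc/cpuinfo, /sys/devices/system/cpu/vulnerabilities/spectre_v2
# and the kernel log (dmesg).
CPUINFO = "processor\t: 0\nmicrocode\t: 0x84\nprocessor\t: 1\nmicrocode\t: 0x84\n"
SPECTRE_V2 = "Mitigation: Full generic retpoline, IBPB, IBRS_FW\n"
DMESG = "microcode: microcode updated early to revision 0x84, date = 2018-01-21\n"

def microcode_revisions(cpuinfo_text):
    """Set of microcode revisions reported by the logical CPUs."""
    found = re.findall(r"^microcode\s*:\s*(0x[0-9a-fA-F]+)", cpuinfo_text, re.M)
    return {int(rev, 16) for rev in found}

def os_loaded_revision(dmesg_text):
    """Revision the kernel loaded early in boot, or None if it logged no early load."""
    m = re.search(r"microcode updated early to revision (0x[0-9a-fA-F]+)", dmesg_text)
    return int(m.group(1), 16) if m else None

def assess(cpuinfo_text, spectre_v2_text, dmesg_text, min_rev):
    """Combine the three sources; min_rev is the lowest acceptable revision (assumed)."""
    revs = microcode_revisions(cpuinfo_text)
    status = spectre_v2_text.strip()
    return {
        "revisions": sorted(hex(r) for r in revs),
        # Every logical CPU should run the same revision after an update.
        "consistent": len(revs) == 1,
        "microcode_ok": bool(revs) and min(revs) >= min_rev,
        # No early-load line means the running revision was not early-loaded by the OS.
        "loaded_by_os": os_loaded_revision(dmesg_text) is not None,
        "kernel_status": status,
        "mitigated": status.startswith("Mitigation:"),
        # IBRS/IBPB only appear when the microcode exposes those controls.
        "microcode_features_in_use": any(t in status for t in ("IBRS", "IBPB")),
    }

if __name__ == "__main__":
    for key, value in assess(CPUINFO, SPECTRE_V2, DMESG, 0x84).items():
        print(f"{key}: {value}")
```
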
TBH, I'm still not convinced that this isn't some kind of ploy to make people update to newer hardware. And I'm not going to patch my CPU and make it a cripple because of this nonsense. I bought an I7. Not a P4 or an I3.
That was my first reaction too.. [#16] And I keep wondering why people in the ICT security business have to reveal such vulnerabilities every time.. It feels a bit like "look, ma, how smart I am..", while it is not that smart at all. Crooks are unlikely to invent the wheel every time; in any case they did not for nearly two decades.. But it looks like Intel cs really messed it up this time... all in the name of speed. And they are unlikely to introduce better processors anytime soon... So, if all the crooks jump on the Meltdown/Spectre bandwagon, we may have to resort to a raspberry to do our online banking business..
Exactly. The bad guys didn't know about Meltdown and Spectre, now they KNOW. Scary! But not that scary to me lol, cause: Me too, buddy, me too.
Google found this flaw and told Intel and AMD about this issue 6 months before they made it public. If Intel and AMD sat on their butts and did nothing, then I cannot blame Google for making it public.