Microsoft Expands Spectre Microcode Approvals for Windows 10 Version 1709
Microsoft announced on Tuesday that it removed an anti-virus compatibility check for some Windows 10 version 1709 devices, and it expanded some Spectre microcode approvals.
The anti-virus compatibility check was added in January for Windows 10 users as part of Microsoft's response to the Meltdown and Spectre attack methods. In effect, Microsoft blocked Meltdown and Spectre mitigations from reaching Windows 10 users if their anti-virus software was deemed to be making "inappropriate calls" into the Windows kernel. Some users may not have received the Meltdown and Spectre mitigations in Microsoft's January and February updates because of that block.
Block Removed for Windows 10
With Tuesday's announcement, Microsoft is removing the OS update block specifically for Windows 10 users of the Windows Update service. Possibly, it also applies to organizations that use patch management software to control the arrival of Windows 10 updates. The removal is in effect with Tuesday's March security updates, according to the announcement by John Cable, director of program management for Windows servicing and delivery:
"Based on our analysis of available data, we are now lifting the AV compatibility check for the March Windows security updates for supported Windows 10 devices via Windows Update. This change will expand the breadth of Windows 10 devices offered cumulative Windows security updates, including software protections for Spectre and Meltdown. We continue to require that AV software is compatible and in cases where there are known issues of AV driver compatibility, we will block those devices from receiving Windows updates to avoid any issues."
Meltdown and Spectre are attack techniques, published by researchers, in which malware can tap operating system kernel information. The techniques, considered to be a widespread problem for computer users, exploit the normal "speculative execution" processes of CPUs. Organizations and individuals can mitigate the Meltdown and Spectre attack methods by applying operating system updates and firmware ("microcode") updates to the CPU.
The Meltdown and Spectre issues apply to both Linux and Windows OSes. However, in the case of Windows 10, Microsoft had required that anti-virus software meet its requirements before permitting updates to arrive. Microsoft had added that restriction because the unsupported calls to the Windows kernel by anti-virus software were said to be causing "blue-screen" problems for users.
Cable said that Microsoft would share more details about anti-virus compatibility on Windows systems older than Windows 10 "in the weeks ahead." He advised contacting anti-virus software makers to learn the status.
Microsoft also announced on Tuesday that it has approved Intel's microcode updates to address Spectre variant 2 issues for "the latest generation Intel platforms including Skylake, Kaby Lake and Coffee Lake devices" for Windows 10 version 1709. In late January, Microsoft had advised using blocking mechanisms for Intel's Spectre variant 2 microcode updates because of possible reboot problems.
In addition to Tuesday's microcode approvals, Microsoft earlier this month approved Intel's microcode updates for sixth-generation Skylake chips using Windows 10 version 1709.
Typically, original equipment manufacturers first test these microcode updates before making them publicly available. Intel lists the status of its microcode releases in its "Microcode Revision Guidance" document (PDF), which is updated frequently. A list of Microsoft's approved microcode for specific Intel processors can be found in Knowledge Base article KB4093836, by clicking on the internal link to "KB4090007 Intel."
Microsoft's approved microcode releases don't arrive automatically via Windows Update. Users have to go to the Microsoft Update Catalog to download and install them. It's not clear what to search for in the catalog, though.
Cable did note in the announcement that Microsoft does plan to add coverage for "x86 editions of Windows 7 [Service Pack 1] and Windows 8.1," which presumably means that Microsoft will eventually issue microcode approvals for those systems, in addition to Windows 10.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.