As the saying goes: if at first you don’t succeed, then try, try again.
This is the mantra that Microsoft seems to have taken up for dealing with the patching process meant to mitigate the effects of the Spectre v2 (CVE-2017-5715) vulnerability.
The OS maker released two new Windows updates yesterday, both meant to fix the Spectre v2 vulnerability.
The first of these two is KB4078407. This is a Windows Update package that is available via the Microsoft Update Catalog as a manual update only.
The update is a software-based OS-level mitigation for Spectre v2. Additional hardware-level CPU microcode (firmware) updates are still needed, based on the user’s CPU make and model.
KB4078407 is only available for Windows 10 and Windows Server 2016 systems.
Microsoft tried to release these updates on January 4, a day after news of the Meltdown and Spectre flaws became public. Unfortunately, the first set of patches released back then caused some systems to experience higher reboot rates or boot-up issues. Microsoft eventually paused the rollout of some of the Spectre v2 patches.
The second Windows Update package that Microsoft released yesterday is KB4091666, also available as a manual download from the Microsoft Update Catalog portal.
KB4091666 is for Intel users only. This update includes Intel microcode (firmware) updates needed to mitigate Spectre v2 at the hardware level.
Initially, Intel planned to provide these CPU microcode updates to motherboard vendors, which would have had to deploy them to their respective customers as BIOS updates. But, alas, some vendors lagged behind, and Microsoft stepped in at the start of March to announce it would automate the delivery of these microcode updates via a Windows Update package.
The OS maker initially released KB4090007, with microcode updates for the Intel Skylake series, which it expanded two weeks later to cover other CPU models.
KB4091666 contains microcode updates for even more CPU models. Some models included in KB4091666 overlap with the ones mentioned in KB4090007. Microsoft did not say if KB4091666 supersedes KB4090007.
Spectre v2 is one of the three vulnerabilities discovered by security researchers and disclosed at the start of the year, known to affect almost all CPUs released in the past 20 to 25 years. The other two are Meltdown and Spectre v1.
Meltdown and Spectre v1 can be mitigated with OS and app-level patches, while Spectre v2 needs both software and hardware-level (CPU microcode) mitigations.
The entire patching process has been terribly confusing [1, 2] for most users and plagued with problems, such as the ones faced by AMD, Red Hat, or Ubuntu users.