Microcode BIOS Updates coming from a Microsoft Update

November 13th, 2019 by Stephen Jones

Intel Microcode Updates coming from a Microsoft Update or the Windows Catalog.
The security reasons for updating the microcode on your processors are covered in these links:

https://support.microsoft.com/en-us/help/4093836/summary-of-intel-microcode-updates

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html

https://www.amd.com/en/corporate/product-security

Microsoft is collaborating with Intel and AMD on these microcode updates.

When processors are manufactured, they have a baseline microcode baked into their ROM. This microcode is immutable and cannot be changed after the processor is built. Modern processors have the ability at initialization to apply volatile updates to move the processor to a newer microcode level. However, as soon as the processor is rebooted, it reverts to the microcode baked into its ROM. These volatile updates can be applied to the processor in one of two ways – by the System Firmware/BIOS via the OEM, or by the Operating System (OS). However, neither updates the microcode in the processor's ROM. If you were to remove the processor from one computer and install it in a computer with an older System Firmware/BIOS and an un-updated OS, you would again be vulnerable.

Windows offers the broadest coverage and quickest turnaround time to address these vulnerabilities. Microcode updates delivered via the Windows OS are not new; as far back as 2007 some updates were made available to address performance and reliability concerns.

You could just take the OEM System Firmware/BIOS updates, but Microsoft Update often has the microcode updates that address these issues much sooner.

When the processor boots, it uses versioning to make sure it is running the latest microcode update regardless of where it came from. Installing both System Firmware/BIOS updates and microcode updates from Microsoft Update is therefore O.K. It is possible that the OEM updates the microcode to one level and the OS updates the microcode to an even higher level during the same boot.

Microcode updates install like any other update. They can be installed from Microsoft Update, WSUS, SCCM or manually installed if downloaded from the Catalog. The key difference is that the payload of the hotfix is primarily one of two files:

mcupdate_GenuineIntel.dll – Intel
mcupdate_AuthenticAMD.dll – AMD

These files contain the updated microcode, and Windows automatically loads them via the OS Loader to patch the microcode on the bootstrap processor. This payload is then passed to additional processors as they start up, as well as to the Hyper-V hypervisor if enabled.
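
To check for the case described above, where the firmware loads one microcode level and the OS loads a higher one in the same boot, this added example (not from the original post) compares the two revisions Windows records for processor 0 and reports which mcupdate file is present. It assumes the `Update Revision` and `Previous Update Revision` registry values and the System32 file location, none of which the post states.

```powershell
# Added example. Assumptions: the two registry value names and the System32
# location of the mcupdate DLL; neither is stated in the post.
$cpuKey = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
$cpu    = Get-ItemProperty -Path $cpuKey

function ConvertTo-Revision {
    param([byte[]]$Bytes)
    # Both values are 8-byte REG_BINARY; read them as one unsigned integer so
    # the comparison works whichever half the vendor stores the revision in.
    if ($null -eq $Bytes -or $Bytes.Length -lt 8) { return $null }
    [BitConverter]::ToUInt64($Bytes, 0)
}

function Format-Revision {
    param($Value)
    if ($null -eq $Value) { 'not present' } else { '0x{0:X16}' -f $Value }
}

$running  = ConvertTo-Revision $cpu.'Update Revision'           # level in use now
$firmware = ConvertTo-Revision $cpu.'Previous Update Revision'  # level before the OS load

# The vendor string selects which payload file from the post applies.
$dllPath = Join-Path $env:SystemRoot "System32\mcupdate_$($cpu.VendorIdentifier).dll"
$dll     = Get-Item -Path $dllPath -ErrorAction SilentlyContinue

[pscustomobject]@{
    Vendor           = $cpu.VendorIdentifier
    FirmwareRevision = Format-Revision $firmware
    RunningRevision  = Format-Revision $running
    # True when the OS loader moved the processor past the firmware's level.
    OsRaisedRevision = ($null -ne $running -and $null -ne $firmware -and $running -gt $firmware)
    McupdateFile     = $dllPath
    McupdateVersion  = if ($dll) { $dll.VersionInfo.FileVersion } else { 'file not found' }
    McupdateModified = if ($dll) { $dll.LastWriteTime } else { $null }
}
```

If `OsRaisedRevision` is False and both revisions match, the firmware already supplies a level at least as new as the one in the installed mcupdate file.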
