Intel/AMD uCode fix for Spectre, HT bug fix and Meltdown.

Let's wait for a week and see if Intel releases new uCodes to fix Spectre NG if current creates more problems like last time. We don't want conflicts at OS level and at driver level when vmware driver is loaded.
@THEBOSS619 I didn't get newer Ryzen uCodes so I hope you have my old packed exe with Ryzen uCodes, correct?

 

No problem.. makes sense to me.. anyway... it is ready and I'm already testing it if there's anything happens.. right now.. I'm gaming to see if there is significant difference or not

Yup.. you mean this one... right?

 

Don't forget benchmarks, as you are todays GP And did Intel change the microcode or was it the same? Or same as in Win microcode patch? Thanks

 

Hah. Grazi Will post benchmarks soon.

Sorry to bring this up again, but d*mn, I cannot find the microcode.dat file. Im in the wormhole man, wasting time for sure. Laughably, I even made a screenshot for anyone who has a minute -check my unpacked .tgz, to a .tar, unpacked to 3 folders plus release notes. Version: 20180425 (Latest) Date: 4/25/2018

Silly to be this stubborn b/c like you guys mentioned earlier we should wait a week or so for a new Intel microcode release.

Thanks!

 

It actually kinda sounds like the 1809 release is just getting back to even, with the same patch package as before 1803, maybe some new CPU's covered under the old vulnerabilities that were already on track, or nothing new at all.

I doubt there is anything new in regards to Spectre Next Generation at all, probably not is my first thought.

We haven't even received "official" notice of the Spectre NG Intel vulnerabilities, they kinda sound too new for Intel to have had enough time to respond with even a first patch.

Heck Intel / Microsoft still aren't on track for providing all of the first set of fixes.

 

Micro$h4ft have more than enough with fixing their new flawed OS Win 10 1803 April Moron Update. Why the rush must push it out before it was ready? Because they have call it the April update?

 

I think you downloaded the incorrect version, have you run hash check on the file and see if the checksum is same as Intel? Use hashtab or hashmyfiles.
Usually WinRAR or 7z can extract or unpack them in relatively easier manner.

 

I have tested it on Linux [I'm a fan use on linux too ] and it seems that there's no significant changes overall... but right now.. I can't test it on windows due to they provided Intel uCodes only for modern Linux but not for the older ones which leads that there is no Microcode.dat file to apply it on windows... Need time to provide a way to install it on windows [Other than Windows Update]....

Anyway.. the change log for the new microcode is mostly changes for Xeon CPU's and a bunch of old CPU's
== 20180425 Release ==
-- Updates upon 20180312 release --
Processor Identifier Version Products
Model Stepping F-MO-S/PI Old->New
---- updated platforms ------------------------------------
GLK B0 6-7a-1/01 0000001e->00000022 Pentium Silver N/J5xxx, Celeron N/J4xxx
---- removed platforms ------------------------------------
BDX-ML B/M/R0 6-4f-1/ef 0b000021 Xeon E5/E7 v4; Core i7-69xx/68xx
-- Special release with caveats --
BDX-ML B/M/R0 6-4f-1/ef 0b00002c Xeon E5/E7 v4; Core i7-69xx/68xx

What they provided only Intel uCodes for modern Linux.. so that is why you can't find the .dat file due to it was usually used for older Linux OS .

Depending to what I see is.. that inside the Intel-ucode folder may represents the microcode for each single processor individually depending on (Generations,Stepping,etc..) so.. I think they separated it rather than putting it all into one microcode.dat file

 

As expected.. those files on Intel-ucode folder are binary files so... I tried this python script to convert binary file to a text counterpart (.dat) and it works! so.. today I'm gonna test it on windows later when I got free time

for those who is interested or like to be risky.. you can find the python script on this link:- http://www.codegists.com/snippet/python/bin2datpy_aikoncwd_python
Copy the python code to a txt file and then rename it whatever you like but be sure the extension will not be a .txt file but to be .py so that python script works

Find the file to which is related to your CPU [You must know which file on Intel-ucode folder is specific to your CPU] to convert binary files to .dat files

 

Just for additional information to how to find your specific ucode file... is to know your CPU ID through RW-everything and then find your file..
I just find mine by knowing it through the file names.. for example:- My CPU ID was 506e3 so... I go to the Intel-ucode folder and started looking for it... so how would you know which file is made for your cpu? by looking to your CPU ID.. start searching which in my case it was 06-5e-03 file which is equal to my CPU ID=506e3... if you look carefully .. you will find there is similarity on numbers and letters so.. you can try

By the way.. the Python script have safe measurements because it reads your CPU ID on your current computer and then it asks you if this is your CPU ID and then it compares what you selected from the Intel-ucode.. if it doesn't match.. the python will terminate the process.. if it found a match.. it will convert your file to .dat file which you will be able to use it to upgrade your CPU Microcode

I will try to find a way to make it universally as much as possible and cover all the CPU's whenever I can your help is much appreciated if you want to support because I don't have all the CPU's of the world... I only got 1

 

Just an update.. no big difference to me on performance or smoothness or benchmark prospective as it is the same microcode that is used for 6th Gen. Skylake which is C2. All the benchmarks came within margin of error.

As for everybody else.. I'm slowly or gradually trying to convert every single cpu microcode to .dat file on my free time so that it works on windows smoothly

I will try to keep it as simple as possible

but for those who want to try.. I already mentioned or guiding you the way of doing it on previous posts so.. good luck

 

KB4100347: Intel microcode updates
Applies to: Windows Server version 1803 - Windows 10 version 1803
http://forum.notebookreview.com/thr...patches-and-more.812424/page-97#post-10729629

 

I will look into it on my free time & I will test it if there's any difference than from intel one's right now I'm in the middle of converting binary files to .dat files for all CPUs nearly 30% finished from it

 

Head's up, another one.

More details and links in the post:
http://forum.notebookreview.com/thr...patches-and-more.812424/page-98#post-10732633

"Intel has already delivered microcode updates for Speculative Store Bypass in beta form to OEMs, and the company expects them to be more broadly available in the coming weeks. The firmware updates will set the Speculative Store Bypass protection to off-by-default, ensuring that most people won’t see negative performance impacts."

"...
Variant 4 is a vulnerability that exploits “speculative bypass.” When exploited, Variant 4 could allow an attacker to read older memory values in a CPU’s stack or other memory locations. While implementation is complex, this side-channel vulnerability could allow less privileged code to:

• Read arbitrary privileged data; and
• Run older commands speculatively, resulting in cache allocations that could be used to exfiltrate data by standard side-channel methods.

Corresponding CVEs for Side-Channel Variant 4:

• Variant 4: Speculative Store Bypass – CVE-2018-3639

Impact
Side-Channel Vulnerability Variants 3a and 4 may allow an attacker to obtain access to sensitive information on affected systems.
..."

Addressing New Research for Side-Channel Analysis
Details and Mitigation Information for Variant 4
https://newsroom.intel.com/editorials/addressing-new-research-for-side-channel-analysis/

INTEL-SA-00115
Q2 2018 Speculative Execution Side Channel Update
https://www.intel.com/content/www/u...m_medium=inline&_utm_content=lnk1140515439680

 

Wow.. I guess intel have alot of things to do to keep up with the new issues

 

There is so much, they can't even divulge them all at the same time, they are taking a measured approach to release the vulnerabilities.

Which is fine I suppose, it helps focus on each problem class so they can release fixes that stand alone so if there is a problem it's easier to debug.

I wonder how many more variants are being held back for later.

It's possible Intel will be releasing fixes up until the hardware releases with all the fixes.

I wonder what will happen if new things are found after the fixed hardware comes out, will there be fixes for the older hardware (what we have new now) in parallel or how will Intel focus resources.

It's going to be a very interesting series of events, for a few years going forward.

 

Totally agree with you.. things will be really interesting and I'm curious about there next move or there next decision... I think Intel may give up on some point for older CPUs

 

Right now.. finished nearly 45% of converting from binary files to. dat file...

Doing it all alone I will keep up with there Intels new microcodes if there's any.. either from MS or even Linux

 

Looks like American Military's first post about security issues was right. Replace Intel Systems with AMD for better security.
@hmscott IT admins have a lot of work to deploy these updates in your co. right?

Newer ones are incoming acc. to Prema so its best to wait so that people can apply all patches at once.

 

Yup, I believed back then the same, that this wasn't going to be fixed in software patches, it was going to take a redesign and reissue of hardware.

And, CERT didn't really "change" their opinion, they changed their recommendation based on the fact that there are currently no replacements without the breakage / faults in the design available to procure:

"It’s possible that part of the issue here might be that there are no CPUs being made that don’t have the underlying flaw and therefore there are no replacements that would fix the issue."

Specifically, it was the CERT organization response:

CERT (which stands for "Computer Emergency Readiness Team") was formed by the Defense Advanced Research Projects Agency ( DARPA ) in November 1988 after the Internet was assaulted in the Internet worm incident.

What is CERT (Computer Emergency Readiness Team)? - Definition ...
https://whatis.techtarget.com/definition/CERT-Computer-Emergency-Readiness-Team

CERT: Only way to fix Meltdown and Spectre vulnerabilities is to replace CPU (Update: CERT backtracks)
CHRIS O'BRIEN @OBRIEN JANUARY 4, 2018 2:26 AM
https://venturebeat.com/2018/01/04/...nd-spectre-vulnerabilities-is-to-replace-cpu/

"Updated at 2:30 p.m. Pacific: CERT has dropped its advice that users replace the CPU. See details below.

As word of the massive security flaw in computer processing units spread yesterday, companies responded to reassure customers and explain the steps they are taking to deliver software patches to address the issues.

But the Computer Emergency Response Team, or CERT, has issued a statementsaying there is only one way to fix the vulnerability: replace the CPU. CERT is based at Carnegie Mellon University and is officially sponsored by the U.S. Department of Homeland Security’s Office of Cybersecurity and Communications.

“The underlying vulnerability is primarily caused by CPU architecture design choices,” CERT researchers wrote. “Fully removing the vulnerability requires replacing vulnerable CPU hardware.”

They also advise users to apply the various software patches but note that this will only “mitigate the underlying hardware vulnerability.”

The pronouncement from CERT doesn’t carry any regulatory obligation for the companies whose CPUs are affected. But the vendors that CERT lists as being affected include many of the biggest names in tech: AMD, Apple, ARM, Google, Intel, Microsoft, and Mozilla.

Together, those companies account for a massive portion of the chips used in computers and smartphones. Were they to come under legal or public pressure to provide replacement CPUs, the costs would be almost impossible to calculate.

For now, the companies have to hope that the software patches reduce security risk sufficiently to avoid widespread legal actions and further public backlash.

Updated at 2:30 a.m. Pacific with new CERT information and Intel comment: One day after recommending that the only way to address the security issue was to replace the CPU, CERT has dropped that recommendation entirely. They also rephrased the section about applying software updates to read: “Apply updates: Operating system and some application updates mitigate these attacks.” Here, CERT also modified the line that previously advised how to “mitigate the underlying hardware vulnerability.”

VentureBeat was alerted to the changes by Intel spokeswoman Agnes Kwan. In an email, Kwan said, “CERT updated its vulnerability note to correct some inaccuracies.” Kwan also wrote, “Note that we are also working with CERT to replace the mention of ‘some application updates’ in this latest version, as it’s inaccurate.”

We’ve reached out to CERT and Intel to clarify the reasons for changing the advice regarding CPU replacement.

It’s possible that part of the issue here might be that there are no CPUs being made that don’t have the underlying flaw and therefore there are no replacements that would fix the issue.

Updated at 2 p.m. Pacific: The CERT Division of the Software Engineering Institute at Carnegie Mellon University issued the following statement about the change to the vulnerability recommendations:

“We are not currently recommending hardware replacement as a response to the Meltdown and Spectre vulnerabilities. The issues are caused by the complex interaction between CPU hardware and operating system software, and our updated advice is to apply operating system updates when available. Our goal is to provide accurate, actionable advice based on available information and our evolving understanding. As a result, we sometimes update Vulnerability Notes as we refine our recommendations.

Our knowledge of these vulnerabilities is developing quickly through our interactions with vendors and the security community as well as through our own testing and analysis. Vulnerability Note VU#584653 is the product of ongoing analysis and is being updated regularly as our understanding changes.”

In a subsequent email, Intel spokesperson Agnes Kwan clarified that “operating system and firmware patches mitigate all three variants.”"

 

While waiting for newer microcodes acc. to Prema .. would like to share the current microcodes that Intel released on there official website 4/25/2018 ... I successfully converted all the binary file to .dat file in order to work on windows I found a way to convert it all at once through python script better than selecting file by file to convert it

Here is it for those people who like to test it but in order to find which microcode for your current CPU... I mentioned on the previous posts how to find it anyway.. here is the link ---> https://drive.google.com/open?id=15v5hYB-hPD-sLd6CXPnfCrm6ouoQgfEm

I will not post it on my main post due to it is not noob friendly... once I try to find a way like.. simple click or easy way to apply the new microcodes.. I will surely put it on my main post

Note:- All Microcodes are not tested

Only 1 microcode are tested which is [06-5e-03.dat] file because this microcode is related to 6700HQ according to CPU ID which is 506e3

 

Simply update OP putting a disclaimer in Red Color saying Meant for advanced users. Anyway, users of Linux and W10 are protected by uCodes now. uCodes supports from Broadwell and upwards.

 

Thanks to @Vasudev for providing information for this update, Post is updated

Change Log:-
- Updated post with newer Intel Microcode (Only for andvanced users)
- Added [Advanced User Sections] with red lines to avoid confusion
- Revised the main post with some clearer information & corrected spelling mistakes here & there

 

One thing I didn't understand is this "Post updated depending on Vasudev"?

 

I meant with your suggestions I did it

 

What we usually say in English is, thanks to @personthatfoundit for providing the info for this update.

or something like that.

Which is what you said, right. You depended on @Vasudev 's input or information for this update.

 

Yup

 

Am i the only paranoid A55h0le who ran your hard work through VT first? Thanks so much for your efforts! Very cool. I'll give it a go as I DL the .zip to thumb drive -which I'll try on my uCode machine later tonight. Thanks very much!

 

If you're on win 10 v1709 and above and modern linux distros you're probably have uCode patch installed. uCode are applied for Broadwell and above CPUs from Intel. If yours is older, then @THEBOSS619 uCode fix will work 100%.
I'd recommend carrying a zip as opposed to the extracted archive since malware can change the contents easily since there aren't any protection to prevent changes to inf files.
EDIT: @THEBOSS619
I got hold off newer Ryzen uCOdes and you must modify the inf and bat files for the uCode patch

 

Update:
Jacob Klein made a SW to convert those bin files to dat and merged everything into microcode.dat
Big thanks to Jacob Klein http://wp.xin.at/archives/4397#comment-154115
Converter can be found here https://1drv.ms/f/s!AgP0NBEuAPQRpdoWT_3G3XCdotPmWQ
So we have Updated Intel uCodes and AMD Ryzen( Don't worry older ones are present too!) with modified script inside inf driver and install.bat files to incorporate new ucodes from AMD.
AMD Ryzen uCodes were downloaded from https://launchpad.net/ubuntu/+source/amd64-microcode
Used this package to be specific https://launchpad.net/ubuntu/+archive/primary/+files/amd64-microcode_3.20180524.1_amd64.deb

For those who are worried if I'm a hacker and distrust me, they can open cpumcupdate.inf & install.bat where I've added a comment "new line" followed by my additions. Be sure to change the file permission from read-only to writable which can be done going into Properties and simply un-checking Read-Only option.
SHA1 Hash: C128985F1A43EB41A5C7DC67E156BDD721AD81D7
Ryzen uCodes aren't tested so proceed with caution and make an image of your system using Macrium Reflect just in case, something bad occurs.


@THEBOSS619 Sorry mate too many updates at a time, sorry for the trouble and can you please update OP. Just in case uninstall prev. ucode package and see if the new one works alright!

Changelog:

• Supports almost all Intel CPUs and AMD released till date.
• Used Jacob Klein Microcode converter and used Debian's amd64 microcode package which was unpackaged to get bin files

 

Thank you so much for the information & providing your time to help I will update OP as we speak and testing this on my own laptop AMD users will surely be happy about it

No need to say sorry at all by the way.. who dares to distrust you

 

Thanks to @Vasudev for providing easier way of installing uCode update and providing easier procedure of converting .bin files to .dat files and the source of the uCodes

Change Log:-
- Updated post with newer AMD Microcode & Intel Microcode
- Supports almost all Intel CPUs and AMD released till date.
- Used Jacob Klein Microcode converter and used Debian's amd64 microcode package which was unpackaged to get bin files for more info. refer to http://forum.notebookreview.com/thr...fix-and-meltdown.806451/page-13#post-10741190
- Updated Credits to Jacob Klein http://wp.xin.at/archives/4397#comment-154115 for providing easy way to convert .bin files to .dat files easily!

 

@Charles P. Jefferies If you can edit the thread title to μcode(aka Microcode) fix for Intel and AMD CPUs.

 

Yeah it will be good title because now it it covers Intel + AMD CPUs

 

Thanks @Charles P. Jefferies for the title change.

 

I flashed this or installed this via CMD but I'm still vulnerable on Spectre. What else do I need to do to remove? Thanks so much. Have the i7 7700HQ

 

I think Windows 10 already has the ucode fixes for skylake and above. I suppose your vendor already pushed the BIOS update for spectre V2 exploit. Even newer BIOS patches for Spectre V3/V4 are incoming.

 

You’ve been able to take the new microcode and “flash” your BIOS?

If you’re talking installing .bat as Admin, Me too... same problem. i7-4700MQ that no longer has “enable spectre” protection option. I Read something about a recent registry tweak certain Windows 7 Updates did -perhaps thats why (if my cursory read understood the crux).

So Im back at Step 1. Is there a full pack, from scratch, uCode download within this thread (with newest microcode)? Thanks in advance... I uninstalled/deleted the application -but want to give it another try. I feel nakey w/o any Spectre protection

 

have you tried this? http://forum.notebookreview.com/thr...-fix-and-meltdown.806451/page-6#post-10664756

 

Ohh, wow. Are you talking about the registry tweak? I vaguely remember reading that when I first stumbled on this uCode/microcode tool... but I totally forgot! If that's what you're talking about... I'll give it a try, and also revert back to the previous microcode. The inability to enable Spectre protection coincided with the last win7 Simplix Update pack (06/15/18)... so I figured it might be a WU thing. Thanks Boss!

 

Yes it is about registry tweak.. sorry for not being clear about it

 

@THEBOSS619 New ucodes are up from Intel. I'm waiting until Ubuntu testing flags off this version. https://downloadcenter.intel.com/download/27945/Linux-Processor-Microcode-Data-File?v=t

 

Looking at it closely

while also monitoring this link too https://github.com/platomav/CPUMicrocodes

 

Here's a link with up-to-date microcode files (sorry if previously posted)...
https://github.com/platomav/CPUMicrocodes

 

Gawd, sorry for the link immediately below your post. Embarrassed. I started at page #1, skimmed through looking for that github link, then said “F-it”, I gotta get back to work. Hah, you had it posted immediately above mine. *Mod* please erase my redundant link/post.

Good lookin out Boss. I was stoked to find it & share -but you already had it covered. My bad. Thanks!

 

I would like to announce that I may not be able to be active or consistent for the incoming weeks (5~6 weeks) due to I'll be out side country related to my job.... lately I was trying to balance out but the pressure was increasing through time until the time it came that I will not be at home so... I will try my best to be able to be present here from time to time or whenever there's new things happening.

Life first than anything else

 

For real! Happy travels. Thanks for all your hard work!

 

I'm still having problems with Enabling Spectre protection via the GRC tool. I've successfully used Jacob Klein's microcode extractor tool with latest Intel Microcode. Haswell i7-4700MQ. Windows 7 (latest Simplix updates applied). Registry Tweak applied (cpumupdate "Start" value from 2 modified to 1). "Enable Spectre Protection" is still greyed out. MBAM is my RealTime AV (which has registry fix). Any help would be appreciated. Thanks much!

 

MBAM 3.x?

 

Thanks man. MBAM 3.5.1.2522. I use MBAM on both my Win7 machines. InSpectre works fine on my Skylake i7-6700 (Gigabyte BIOS update though). The uCode workaround had been working on my Toshiba Haswell 4700MQ -but now Spectre Protection is greyed out. I can't figure it out. w/ new microcode the machine's fan runs less, benchmarks feel better than before (didn't run any though), but feels good. Its still a solid machine w/ 16GB RAM, & 2 SSD's -I'm happy w/ it. D*mn Toshiba (and Intel).

Jacob Klein's tool is working -the microcode.dat file it extracts is the right KB size. GRC/InSpectre notes Microcode Update available (306C3).

Hmmm... maybe I'll look into a MBAM glitch? I really appreciate your reply and any help.