Windows Spectre Patches Are Here, But You Might Want to Wait

To fully protect your PC against Spectre, you need updated Intel CPU microcode. This is normally provided by your PC manufacturer via a UEFI firmware update, but Microsoft now offers an optional patch with the new microcode.

We think most people should wait for their PC manufacturers to roll out this update rather than rush to install Microsoft’s patch. But, if you’re particularly concerned about Spectre attacks, you can get the updated microcode from Microsoft even if your PC manufacturer has no plans to release it. Microsoft’s patch is only available for Windows 10.

Why Your PC May Still Be Vulnerable to Spectre

RELATED: How to Check if Your PC or Phone Is Protected Against Meltdown and Spectre

Spectre and Meltdown were disclosed at the same time, so this can be a bit confusing. The original Windows patch protected against the Meltdown attack, but required a CPU microcode update from Intel to fully protect against Spectre. Technically, the microcode update we’re talking about here protects against Spectre Variant 2, “Branch Target Injection.”

You can check if your PC is protected against Spectre with the Gibson Research Corporation’s InSpectre tool. Assuming you haven’t installed a UEFI firmware update from your computer’s manufacturer—or your motherboard’s manufacturer, if you built your own computer—you’ll see that your computer is vulnerable to Spectre. If you do have those patches installed already, this tool shows how much the patches are affecting your PC’s performance.

To fully enable the Spectre protection, you need new CPU microcode from Intel. CPU microcode is basically firmware for your CPU, and it controls how your CPU works. In general, new CPU microcode is provided through updates to the system’s UEFI firmware, or BIOS. However, many PC manufacturers haven’t yet released CPU microcode updates for their existing PCs, and some PCs may never see updates from their manufacturers.

So, to solve this mess, Microsoft has worked with Intel to provide another way to get microcode updates. Microsoft offers Windows updates that add new microcode files to Windows itself. When Windows boots up, Windows provides the new microcode to the CPU. The microcode will be used until your computer shuts down.

Why You May Want to Wait For Your PC Manufacturer

RELATED: How Will the Meltdown and Spectre Flaws Affect My PC?

This all sounds great, but there’s one concern: system stability. Intel’s original microcode updates caused random reboots on many systems. The new microcode updates seem stable and we haven’t seen reports of widespread problems. However, your computer manufacturer may be taking their time to check that the update won’t cause problems on your PC before they make it available to you.

On Microsoft’s official documentation page, Microsoft says it “is not aware of any issues that affect this update currently,” but also that you should “consult with your device manufacturer’s and Intel’s websites regarding their microcode recommendation for your device before applying this update to your device.”

RELATED: How to Check Your BIOS Version and Update it

This is a little bit of a cop out, as your PC manufacturer probably will not recommend installing a microcode update unless they’re the ones providing it to you.

So, our recommendation is that you first check your PC manufacturer’s website for a UEFI or BIOS update and install that, if possible. If an update isn’t available, and you’re uncomfortable waiting until one is, then you might want to consider Microsoft’s microcode update.

Many of the worst fears about Spectre have been addressed by other software patches, which makes this update less urgent. For example, web browsers have released updates that prevent websites from exploiting Spectre via JavaScript code. Spectre is much harder to exploit than Meltdown was.

We also haven’t seen any serious Spectre exploits in the wild yet. So, overall, we don’t recommend rushing this. It’s possible that Microsoft themselves may want time to test this update before rolling it out to all Windows users automatically via Windows Update, although we have no idea what Microsoft’s future plans for this update may be.

However, some types of systems are still especially vulnerable. Systems that run virtual machines containing untrusted code—like at a cloud hosting service—should almost certainly install the microcode update on those systems.

How to Install the Microcode Updates From Microsoft

We don’t recommend all Windows users rush to install these patches. But, if you’re concerned about Spectre and you want the microcode update now, you can get it.

Note that the microcode updates are only available for some CPUs, and they’re only available for Windows 10 version 1709—that is, the Fall Creators Update. Windows 7, Windows 8, and older versions of Windows 10 are not supported. As of March 13, 2018, the Microsoft patch supports 6th Generation (Skylake), 7th Generation (Kaby Lake), and 8th Generation (Coffee Lake) Intel Core CPUs, as well as some Intel Xeon processors.

You can check if your CPU is specifically supported by running the free InSpectre tool we mentioned above. Look for the “CPUID” line, and then visit the Intel microcode updates page on Microsoft’s website. Check if the CPUID shown in InSpectre on your computer is listed on Microsoft’s page. If it isn’t, the Windows update doesn’t yet support your CPU with microcode updates, but may in the future.

If your CPU is supported and you need the update—for example, if InSpectre says you aren’t protected against Spectre—you can download the update and install it. This update won’t be installed automatically on your PC, but must be downloaded manually through Microsoft’s Update Catalog website.

Download the KB4090007 patch on the Update Catalog website. Both 64-bit and 32-bit versions are available, so download the appropriate one for whichever version of Windows you have installed—x64 for 64-bit Windows, or x86 for 32-bit Windows.

Run the downloaded installer file to install the microcode on your PC. You’ll be prompted to reboot afterwards.

After installing the update, run the InSpectre tool again and it should tell you that your system is protected from Spectre.

Image Credit: Intel, Natascha Eibl

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Twitter.