If you’ve been worried about receiving Spectre and Meltdown BIOS patches for the PC you built yourself, there may be a solution: Microsoft has begun supplying them itself via an archive on its site.
Typically, Spectre and Meltdown mitigations have followed a traditional pattern: Microsoft patches Windows via Windows Update, antivirus companies like AVG patch their antivirus software, and so on. Intel, too, authors patches, as it recently did for Haswell and Broadwell CPUs. But unlike Microsoft, Intel doesn’t directly ship those patches to end users—it uses its network of PC makers and motherboard vendors to distribute them, after the appropriate testing by each vendor.
Microsoft falls into an area somewhere between the two. It has been responsible for patching Windows for Meltdown and Spectre, and it distributes Intel-authored patches to its various Surface products. Now Microsoft will archive both its own patches, and Intel’s, too.
Currently, the microcode being archived is just a fraction of Intel’s available patches (which so far cover the Skylake H-, S-, U-, and Y-series microprocessors). The microcode is available as part of a patch for Windows 10 version 1709 (the Fall Creators Update): KB4090007, which will be stored as part of Microsoft’s Update Catalog. It’s a standalone update, meaning it won’t be part of a subsequent “rollup” update.
What isn’t clear is whether Microsoft will also push out Intel’s microcode via Windows Update, its usual distribution mechanism for supplying patches. Historically, Windows Update has offered a checkbox to allow users to receive patches for other hardware inside or connected to their PC, and not just Windows. It seems that Intel is piggybacking on Microsoft’s distribution network to push Spectre patches where they need to be, and fast.
Though neither Microsoft nor Intel clarified exactly why Microsoft is providing Intel’s microcode, the likely reason is to support smaller PC makers, and especially motherboard makers, who lack either the distribution network or the incentive to distribute patches as quickly as Intel and Microsoft would like. Microsoft is also using KB4090007 as a sort of catchall: For now, Microsoft is only saying that “some” Skylake devices will be supported by the patch, and more will be added as Microsoft works with Intel, chipset, and device makers to supply more mitigations.
What this means to you: If you’ve built a PC using parts from a smaller vendor, patches and other firmware updates might be slow to arrive. Normally, this might be an acceptable risk. Intel rightly feels that it has an obligation to push those Spectre patches out as quickly as possible.