Update: This story has been updated at 12:04 PM to include Intel’s explanation of the new microcode.
If your PC includes an Intel processor, it will likely receive a mysterious new update originally pushed out by the company on Friday.
Three things about this release are somewhat concerning. First, Intel released the new CPU microcode as an “out of band” or unscheduled release. Second, it covers just about everything Intel has on the market today — dating all the way back to the 2017 8th-gen Core (“Coffee Lake”) chips. (The code itself is on the Intel GitHub page, listing all of the affected processors up to and including Intel’s most recent 13th-gen Core chips. Intel Xeons are affected, too.) Finally, the secretive and sudden nature of this patch raises eyebrows.
You do not need to try and download and install this code; motherboard vendors and even Microsoft itself will incorporate the security release inside updates for their own products. (Microsoft issues its own hardware drivers, especially for the Surface notebooks and tablets it produces.) You can probably expect that the new code will show up in a Windows update or a BIOS update from the board manufacturer itself.
Like Microsoft, Intel typically publishes vulnerability information on what’s known as “Patch Tuesday,” or the first Tuesday of the month. (As an example, Intel released information noting that its Smart Campus Android app could be used as a handheld Denial of Service (DOS) mechanism. Fun!) The fact that this code release wasn’t scheduled on that day signifies that Intel wasn’t aware of the vulnerability then, and felt it was significant enough to release a patch on Friday rather than waiting for next month.
So what’s all the fuss about? We don’t know, although Intel did respond.
“Microcode 20230512 update released on May 12, 2023 does not contain any security updates and the note, [INTEL-SA-NA], is meant to convey that there are no applicable (Not Applicable) security updates in the package,” an Intel spokeswoman said in an email. “The microcode update includes functional updates only (also documented in product erratum).”
So while we still don’t know what the microcode actually fixes, Intel’s response gives us a better idea that the microcode isn’t actually a repeat of the Meltdown and Spectre bugs of 2018. That’s a relief.