>When there's a bug in the CPU microcode, you're at the mercy of your motherboard vendor to release a new system BIOS that will update it for you—you can't just go to some download link at AMD and apply a fix yourself.
I think this is the real kicker, and might represent one of the next major fronts in the security struggle. It's a little different from the debates happening right now about support periods, that at least has clear economic implications. It's one thing to argue about whether a product should still be supported at all. But it's quite another when something is being supported, and does in fact have a patch available, yet many owners still can not apply it anyway. That seems like an avoidable failure, and something worth considering legislation around. The industry could and should have more standardized methods and requirements to make sure that any patches that are created do make it out to product owners quickly and universally, there just hasn't been consistent motivation.
At least on Linux, that's not true. Intel publishes microcode updates on Github [1] (and distros package it) and AMD has it upstreamed in linux-firmware [2], so you don't have to rely on motherboard vendors at all.
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Dat...
[2] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/lin...