Tuesday, March 6th 2018
Microsoft Pushes New Software-Based Spectre, Meltdown Mitigation Patches
The Spectre/Meltdown road is long and pocked with lawsuits and security holes as it is, and Microsoft is one of the players trying to put the asphalt back into tip-top, Autobahn-worthy shape. The company has already improved users' protection against the Meltdown and Spectre exploits on the OS side; however, hardware patches, and specifically BIOS-level ones, are much harder to deploy and distribute across the PC supply chain. That may be one of the reasons why Microsoft is now again stepping up with software-based mitigations, specifically for Intel-based systems.
The new updates deliver a CPU microcode revision update in software, loaded at the OS level, to plug security holes in your Intel processor that might otherwise remain unpatched. The reasons for them remaining unpatched can be many: Intel taking even more time to deploy patches to still-vulnerable systems; your OEM not shipping the Intel CPU microcode revisions via a BIOS update; or the good old "I forgot I could do it" user story. Of course, being software-based means these Microsoft patches will have to be reapplied should users format and reinstall their Windows system. For now the update can only be manually downloaded and installed, and only applies to version 1709 (Fall Creators Update) and Windows Server version 1709 (Server Core), but that's definitely better than the alternative of forcing less knowledgeable users to find their way through BIOS updates. Of course, that is assuming OEMs will ever push BIOS updates to their products.
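Because the microcode is loaded by the OS at boot rather than flashed into the BIOS, an administrator will want to confirm after patching (and again after any reinstall) that the host is on version 1709, runs an Intel CPU, and actually reports the branch-target-injection (Spectre variant 2) hardware support as present. The following PowerShell is an added example written for this article, not Microsoft's code; it assumes Microsoft's SpeculationControl module from the PowerShell Gallery (`Install-Module SpeculationControl`) is installed for the detailed mitigation check, and the `Get-MitigationReport` function name is the example's own.

```powershell
# Added example (not from the article): report Windows release, CPU vendor and
# Spectre/Meltdown mitigation state on the local host.
# Assumption: Microsoft's SpeculationControl module is installed
# (Install-Module SpeculationControl) for the detailed part of the check.

function Get-MitigationReport {
    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1

    $report = [ordered]@{
        ReleaseId    = $cv.ReleaseId                          # '1709' on Fall Creators Update
        Build        = "$($cv.CurrentBuild).$($cv.UBR)"       # OS build and update revision
        CpuName      = $cpu.Name
        IsIntel      = ($cpu.Manufacturer -eq 'GenuineIntel') # article's update targets Intel only
        Eligible1709 = ($cv.ReleaseId -eq '1709')             # the only release the update applies to
    }

    # Detailed state via Microsoft's SpeculationControl module (assumed installed).
    if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
        $s = Get-SpeculationControlSettings -Quiet
        # BTIHardwarePresent flips to True once microcode with the new
        # speculation controls is loaded, whether from BIOS or from the OS.
        $report.BTIHardwarePresent             = $s.BTIHardwarePresent
        $report.BTIWindowsSupportPresent       = $s.BTIWindowsSupportPresent
        $report.BTIWindowsSupportEnabled       = $s.BTIWindowsSupportEnabled
        # Meltdown (rogue data cache load) mitigation: kernel VA shadowing.
        $report.KVAShadowRequired              = $s.KVAShadowRequired
        $report.KVAShadowWindowsSupportEnabled = $s.KVAShadowWindowsSupportEnabled
    } else {
        $report.Note = 'SpeculationControl module not installed; run Install-Module SpeculationControl'
    }

    [pscustomobject]$report
}

Get-MitigationReport | Format-List
```

A host that shows `Eligible1709` and `IsIntel` as True but `BTIHardwarePresent` as False has not received new microcode from either the BIOS or the OS-delivered update; re-running the check after a reinstall catches the case the article warns about, where the software-loaded microcode is lost with the Windows installation.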
Sources:
Microsoft, via Tom's Hardware
22 Comments on Microsoft Pushes New Software-Based Spectre, Meltdown Mitigation Patches
It would be cool if they let you choose the apps that it applied to... that way my SQL box wouldn't take a hit running SQL Server, but Chrome would.
And since this is literally the same microcode fix in a software package, performance will be identical.
wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown/TechFAQ#Retpoline
wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
www.amd.com/en/corporate/speculative-execution
AMD is not vulnerable to meltdown, has fixes out for type 1 spectre, isn't proven to be vulnerable to type 2, so retpoline covers it completely and they have optional microcodes for the paranoid.
Charts for linux patches are further confused because AMD64 is just 64bit kernel not AMD chips... yay.
www.techpowerup.com/forums/threads/february-windows-10-update-causing-loss-of-usb-and-blue-screens.241831/#post-3808582
They also have yet to produce the optional microcode they promised. I've been looking hard for a very long time.
The problem with a branch injection is the prediction engine is a nn ... it's learning and not exactly repeatable...which is needed for making exploits.
I have yet to see them specifically say that they found it vulnerable, just that they see its theoretically possible, but super hard.
I also have not seen anyone posting demonstration of it being vulnerable like I saw for type 1.
Optional microcode would be delivered to vendors, not individuals, also for type 2, type 1 microcode was delivered Jan 4th.
Why would vendors push microcode for type 2 if retpoline completely covers it... and it hasn't been demonstrated to be vulnerable.
But please... if you have a source showing that is truly vulnerable to type 2 please post it.
I am trying to keep updated on this cluster F but there is tons of misinformation and contradictory information floating around.
googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html Heck, even the research team only got type 1 working on AMD hardware... but feel free to contradict them without proof.
MS will release software patches that everyone will get. Yay i guess.
Intel will release patches to motherboard vendors to provide a BIOS update that anyone who has extensive knowledge will already know to do. Regular Joe Schmoe won't care, let alone really even know, and therefore won't update the BIOS.
Almost nothing for general consumers. Some prosumers may be hit.
Where I got the date from...I work on servers, so I am a tad server centric in my knowledge.
Epyc patches are at least out... but yeah not seeing consumer board updates.
I will ping Patrick @ STH and see if he can ask AMD directly.