Friday, October 18th 2019
Microsoft Pushes Intel "Haswell" Microcode Update to Harden Against MDS
Microsoft has started deploying microcode updates to some of Intel's older Core, Pentium, and Celeron processor generations through Windows Update. The latest cumulative update packages, catalogued under "KB4497165", apply to machines running Intel's 4th generation Core "Haswell" processors and low-power Pentium and Celeron chips based on the "Apollo Lake," "Gemini Lake," "Valley View," and "Cherry View" microarchitectures.
The microcode update provides firmware-level hardening against the four variants of the MDS (Microarchitectural Data Sampling) class of vulnerabilities: CVE-2019-11091 (Microarchitectural Data Sampling Uncacheable Memory), CVE-2018-12126 (Microarchitectural Store Buffer Data Sampling), CVE-2018-12127 (Microarchitectural Load Port Data Sampling), and CVE-2018-12130 (Microarchitectural Fill Buffer Data Sampling). As with every MDS mitigation, the new microcode only helps if the operating system has the matching kernel support and it is enabled; a microcode update alone does not close the holes.
Source: Microsoft
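The practical question an administrator has after an update like this is whether the new microcode actually landed and whether Windows is using it. The script below is an added example, not part of the article and not Microsoft's own tooling. It assumes the SpeculationControl module from the PowerShell Gallery is installed (Install-Module SpeculationControl), that Windows mirrors the CPU's microcode signature into the CentralProcessor registry key in the layout described in the comments, and it uses CPUID family 6 model numbers for the listed microarchitectures taken from Intel's public documentation rather than from the article.

```powershell
# Added example (not from the article or from Microsoft): report whether this host is one
# of the CPU families named in KB4497165, which microcode revision is loaded, and whether
# the MDS mitigation (CVE-2018-12126/12127/12130, CVE-2019-11091) is actually in effect.
# Assumptions: the SpeculationControl module is installed, and the model numbers below
# come from Intel's public CPUID documentation (they are not stated in the article).

# CPUID family 6 model numbers for the microarchitectures the update covers.
$AffectedModels = @{
    0x3C = 'Haswell (client)'
    0x45 = 'Haswell ULT'
    0x46 = 'Haswell GT3e'
    0x3F = 'Haswell-E / Haswell-EP (Xeon E5/E7 v3)'
    0x37 = 'Valley View (Bay Trail)'
    0x4C = 'Cherry View (Cherry Trail / Braswell)'
    0x5C = 'Apollo Lake'
    0x7A = 'Gemini Lake'
}

function Get-CpuFamilyModel {
    # Win32_Processor.Description looks like "Intel64 Family 6 Model 60 Stepping 3".
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    if ($cpu.Description -match 'Family (\d+) Model (\d+) Stepping (\d+)') {
        return [pscustomobject]@{
            Name     = $cpu.Name
            Family   = [int]$Matches[1]
            Model    = [int]$Matches[2]
            Stepping = [int]$Matches[3]
        }
    }
    throw "Unrecognised processor description: $($cpu.Description)"
}

function Get-MicrocodeRevision {
    # Windows stores the value of MSR 0x8B (IA32_BIOS_SIGN_ID) as a REG_BINARY; the
    # microcode update signature is the upper 32 bits, i.e. bytes 4..7 (little-endian).
    # "Previous Update Revision" is what the BIOS loaded before the OS applied its own.
    $key   = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
    $props = Get-ItemProperty -Path $key
    if (-not $props.'Update Revision') { throw "No 'Update Revision' value under $key" }
    $current  = [BitConverter]::ToUInt32($props.'Update Revision', 4)
    $previous = 0
    if ($props.'Previous Update Revision') {
        $previous = [BitConverter]::ToUInt32($props.'Previous Update Revision', 4)
    }
    return [pscustomobject]@{ Current = $current; Previous = $previous }
}

$cpu = Get-CpuFamilyModel
$mc  = Get-MicrocodeRevision
Write-Host ("CPU: {0} (family {1}, model 0x{2:X2}, stepping {3})" -f `
    $cpu.Name, $cpu.Family, $cpu.Model, $cpu.Stepping)
Write-Host ("Microcode revision: 0x{0:X} (BIOS-supplied: 0x{1:X})" -f $mc.Current, $mc.Previous)

if ($cpu.Family -eq 6 -and $AffectedModels.ContainsKey($cpu.Model)) {
    Write-Host ("This is a {0} part, in scope for KB4497165." -f $AffectedModels[$cpu.Model])
} else {
    Write-Host 'Not one of the CPU families named in KB4497165; other updates may apply.'
}

# The MDS mitigation needs three things at once: microcode that implements the MD_CLEAR
# buffer-overwrite behaviour, an OS that knows how to use it, and that OS support being
# enabled. Get-SpeculationControlSettings reports each of the three separately.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    $sc    = Get-SpeculationControlSettings -Quiet
    $mdsOk = $sc.MDSWindowsSupportPresent -and $sc.MDSWindowsSupportEnabled
    $verdict = if ($mdsOk) { 'mitigated' } elseif (-not $sc.MDSHardwareVulnerable) { 'not affected' } else { 'NOT mitigated' }
    Write-Host ("MDS: hardware vulnerable={0}, OS support present={1}, enabled={2} -> {3}" -f `
        $sc.MDSHardwareVulnerable, $sc.MDSWindowsSupportPresent, $sc.MDSWindowsSupportEnabled, $verdict)
} else {
    Write-Warning 'SpeculationControl module not found; run Install-Module SpeculationControl first.'
}
```

Run it once before the cumulative update and once after a reboot: the microcode revision should change and the MDS line should move from "NOT mitigated" to "mitigated". If the revision changes but OS support stays "present=False", the kernel side of the fix (the same cumulative update) has not been applied, and the microcode on its own does nothing for MDS.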
20 Comments on Microsoft Pushes Intel "Haswell" Microcode Update to Harden Against MDS
Intel will keep supporting them for a long time.
It became a hot topic since Meltdown, so suddenly you care. But dozens of similar fixes came earlier and you'd have to read every update description to even notice. They sell enterprise products, so they have to support them. That's how you get sales in this segment - not with benchmarks, but with cooperation. It's even more important for Intel now that they're slightly under the oomph curve :)
First, we don't know the contracts Intel has for supporting Haswell Xeon. It could have the obligation to support those CPUs for 5-10 years, don't know.
Second, Intel is not doing this because it wants to, but because it needs to. If Intel was offering the best server CPUs in the market TODAY, they could come out and say "Sorry, those Xeons are way old and their warranty expired. Please buy new Xeons". But it doesn't. ALL those customers, if they had to choose TODAY what server CPUs to buy to replace those old Xeons, ALL would have gone for the new EPYC CPUs. Much faster, much cheaper and NO or very few security problems. Intel knows this, so it tries to convince those customers to keep those old Xeons a little longer, as much as needed to keep its market share and also have more time to prepare, if possible, those 10nm Xeons for next year.
This kind of long-time support contracts could happen in military or HPC clusters. But it doesn't mean the fix would go public.
Intel supports their CPUs for a long time, because that's how they make their business. It's nothing new. They did the same few years ago when AMD wasn't doing anything worth a forum comment. This fix is for low power SoCs and for old Xeons. Performance? WTF?
Xeons would have to be from 2013-2014, so it's very unlikely they'd still serve in first tier, production systems. More like testing, file servers, fun projects...
Market share of AMD in servers was 4-5% in 2019Q3, so that's how many clients choose EPYC. That's clearly not "ALL".
And saying that AMD has "no or very few security problems" is not even fantasy. It's just obviously wrong.
The only thing one can say is that fewer vulnerabilities are found compared to Intel.
Now, every processor is vulnerable to attacks where, for example, the attacker works at the company, is in fact the IT manager and has all the keys to the systems. Maybe you mean something like that?
Intel: 247
AMD: 16
Expected server life is what, 10+ years right? It's not a smartphone that you throw away after 2 years because it's too old / unsupported by vendor / battery died.
Don't quote those exact numbers but "very little" is not being completely honest.
Likewise, I'd not advise people to avoid this fix either. Even if it was 15-20% on a complete average I'd advise home users to apply it. Fortunately it's way less. But it's not nothing.
As for enterprise? There is no choice, apply it. Even if it was an 80%+ hit I would say the same there. Biggest elephant gets poked the most. Even if their chips had less overall vulnerabilities, you would never know it. It's a huge case of sample bias. Yeah, and honestly the smartphone ideology sucks too.
All? Jesus man, can I get a "yeah right" here?
Corporations are inherently conservative. HALF is the most I could see migrating, and that's probably giving AMD's market penetration way too much credit. Not saying that wouldn't be smart... but the people who approve these purchases simply don't understand, and don't care or want to learn either.