Microsoft Pushes Intel "Haswell" Microcode Update to Harden Against MDS

btarunr · Oct 18, 2019

Microsoft started deploying microcode updates to some of Intel's older Core, Pentium, and Celeron processor generations through Windows Update. The latest Cumulative Update packages chronicled under "KB4497165" apply to machines running Intel's 4th generation Core "Haswell" processors, and low-power Pentium and Celeron chips based on "Apollo Lake," "Gemini Lake," "Valley View," and "Cherry View" microarchitectures.

The microcode update provides firmware-level hardening against four major variants of the MDS class of security vulnerabilities, namely CVE-2019-11091 (MDS Uncacheable Memory), CVE-2018-12126 (Microarchitectural Store Buffer Data Sampling), CVE-2018-12127 (Microarchitectural Load Port Data Sampling), and CVE-2018-12130 (Microarchitectural Fill Buffer Data Sampling).

View at TechPowerUp Main Site

Solaris17 · Oct 18, 2019

Quick and dirty if interested

Code:

Install-Module SpeculationControl

Code:

Get-SpeculationControlSettings

voltage · Oct 18, 2019

well, gotta hand it to them for doing this, those procs are old and surprised they even bothered. Kudos to them for doing.

notb · Oct 18, 2019

voltage said:
well, gotta hand it to them for doing this, those procs are old and surprised they even bothered. Kudos to them for doing.

Haswell Xeons and Gemini/Apollo Lake are still ubiquitous in enterprise devices - with really no reason to replace unless they die.
Intel will keep supporting them for a long time.

voltage · Oct 18, 2019

notb said:
Haswell Xeons and Gemini/Apollo Lake are still ubiquitous in enterprise devices - with really no reason to replace unless they die.
Intel will keep supporting them for a long time.

Then even More reason they should be commended. Kudos to them for doing good work!

stimpy88 · Oct 18, 2019

So how much performance is this going to cost?

voltage · Oct 18, 2019

stimpy88 said:
So how much performance is this going to cost?

if any, so small you'll never notice

Polo6RGTI_ · Oct 18, 2019

notb · Oct 18, 2019

stimpy88 said:
So how much performance is this going to cost?

Very little. It's a simple and quick fix. Nowhere near what the Spectre tragedy did to modern CPUs.

It became a hot topic since Meltdown, so suddenly you care. But dozens of similar fixes came earlier and you'd have to read every update description to even notice.

voltage said:
Then even More reason they should be commended. Kudos to them for doing good work!

They sell enterprise products, so they have to support them. That's how you get sales in this segment - not with benchmarks, but with cooperation. It's even more important for Intel now that they're slightly under the oomph curve

Crowley · Oct 18, 2019

I agree that this is a very proactive way to help secure computers. I know that the public sector will jump on this patch, hopefully with a little bit of testing first. Doubt it will cause any issues but you need to always test before pushing to a full set of enterprise machines

john_ · Oct 18, 2019

voltage said:
Then even More reason they should be commended. Kudos to them for doing good work!

Wrong.

First we don't know the contracts Intel has for supporting Haswell Xeon. It could have the obligation to support those CPUs for 5-10 years, don't know.

Second. Intel is not doing this because it wants to, but because it needs to. If Intel was offering the best server CPUs in the market TODAY, they could come out and say "Sorry, those Xeon are way old and their warranty expired. Please buy new Xeons". But it doesn't. ALL those customers if they had to choose TODAY, what server CPUs to buy to replace those old Xeons, ALL would have gone for the new EPYC CPUS. Much faster, much cheaper and NO or very few security problems. Intel knows this, so it tries to convince those customers to keep those old Xeons a little longer, as much as needed to keep it's market share and also have more time to prepare, if possible, those 10nm Xeons for next year.

notb · Oct 18, 2019

john_ said:
Wrong.

The comment was OK here, but it got weird later...

First we don't know the contracts Intel has for supporting Haswell Xeon. It could have the obligation to support those CPUs for 5-10 years, don't know.

Contract with whom?
This kind of long-time support contracts could happen in military or HPC clusters. But it doesn't mean the fix would go public.

Intel supports their CPUs for a long time, because that's how they make their business. It's nothing new. They did the same few years ago when AMD wasn't doing anything worth a forum comment.

Second. Intel is not doing this because it wants to, but because it needs to. If Intel was offering the best server CPUs in the market TODAY, they could come out and say "Sorry, those Xeon are way old and their warranty expired. Please buy new Xeons". But it doesn't. ALL those customers if they had to choose TODAY, what server CPUs to buy to replace those old Xeons, ALL would have gone for the new EPYC CPUS. Much faster, much cheaper and NO or very few security problems.

This fix is for low power SoCs and for old Xeons. Performance? WTF?
Xeons would have to be from 2013-2014, so it's very unlikely they'd still serve in first tier, production systems. More like testing, file servers, fun projects...

Market share of AMD in servers was 4-5% in 2019Q3, so that's how many clients choose EPYC. That's clearly not "ALL".

And saying that AMD has "no or very few security problems" is not even fantasy. It's just obviously wrong.
The only thing one can say is that less vulnerabilities are found compared to Intel.

john_ · Oct 18, 2019

notb said:
And saying that AMD has "no or very few security problems" is not even fantasy. It's just obviously wrong.
The only thing one can say is that less vulnerabilities are found compared to Intel.

About this one. I don't see news about serious AMD vulnerabilities and AMD/Microsoft rushing to publish fixes. Do you?
Now, every processor is vulnerable to attacks where, for example, the attacker works at the company, is in fact the IT manager and has all the keys to the systems. Maybe you mean something like that?

jgraham11 · Oct 18, 2019

john_ said:
Wrong.

First we don't know the contracts Intel has for supporting Haswell Xeon. It could have the obligation to support those CPUs for 5-10 years, don't know.

Second. Intel is not doing this because it wants to, but because it needs to. If Intel was offering the best server CPUs in the market TODAY, they could come out and say "Sorry, those Xeon are way old and their warranty expired. Please buy new Xeons". But it doesn't. ALL those customers if they had to choose TODAY, what server CPUs to buy to replace those old Xeons, ALL would have gone for the new EPYC CPUS. Much faster, much cheaper and NO or very few security problems. Intel knows this, so it tries to convince those customers to keep those old Xeons a little longer, as much as needed to keep it's market share and also have more time to prepare, if possible, those 10nm Xeons for next year.

Not mention that they released all these products for so many years with so many high security risk bugs... I guess we're supposed to be thankful that Intel is fixing their broken products. Its about time Intel cared about security!

jayjr1105 · Oct 18, 2019

This website keeps track of known security vulnerabilites within any vendor... https://www.cvedetails.com/vendor-search.php

Intel: 247
AMD: 16

cygnus_1 · Oct 19, 2019

voltage said:
well, gotta hand it to them for doing this, those procs are old and surprised they even bothered. Kudos to them for doing.

5.5 years old isn’t *that* old.... sheesh. They were only discontinued 2 years ago.

holyprof · Oct 19, 2019

cygnus_1 said:
5.5 years old isn’t *that* old.... sheesh. They were only discontinued 2 years ago.

Yep, I'm 100% with you.
Expected server life is what, 10+ years right? It's not a smartphone that you throw away after 2 years because it's too old / unsupported by vendor / battery died.

Crowley · Oct 19, 2019

holyprof said:
Yep, I'm 100% with you.
Expected server life is what, 10+ years right? It's not a smartphone that you throw away after 2 years because it's too old / unsupported by vendor / battery died.

I fully agree 5 years is not old but when it comes to 10 years, I would say that most enterprise scenarios typically perform some sort of server refresh around 4-5 years. Could they last 10 years, probably but depending what is running on these 10 year old servers/CPU, things like Virtualization may not work to it's full potential. As new technology comes out, the software can be designed to work more efficiently with new CPUs as the code can be tailored to specific processors

john_ · Oct 20, 2019

A simple google search and you read titles, in 2019, that say "43% of businesses are still running Windows 7" and "It's 2019, and one third of businesses still have active Windows XP deployments"

R-T-B · Oct 21, 2019

notb said:
Very little. It's a simple and quick fix. Nowhere near what the Spectre tragedy did to modern CPUs.

Uh... no. IIRC, Benchmarks have been pegging it at around 2-10%. It's not "very little" by any stretch. Media access is hit the worst I think.

Don't quote those exact numbers but "very little" is not being completely honest.

Likewise, I'd not advise people to avoid this fix either. Even if it was 15-20% on a complete average I'd advise home users to apply it. Fortunately it's way less. But it's not nothing.

As for enterprise? There is no choice, apply it. Even if it was a 80%+ hit I would say the same there.

jayjr1105 said:
This website keeps track of known security vulnerabilites within any vendor... https://www.cvedetails.com/vendor-search.php

Intel: 247
AMD: 16

Biggest elephant gets poked the most. Even if their chips had less overall vulnerabilities, you would never know it. It's a huge case of sample bias.

holyprof said:
Yep, I'm 100% with you.
Expected server life is what, 10+ years right? It's not a smartphone that you throw away after 2 years because it's too old / unsupported by vendor / battery died.

Yeah, and honestly the smartphone ideology sucks too

john_ said:
ALL would have gone for the new EPYC CPUS.

All? Jesus man, can I get a "yeah right" here?

Corperations are inherently conservative. HALF is the most I could see migrating, and that's probably giving AMDs market penatration way too much credit. Not saying that wouldn't be smart... but the people who approve these purchases simply don't understand, and don't care or want to learn either.

john_ · Oct 21, 2019

R-T-B said:
All? Jesus man, can I get a "yeah right" here?

Corperations are inherently conservative. HALF is the most I could see migrating, and that's probably giving AMDs market penatration way too much credit. Not saying that wouldn't be smart... but the people who approve these purchases simply don't understand, and don't care or want to learn either.

This period of time, security, price and performance are on AMD's side. So with maybe superficial criteria, everyone would have the EPYC as the standard option. But in corporations the parameters are probably too many and unknown to me, so let's change that to "enough to make Intel feel (very) uncomfortable".

System Name	RBMK-1000
Processor	AMD Ryzen 7 5700G
Motherboard	ASUS ROG Strix B450-E Gaming
Cooling	DeepCool Gammax L240 V2
Memory	2x 8GB G.Skill Sniper X
Video Card(s)	Palit GeForce RTX 2080 SUPER GameRock
Storage	Western Digital Black NVMe 512GB
Display(s)	BenQ 1440p 60 Hz 27-inch
Case	Corsair Carbide 100R
Audio Device(s)	ASUS SupremeFX S1220A
Power Supply	Cooler Master MWE Gold 650W
Mouse	ASUS ROG Strix Impact
Keyboard	Gamdias Hermes E2
Software	Windows 11 Pro

System Name	RogueOne
Processor	Xeon W9-3495x
Motherboard	ASUS w790E Sage SE
Cooling	SilverStone XE360-4677
Memory	128gb Gskill Zeta R5 DDR5 RDIMMs
Video Card(s)	MSI SUPRIM Liquid X 4090
Storage	1x 2TB WD SN850X \| 2x 8TB GAMMIX S70
Display(s)	49" Philips Evnia OLED (49M2C8900)
Case	Thermaltake Core P3 Pro Snow
Audio Device(s)	Moondrop S8's on schitt Gunnr
Power Supply	Seasonic Prime TX-1600
Mouse	Lamzu Atlantis mini (White)
Keyboard	Monsgeek M3 Lavender, Moondrop Luna lights
VR HMD	Quest 3
Software	Windows 11 Pro Workstation
Benchmark Scores	I dont have time for that.

Processor	AMD Ryzen 9 5950X
Motherboard	Asus ROG Crosshair VIII Hero WiFi
Cooling	Arctic Liquid Freezer II 420
Memory	32Gb G-Skill Trident Z Neo @3806MHz C14
Video Card(s)	MSI GeForce RTX2070
Storage	Seagate FireCuda 530 1TB
Display(s)	Samsung G9 49" Curved Ultrawide
Case	Cooler Master Cosmos
Audio Device(s)	O2 USB Headphone AMP
Power Supply	Corsair HX850i
Mouse	Logitech G502
Keyboard	Cherry MX
Software	Windows 11

Processor	Intel i7-8700k @ 5.0GHz
Motherboard	Gigabyte Z390 Aurous Pro
Cooling	Corsair H115i Pro
Memory	G.SKILL TridentZ Series 32GB DDR4 3200
Video Card(s)	EVGA RTX 2080 SUPER XC Ultra
Storage	Samsung 870 EVO+ 500GB NVMe and Samsung 850 EVO 1TB SSD
Display(s)	ASUS ROG PG279Q 27" IPS QHD w/ G-Sync @ 144hz
Case	Cooler Master H500M
Audio Device(s)	Corsair VOID PRO
Power Supply	Corsair 1000w Gold Rated
Mouse	Logitech G700
Software	Win10 1909

System Name	3 desktop systems: Gaming / Internet / HTPC
Processor	Ryzen 5 5500 / Ryzen 5 4600G / FX 6300 (12 years latter got to see how bad Bulldozer is)
Motherboard	MSI X470 Gaming Plus Max (1) / MSI X470 Gaming Plus Max (2) / Gigabyte GA-990XA-UD3
Cooling	Νoctua U12S / Segotep T4 / Snowman M-T6
Memory	32GB - 16GB G.Skill RIPJAWS 3600+16GB G.Skill Aegis 3200 / 16GB JUHOR / 16GB Kingston 2400MHz (DDR3)
Video Card(s)	ASRock RX 6600 + GT 710 (PhysX)/ Vega 7 integrated / Radeon RX 580
Storage	NVMes, ONLY NVMes/ NVMes, SATA Storage / NVMe boot(Clover), SATA storage
Display(s)	Philips 43PUS8857/12 UHD TV (120Hz, HDR, FreeSync Premium) ---- 19'' HP monitor + BlitzWolf BW-V5
Case	Sharkoon Rebel 12 / CoolerMaster Elite 361 / Xigmatek Midguard
Audio Device(s)	onboard
Power Supply	Chieftec 850W / Silver Power 400W / Sharkoon 650W
Mouse	CoolerMaster Devastator III Plus / CoolerMaster Devastator / Logitech
Keyboard	CoolerMaster Devastator III Plus / CoolerMaster Devastator / Logitech
Software	Windows 10 / Windows 10&Windows 11 / Windows 10

Microsoft Pushes Intel "Haswell" Microcode Update to Harden Against MDS

btarunr

Editor & Senior Moderator

Solaris17

Super Dainty Moderator

voltage

notb

voltage

stimpy88

voltage

Polo6RGTI_

New Member

notb

Crowley

john_

notb

john_

jgraham11

New Member

jayjr1105

cygnus_1

New Member

holyprof

Crowley

john_

R-T-B

john_

System Name	Ryzen 1
Processor	Ryzen 5800X
Motherboard	MSI B550 Gaming Plus
Cooling	Scythe Fuma 2
Memory	32GB Patriot Viper 3600 CL16
Video Card(s)	AMD RX 7800 XT 16GB
Storage	SSD's
Display(s)	HP X32 32" 1440p 165Hz
Case	Phanteks P400A
Power Supply	Superflower Leadex III 750w

System Name	Dreamstation2
Processor	Ryzen 7 3700X
Motherboard	MSI X470 Gaming Plus
Cooling	Hyper 212 Black Edition
Memory	Kingston HyperX 32GB DDR4 3200 CL16
Video Card(s)	Aorus 2080 Ti Turbo (sounds like a vaccum cleaner at full load)
Storage	2 x 1TB M.2 NVME + 1TB 2.5" SSD
Display(s)	Samsung Odyssey G7 32" 4k
Case	NZXT H500i
Audio Device(s)	Asus Xonar U3 / Audio-Technica ATH-M50x / Edifier R1855DB
Power Supply	Corsair TX650M
Mouse	Corsair Scimitar Pro RGB
Keyboard	Cooler Master Masterkeys Lite L

System Name	Pioneer
Processor	Ryzen R9 9950X
Motherboard	GIGABYTE Aorus Elite X670 AX
Cooling	Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory	64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s)	XFX RX 7900 XTX Speedster Merc 310
Storage	Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s)	55" LG 55" B9 OLED 4K Display
Case	Thermaltake Core X31
Audio Device(s)	TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply	FSP Hydro Ti Pro 850W
Mouse	Logitech G305 Lightspeed Wireless
Keyboard	WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software	Gentoo Linux x64 / Windows 11 Enterprise IoT 2024