Tuesday, March 6th 2018

Microsoft Pushes New Software-Based Spectre, Meltdown Mitigation Patches

The Spectre/Meltdown road is long and pocked with lawsuits and security holes as it is, and Microsoft is one of the players trying to get the asphalt back into tip-top, Autobahn-worthy shape. The company has already hardened its OS against the Meltdown and Spectre exploits; hardware patches, however, and specifically BIOS updates, are much harder to deploy and distribute through the PC supply chain. That may be one of the reasons why Microsoft is now stepping up once more with software-based mitigations, specifically for Intel-based systems.

The new updates apply a CPU microcode revision via software, working at the OS level to plug security holes in your Intel processor that might otherwise remain unpatched. The reasons for them remaining unpatched can be many: Intel taking even more time to deploy patches to the still-vulnerable systems; your OEM not shipping the Intel CPU microcode revision via a BIOS update; or the good old "I forgot I could do it" user story. Of course, being software-based means these Microsoft patches will have to be reapplied should users format their Windows system. The update can for now only be downloaded and installed manually, and applies only to Windows 10 version 1709 (Fall Creators Update) and Windows Server version 1709 (Server Core), but that is definitely better than the alternative of forcing less knowledgeable users to find their way through BIOS updates. That is, of course, assuming OEMs will ever push BIOS updates for their products at all.
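Whether the OS-delivered microcode actually took effect is not obvious from the installer alone. The following PowerShell check is an added example, not part of the article or of Microsoft's update package; it assumes Microsoft's published SpeculationControl module from the PowerShell Gallery and the documented FeatureSettingsOverride registry values, and reports whether branch-target-injection (Spectre variant 2) microcode is present and whether Windows is actually using it.

```powershell
# Added example: verify whether the Spectre variant 2 (branch target injection)
# mitigation is active after installing the microcode package.
# Assumes Microsoft's SpeculationControl module (PowerShell Gallery) and admin rights.
#Requires -RunAsAdministrator

if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl

# -Quiet suppresses the module's narrative output and returns only the status object.
$s = Get-SpeculationControlSettings -Quiet

# Registry knobs Microsoft documents for enabling/disabling the mitigations.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue

[pscustomobject]@{
    OSBuild                     = [System.Environment]::OSVersion.Version.Build
    MicrocodeSupportPresent     = $s.BTIHardwarePresent           # CPU exposes BTI mitigation features (microcode loaded)
    WindowsSupportPresent       = $s.BTIWindowsSupportPresent     # OS build carries the mitigation code
    MitigationEnabled           = $s.BTIWindowsSupportEnabled     # OS is actually using it
    DisabledByPolicy            = $s.BTIDisabledBySystemPolicy
    DisabledNoHardware          = $s.BTIDisabledByNoHardwareSupport
    FeatureSettingsOverride     = $reg.FeatureSettingsOverride
    FeatureSettingsOverrideMask = $reg.FeatureSettingsOverrideMask
} | Format-List | Out-Host

# Interpret the combinations the article describes.
if (-not $s.BTIHardwarePresent) {
    Write-Warning 'No BTI-capable microcode loaded: neither a BIOS update nor the OS-delivered microcode package is in effect.'
} elseif (-not $s.BTIWindowsSupportEnabled) {
    Write-Warning 'Microcode is present but Windows is not using it.'
    if ($s.BTIDisabledBySystemPolicy) {
        # On Windows Server the mitigation is opt-in via the registry (per Microsoft's server guidance).
        Write-Warning 'Disabled by registry policy: set FeatureSettingsOverride=0 and FeatureSettingsOverrideMask=3 under the Memory Management key, then reboot.'
    }
} else {
    Write-Output 'Spectre variant 2 mitigation is active (microcode present and OS support enabled).'
}
```

Because the microcode is reapplied by the OS at every boot, rerunning this after a reinstall or an in-place upgrade shows immediately whether the package needs to be installed again.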
Sources: Microsoft, via Tom's Hardware

22 Comments on Microsoft Pushes New Software-Based Spectre, Meltdown Mitigation Patches

#2
eidairaman1
The Exiled Airman
CrAsHnBuRnXp said:
I still could care less about this.
You shouldn't care at all then, because apparently you do care lol.
#3
CrAsHnBuRnXp
eidairaman1 said:
You shouldn't care at all then, because apparently you do care lol.
Nah. Just tired of seeing this shit already.
#4
R-T-B
CrAsHnBuRnXp said:
Nah. Just tired of seeing this shit already.
It's an industry issue. Don't like? Don't click.
#5
phanbuey
I'm wondering if the performance is better here than the BIOS one.

It would be cool if they let you choose the apps that it applied to... that way my SQL box wouldn't take a hit running SQL Server, but Chrome would.
#6
Patriot
phanbuey said:
I'm wondering if the performance is better here than the BIOS one.

It would be cool if they let you choose the apps that it applied to... that way my SQL box wouldn't take a hit running SQL Server, but Chrome would.
In Linux, for Spectre, retpoline (software fix) is the preferred solution; the microcode solution takes a small performance hit, retpoline does not.
#7
R-T-B
Patriot said:
In Linux, for Spectre, retpoline (software fix) is the preferred solution; the microcode solution takes a small performance hit, retpoline does not.
AFAIK both are needed for complete security.

And since this is literally the same microcode fix in a software package, performance will be identical.
#8
Patriot
R-T-B said:
AFAIK both are needed for complete security.

And since this is literally the same microcode fix in a software package, performance will be identical.
Sigh... thought I specified AMD... guess not.
Retpoline is a software workaround that mitigates against SV2 on platforms preceding Intel Skylake. This workaround does not require microcode in order to be active; however, it requires that code be recompiled with a compiler enabled with this feature. Recompiling the kernel with this feature is simple, but updating all of userspace is a significant effort, without which protection from speculative userspace attacks needs to rely on the slower hardware-based mitigations.
So yes, Intel requires both microcode and retpoline for Spectre: microcode for Spectre type 1, and retpoline for type 2, though because retpoline requires a recompile of all software, a microcode update to cover part 2 is generally installed... and is slower than the retpoline solution.

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown/TechFAQ#Retpoline
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

https://www.amd.com/en/corporate/speculative-execution
AMD is not vulnerable to Meltdown, has fixes out for type 1 Spectre, isn't proven to be vulnerable to type 2, so retpoline covers it completely, and they have optional microcodes for the paranoid.

Charts for Linux patches are further confused because AMD64 is just the 64-bit kernel, not AMD chips... yay.
#10
R-T-B
Patriot said:
isn't proven to be vulnerable to type 2,
Yes, it has been. Even the article you link admits that.

They also have yet to produce the optional microcode they promised. I've been looking hard for a very long time.
#11
Patriot
R-T-B said:
Yes, it has been. Even the article you link admits that.

They also have yet to produce the optional microcode they promised. I've been looking hard for a very long time.
They changed the statement from "near zero" to "I guess it could be, but... it'd be hard."
The problem with a branch injection is the prediction engine is an NN... it's learning and not exactly repeatable... which is needed for making exploits.

I have yet to see them specifically say that they found it vulnerable, just that they see it's theoretically possible, but super hard.
I also have not seen anyone posting demonstration of it being vulnerable like I saw for type 1.

Optional microcode would be delivered to vendors, not individuals, also for type 2, type 1 microcode was delivered Jan 4th.
Why would vendors push microcode for type 2 if retpoline completely covers it... and it hasn't been demonstrated to be vulnerable.

But please... if you have a source showing that is truly vulnerable to type 2 please post it.
I am trying to keep updated on this cluster F, but there are tons of misinformation and contradictory information floating around.

https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html Heck even the research team only got type 1 working on amd hardware... but feel free to contradict them without proof.
#12
CrAsHnBuRnXp
R-T-B said:
It's an industry issue. Don't like? Don't click.
It doesn't have to be rammed down our throats.

MS will release software patches that everyone will get. Yay, I guess.

Intel will release patches to motherboard vendors to provide a BIOS update that anyone with extensive knowledge will already know to do. Regular Joe Schmoe won't care, let alone really even know, and therefore won't update the BIOS.
#13
ensabrenoir
...sad day when you gotta decide which does you the most harm... the ailment or the cure...
#14
Prima.Vera
I care only for 1 thing. WHAT IS THE PERFORMANCE IMPACT???
#15
TheGuruStud
Prima.Vera said:
I care only for 1 thing. WHAT IS THE PERFORMANCE IMPACT???
It makes their CPUs completely worthless in server if buying, but they're busy throwing shade and trying to convince everyone of the opposite.

Almost nothing for general consumers. Some prosumers may be hit.
#16
evernessince
R-T-B said:
Yes, it has been. Even the article you link admits that.

They also have yet to produce the optional microcode they promised. I've been looking hard for a very long time.
I have not seen anyone able to exploit variant 2 on AMD hardware. You should provide links if you are going to contradict AMD engineers who weren't even able to exploit it.
#17
cdawall
where the hell are my stars
CrAsHnBuRnXp said:
It doesn't have to be rammed down our throats.

MS will release software patches that everyone will get. Yay, I guess.

Intel will release patches to motherboard vendors to provide a BIOS update that anyone with extensive knowledge will already know to do. Regular Joe Schmoe won't care, let alone really even know, and therefore won't update the BIOS.
Those BIOS patches are already being pushed by vendors through Windows Update.
#18
CrAsHnBuRnXp
cdawall said:
Those BIOS patches are already being pushed by vendors through Windows Update.
I can see that going horribly wrong.
#19
R-T-B
evernessince said:
I have not seen anyone able to exploit variant 2 on AMD hardware. You should provide links if you are going to contradict AMD engineers who weren't even able to exploit it.
I'm not contradicting them. They admit it is vulnerable; difficulty is irrelevant to my point. This isn't a fanboy discussion, so don't make it one.

Patriot said:
Optional microcode would be delivered to vendors, not individuals, also for type 2, type 1 microcode was delivered Jan 4th.
Why would vendors push microcode for type 2 if retpoline completely covers it... and it hasn't been demonstrated to be vulnerable.
Link or it didn't happen. I'm a BIOS modder and have been unable to trace any BIOS updates containing modified microcode fixes of any type. Yes, AMD said they were going to push some. I have yet to see that in any form.

CrAsHnBuRnXp said:
I can see that going horribly wrong.
No, not really. Microcode patches via Windows Update are simple and have been done in the past.
#20
fullinfusion
Vanguard Beta Tester
And another reason I can't wait for Ryzen 2 to come out.
#21
Patriot
R-T-B said:
I'm not contradicting them. They admit it is vulnerable; difficulty is irrelevant to my point. This isn't a fanboy discussion, so don't make it one.

Link or it didn't happen. I'm a BIOS modder and have been unable to trace any BIOS updates containing modified microcode fixes of any type. Yes, AMD said they were going to push some. I have yet to see that in any form.

No, not really. Microcode patches via Windows Update are simple and have been done in the past.
https://support.hpe.com/hpsc/swd/public/detail?sp4ts.oid=1010268410&swItemId=MTX_c43761fa7c9f4ba1ac7a262002&swEnvOid=4184#tab4
Where I got the date from... I work on servers, so I am a tad server-centric in my knowledge.

Epyc patches are at least out... but yeah, not seeing consumer board updates.
I will ping Patrick @ STH and see if he can ask AMD directly.
#22
cdawall
where the hell are my stars
CrAsHnBuRnXp said:
I can see that going horribly wrong.
Windows 10 has been pushing firmware updates since it came out. Rarely have I ever seen an issue from it.