Friday, October 18th 2019

Microsoft Pushes Intel "Haswell" Microcode Update to Harden Against MDS

Microsoft has started deploying microcode updates to some of Intel's older Core, Pentium, and Celeron processor generations through Windows Update. The packages tracked under "KB4497165" apply to machines running Intel's 4th generation Core "Haswell" processors, and to low-power Pentium and Celeron chips based on the "Apollo Lake," "Gemini Lake," "Valley View," and "Cherry View" microarchitectures.

The microcode update provides firmware-level hardening against the four MDS variants: CVE-2019-11091 (Microarchitectural Data Sampling Uncacheable Memory, MDSUM), CVE-2018-12126 (Microarchitectural Store Buffer Data Sampling, MSBDS), CVE-2018-12127 (Microarchitectural Load Port Data Sampling, MLPDS), and CVE-2018-12130 (Microarchitectural Fill Buffer Data Sampling, MFBDS). The microcode on its own is not the mitigation: it adds the MD_CLEAR capability, which makes the VERW instruction overwrite the affected buffers, and the kernel then has to issue VERW on the relevant privilege transitions. A host is only protected once the new microcode is actually loaded (which takes a reboot), the OS-side mitigation is present and enabled, and, for workloads that share a physical core with untrusted code, Hyper-Threading has been dealt with separately, because the microcode does not close the sibling-thread channel.
Source: Microsoft
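To verify on a given Haswell or Apollo/Gemini Lake box that the update did more than just install, the script below checks three things at once: the microcode revision the CPU is actually running versus the one the BIOS shipped, whether the KB is registered, and what the kernel reports for MDS. It is an added example written for this page, not Microsoft's code. It assumes Windows 10 version 1903 (the release KB4497165 targets), the SpeculationControl module from the PowerShell Gallery in a version that exposes the MDS* fields (1.0.14 or later), and that the "Update Revision" and "Previous Update Revision" values under CentralProcessor\0 hold the raw 8-byte IA32_BIOS_SIGN_ID MSR image with the microcode revision in its upper 32 bits. The function names Get-MdsStatus and ConvertTo-MicrocodeRevision are mine.

```powershell
# Added example (not Microsoft's code). Assumptions: Windows 10 1903, SpeculationControl
# module >= 1.0.14 (adds the MDS* properties), and that the CentralProcessor\0
# "Update Revision" / "Previous Update Revision" values are the raw 8-byte
# IA32_BIOS_SIGN_ID image with the microcode revision in the upper dword.

function ConvertTo-MicrocodeRevision([byte[]]$Raw) {
    # Bytes 4..7 (little-endian) of the MSR image carry the microcode revision.
    if (-not $Raw -or $Raw.Length -lt 8) { return $null }
    return [BitConverter]::ToUInt32($Raw, 4)
}

function Get-MdsStatus {
    $cpu0   = Get-ItemProperty 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
    $loaded = ConvertTo-MicrocodeRevision $cpu0.'Update Revision'           # revision running now
    $bios   = ConvertTo-MicrocodeRevision $cpu0.'Previous Update Revision'  # revision the BIOS loaded

    # The package the article is about. Get-HotFix only sees updates registered with CBS.
    $kb = Get-HotFix -Id KB4497165 -ErrorAction SilentlyContinue

    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    $s = Get-SpeculationControlSettings -Quiet   # -Quiet: return the object, skip the printed report

    # Microcode present but the OS side disabled is the usual "patched but not protected" state,
    # so the verdict distinguishes the three failure modes rather than saying yes/no.
    $verdict =
        if (-not $s.MDSHardwareVulnerable)        { 'not affected (hardware)' }
        elseif (-not $s.MDSWindowsSupportPresent) { 'VULNERABLE: MD_CLEAR microcode not loaded (reboot, or check BIOS/Windows microcode delivery)' }
        elseif (-not $s.MDSWindowsSupportEnabled) { 'VULNERABLE: microcode loaded but OS mitigation disabled (check FeatureSettingsOverride under Session Manager\Memory Management)' }
        else                                      { 'mitigated (kernel issues VERW)' }

    $loadedHex = if ($null -ne $loaded) { '0x{0:X}' -f $loaded } else { $null }
    $biosHex   = if ($null -ne $bios)   { '0x{0:X}' -f $bios }   else { $null }
    $kbState   = if ($kb) { "installed $($kb.InstalledOn)" } else { 'not found' }

    [pscustomobject]@{
        ComputerName                 = $env:COMPUTERNAME
        Processor                    = $cpu0.ProcessorNameString
        MicrocodeLoaded              = $loadedHex
        MicrocodeFromBios            = $biosHex
        WindowsAppliedNewerMicrocode = ($null -ne $loaded -and $null -ne $bios -and $loaded -gt $bios)
        KB4497165                    = $kbState
        MDSHardwareVulnerable        = $s.MDSHardwareVulnerable
        MDSMicrocodePresent          = $s.MDSWindowsSupportPresent   # MD_CLEAR advertised via CPUID
        MDSMitigationEnabled         = $s.MDSWindowsSupportEnabled
        Verdict                      = $verdict
    }
}

Get-MdsStatus | Format-List
```

Save it as a file and run it against a fleet with Invoke-Command -ComputerName ... -FilePath .\Get-MdsStatus.ps1 to get one object per host; a host whose MicrocodeLoaded equals MicrocodeFromBios after the KB is installed has most likely not been rebooted yet.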

20 Comments on Microsoft Pushes Intel "Haswell" Microcode Update to Harden Against MDS

#1
Solaris17
Dainty Moderator
Quick and dirty if interested

code:

# Install the Microsoft-published SpeculationControl module from the PowerShell Gallery
Install-Module SpeculationControl
# Report hardware and OS mitigation state for the speculative-execution CVEs, MDS included
Get-SpeculationControlSettings

#2
voltage
well, gotta hand it to them for doing this, those procs are old and surprised they even bothered. Kudos to them for doing.
#3
notb
voltage
well, gotta hand it to them for doing this, those procs are old and surprised they even bothered. Kudos to them for doing.
Haswell Xeons and Gemini/Apollo Lake are still ubiquitous in enterprise devices - with really no reason to replace unless they die.
Intel will keep supporting them for a long time.
#4
voltage
notb
Haswell Xeons and Gemini/Apollo Lake are still ubiquitous in enterprise devices - with really no reason to replace unless they die.
Intel will keep supporting them for a long time.
Then even more reason they should be commended. Kudos to them for doing good work!
#5
stimpy88
So how much performance is this going to cost?
#6
voltage
stimpy88
So how much performance is this going to cost?
If any, so small you'll never notice.
#8
notb
stimpy88
So how much performance is this going to cost?
Very little. It's a simple and quick fix. Nowhere near what the Spectre tragedy did to modern CPUs.

It became a hot topic since Meltdown, so suddenly you care. But dozens of similar fixes came earlier and you'd have to read every update description to even notice.
voltage
Then even more reason they should be commended. Kudos to them for doing good work!
They sell enterprise products, so they have to support them. That's how you get sales in this segment - not with benchmarks, but with cooperation. It's even more important for Intel now that they're slightly under the oomph curve :)
#9
Crowley
I agree that this is a very proactive way to help secure computers. I know that the public sector will jump on this patch, hopefully with a little bit of testing first. Doubt it will cause any issues but you need to always test before pushing to a full set of enterprise machines
#10
john_
voltage
Then even more reason they should be commended. Kudos to them for doing good work!
Wrong.

First we don't know the contracts Intel has for supporting Haswell Xeon. It could have the obligation to support those CPUs for 5-10 years, don't know.

Second. Intel is not doing this because it wants to, but because it needs to. If Intel was offering the best server CPUs in the market TODAY, they could come out and say "Sorry, those Xeons are way old and their warranty expired. Please buy new Xeons". But it doesn't. ALL those customers, if they had to choose TODAY what server CPUs to buy to replace those old Xeons, ALL would have gone for the new EPYC CPUs. Much faster, much cheaper and NO or very few security problems. Intel knows this, so it tries to convince those customers to keep those old Xeons a little longer, as much as needed to keep its market share and also have more time to prepare, if possible, those 10nm Xeons for next year.
#11
notb
john_
Wrong.
The comment was OK here, but it got weird later...
First we don't know the contracts Intel has for supporting Haswell Xeon. It could have the obligation to support those CPUs for 5-10 years, don't know.
Contract with whom?
This kind of long-time support contracts could happen in military or HPC clusters. But it doesn't mean the fix would go public.

Intel supports their CPUs for a long time, because that's how they make their business. It's nothing new. They did the same few years ago when AMD wasn't doing anything worth a forum comment.
Second. Intel is not doing this because it wants to, but because it needs to. If Intel was offering the best server CPUs in the market TODAY, they could come out and say "Sorry, those Xeon are way old and their warranty expired. Please buy new Xeons". But it doesn't. ALL those customers if they had to choose TODAY, what server CPUs to buy to replace those old Xeons, ALL would have gone for the new EPYC CPUS. Much faster, much cheaper and NO or very few security problems.
This fix is for low power SoCs and for old Xeons. Performance? WTF?
Xeons would have to be from 2013-2014, so it's very unlikely they'd still serve in first tier, production systems. More like testing, file servers, fun projects...

Market share of AMD in servers was 4-5% in 2019Q3, so that's how many clients choose EPYC. That's clearly not "ALL".

And saying that AMD has "no or very few security problems" is not even fantasy. It's just obviously wrong.
The only thing one can say is that fewer vulnerabilities are found compared to Intel.
#12
john_
notb
And saying that AMD has "no or very few security problems" is not even fantasy. It's just obviously wrong.
The only thing one can say is that fewer vulnerabilities are found compared to Intel.
About this one. I don't see news about serious AMD vulnerabilities and AMD/Microsoft rushing to publish fixes. Do you?
Now, every processor is vulnerable to attacks where, for example, the attacker works at the company, is in fact the IT manager and has all the keys to the systems. Maybe you mean something like that?
#13
jgraham11
john_
Wrong.

First we don't know the contracts Intel has for supporting Haswell Xeon. It could have the obligation to support those CPUs for 5-10 years, don't know.

Second. Intel is not doing this because it wants to, but because it needs to. If Intel was offering the best server CPUs in the market TODAY, they could come out and say "Sorry, those Xeons are way old and their warranty expired. Please buy new Xeons". But it doesn't. ALL those customers, if they had to choose TODAY what server CPUs to buy to replace those old Xeons, ALL would have gone for the new EPYC CPUs. Much faster, much cheaper and NO or very few security problems. Intel knows this, so it tries to convince those customers to keep those old Xeons a little longer, as much as needed to keep its market share and also have more time to prepare, if possible, those 10nm Xeons for next year.
Not to mention that they released all these products for so many years with so many high security risk bugs... I guess we're supposed to be thankful that Intel is fixing their broken products. It's about time Intel cared about security!
#15
cygnus_1
voltage
well, gotta hand it to them for doing this, those procs are old and surprised they even bothered. Kudos to them for doing.
5.5 years old isn’t *that* old.... sheesh. They were only discontinued 2 years ago.
#16
holyprof
cygnus_1
5.5 years old isn’t *that* old.... sheesh. They were only discontinued 2 years ago.
Yep, I'm 100% with you.
Expected server life is what, 10+ years right? It's not a smartphone that you throw away after 2 years because it's too old / unsupported by vendor / battery died.
#17
Crowley
holyprof
Yep, I'm 100% with you.
Expected server life is what, 10+ years right? It's not a smartphone that you throw away after 2 years because it's too old / unsupported by vendor / battery died.
I fully agree 5 years is not old, but when it comes to 10 years, I would say that most enterprise scenarios typically perform some sort of server refresh around 4-5 years. Could they last 10 years? Probably, but depending on what is running on these 10 year old servers/CPUs, things like virtualization may not work to their full potential. As new technology comes out, the software can be designed to work more efficiently with new CPUs, as the code can be tailored to specific processors.
#18
john_
A simple google search and you read titles, in 2019, that say "43% of businesses are still running Windows 7" and "It's 2019, and one third of businesses still have active Windows XP deployments"
#19
R-T-B
notb
Very little. It's a simple and quick fix. Nowhere near what the Spectre tragedy did to modern CPUs.
Uh... no. IIRC, benchmarks have been pegging it at around 2-10%. It's not "very little" by any stretch. Media access is hit the worst I think.

Don't quote those exact numbers but "very little" is not being completely honest.

Likewise, I'd not advise people to avoid this fix either. Even if it was 15-20% on a complete average I'd advise home users to apply it. Fortunately it's way less. But it's not nothing.

As for enterprise? There is no choice, apply it. Even if it was a 80%+ hit I would say the same there.

jayjr1105
This website keeps track of known security vulnerabilities within any vendor... https://www.cvedetails.com/vendor-search.php

Intel: 247
AMD: 16
Biggest elephant gets poked the most. Even if their chips had less overall vulnerabilities, you would never know it. It's a huge case of sample bias.


holyprof
Yep, I'm 100% with you.
Expected server life is what, 10+ years right? It's not a smartphone that you throw away after 2 years because it's too old / unsupported by vendor / battery died.
Yeah, and honestly the smartphone ideology sucks too

john_
ALL would have gone for the new EPYC CPUS.
All? Jesus man, can I get a "yeah right" here?

Corporations are inherently conservative. HALF is the most I could see migrating, and that's probably giving AMD's market penetration way too much credit. Not saying that wouldn't be smart... but the people who approve these purchases simply don't understand, and don't care or want to learn either.
#20
john_
R-T-B
All? Jesus man, can I get a "yeah right" here?

Corporations are inherently conservative. HALF is the most I could see migrating, and that's probably giving AMD's market penetration way too much credit. Not saying that wouldn't be smart... but the people who approve these purchases simply don't understand, and don't care or want to learn either.
This period of time, security, price and performance are on AMD's side. So with maybe superficial criteria, everyone would have the EPYC as the standard option. But in corporations the parameters are probably too many and unknown to me, so let's change that to "enough to make Intel feel (very) uncomfortable".