Should we expect new microcode updates once again?
https://www.intel.com/content/www/us/en/…l-sa-00115.html
Not very clear , where to download ??
HOW can we get this new update ??
Can not find this on Intel-sites…!!
Yes, a few of those are already available in the usual places. Both Linux and the latest Windows 10 builds have SSBD support (disabled by default, because it HURTS performance just as much as the Meltdown fixes (separate page tables for kernel/userspace) did).
The fixes for RSRR are transparent and harder to detect (assume anything that claims to support SSBD MSR has RSRR fixed), and RSRR would be used as a tool to bypass ASLR or other such steps in a multi-vulnerability chain to get privilege escalation – it is not going to leak user or kernel data, but rather the contents of MSRs such as page table locations, etc.
Haswell CPU Micro-Code Rev. 25 (cpu306C3_plat32_ver00000025_2018-04-02_PRD_5F430452.bin) brings hardware support for CVE-2018-3639
How to enable mitigation
Manage Speculative Store Bypass and mitigations around Spectre Variant 2 and Meltdown
Speculation control settings for CVE-2017-5715 [branch target injection]
For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629
Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimization is enabled: True [not required for security]
Speculation control settings for CVE-2018-3639 [speculative store bypass]
Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass mitigation is present: True
Windows OS support for speculative store bypass mitigation is present: True
Windows OS support for speculative store bypass mitigation is enabled system-wide: True
BTIHardwarePresent : True
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : True
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : False
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled : True
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDHardwarePresent : True
SSBDWindowsSupportEnabledSystemWide : True
I have the same results with Skylake and microcode C6.
@RvdH and all,
I would not recommend at all to set "enable fix" in the registry settings for "protect against speculative execution side-channel vulnerabilities".
1) Mitigation against Spectre Variant 2
To enable the fix
and
2) Manage Speculative Store Bypass and mitigations around Spectre Variant 2 and Meltdown
To enable the fix
From what I 've tested it will breaks many softwares as for example AI Suite II, Windows Explorer, IE 11, IRST, etc… by a violation access code.
Doing by sfc /scannow will not repair any of them.
I had to do a restore point at boot with original DVD after having disable my raid0 array in order to repair.
Good luck!
@N6O7
I can not say i have experienced any issues with both (CVE-2017-5715/CVE-2017-5754 and CVE-2018-3639) protections enabled (yet)
I’m using windows 7 x64 Pro and as I saw, it’s new to the OS system having enable SSBD.
Since the OS system had been patched and most of the intel microcodes too, you can see/use with such tool as “InSpectre” or “SpectreMeltdownCheck” if the fix is enable or not. Also can be use the PowerShell script provided in the MS article to verify.
But using the registry aswell, will override as it says in the registry dword key “FeatureSettingsOverride”
@N6O7
No idea what your last comment is about???
I have enabled all protections against CVE-2017-5715/CVE-2017-5754 and CVE-2018-3639 as you can see here
I am just saying this has NOT broken anything here!
So you did it by registry settings?. Adding the dword keys?
What I’m telling is that all of this is patched in lastest MS Updates and intel/amd microcodes, thus are not always visible in the registry keys. My OS do not have those keys in registry, but protections are enabled.
Just no need to add them
On Windows 10 you don’t have to set CVE-2017-5715/CVE-2017-5754, as by default, this update is enabled. see https://support.microsoft.com/en-us/help…nerabilities-in
On Windows Server 2016 you have to enable both CVE-2017-5715/CVE-2017-5754 mitigations manually (because they are not enabled by default, like they are on Windows 10). see https://support.microsoft.com/en-us/help…ative-execution
CVE-2018-3639 is disabled by default on both Windows 10/Windows Server 2016 and you need to enable mitigation manually, see https://support.microsoft.com/en-us/help…ative-execution and https://support.microsoft.com/en-us/help…nerabilities-in
Well at least the end users should care of which OS version this should be applied using the registry settings.
The MS article mention:
Mitigation against Spectre Variant 2:
Spectre and Meltdown are patched on my OS but not the SSBD (Speculative Store Bypass Detection)
and this one is not enabled by default
Manage Speculative Store Bypass and mitigations around Spectre Variant 2 and Meltdown:
I found the last combination dangerous for my OS windows 7 SP1 to enable both "mitigations around Speculative Store Bypass" and "Spectre Variant 2/Meltdown". in registry
Whatever… you are the one mentioning all these registry settings and confusing people, not me…I just point people to the proper documents/instructions
I do not blame you, but by posting such article including registry change can lead some users to wrong informations and have to be read carefully
You are ridiculous… you are the one posting registry changes!!!
I just warn some users not using the registry change posted in the article without knowing the risk I experienced too.
BTW, You’re not supposed jumping on your big horses by answering me. Free others to read.
Discussion closed
FYI …
Intel just released an updated “Microcode Revision Guidance” dated June 21 2018 for INTEL-SA-00115
https://www.intel.com/content/dam/www/pu…te-guidance.pdf
It looks as if the "medicin " is worse then the disease…!