News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • “Side channel” vulnerabilities and Windows

    Home Forums AskWoody blog “Side channel” vulnerabilities and Windows

    This topic contains 12 replies, has 10 voices, and was last updated by  Paul T 2 months ago.

    • Author
      Posts
    • #1692690 Reply

      woody
      Da Boss

      I’ve avoided talking much about Spectre, Meltdown and the like because there’s an endless succession of patches to Windows and the hardware – and regi
      [See the full post at: “Side channel” vulnerabilities and Windows]

      5 users thanked author for this post.
    • #1692696 Reply

      woody
      Da Boss

      Here’s the latest from @alqamar:

      My motivation was to give you and myself an overview a ton of information spread over a forest of sites provided by Microsoft, many of them outdated due to the sheer complexity.

      After all I hope it is helpful for you.

      Tl;dr: install all patches on all OS as suitable + some extra patches that might not even be in WSUS by default and enable the registry values and in some cases apply BIOS updates. That easy.

      Disclaimer: It took me several hours of constant work and concentration to put this together. If you find an error let me know. It don’t have Github. I thought about posting this on pastebin instead.

      Susan, if there is no feedback about critical errors, you are welcomed to include this in a sub category of your patch master list.

      Spectre 1, 2, 3, 3a, 4 (SSBD), L1TF, MDS, Retpoline

      Spectre v1/2

      Server 2008 SP2                              KB4090450[0] > KB4093478[1] + Registry AMD / Intel + BIOS

      Server 2008 R2 SP1                       KB4056897[0] > KB4338821[1] + Registry AMD / Intel + BIOS

      Server 2012                                     KB4088880[0] > KB4338816[1] + Registry AMD / Intel + BIOS

      Server 2012 R2 U1                        KB4056898[0] > KB4338831[1] + Registry AMD / Intel + BIOS

      Server 2016 1607/Core                KB4056890[0] > KB4132216 + KB4338822[1] + Registry AMD / Intel + BIOS or 2018-10 KB4091664-v6

      Server 2016 1709 Core                KB4056892[0] > KB4131372 + KB4338817[1] + Registry AMD / Intel + BIOS or 2018-10 KB4091663-v6

      Server 2016 1803 Core                KB4338853 + KB4340917[1] + Registry AMD / Intel + BIOS or 2018-10 KB4100347-v4

      Server 2019 1809/Core                included in OS + Registry AMD / Intel

      Server 2019 1903 Core                included in OS + Registry AMD / Intel

      Windows Vista SP2                       KB4090450[0] > KB4093478[1] + Registry AMD / Intel + BIOS (out of support)

      Windows 7 SP1                               KB4056897[0] > KB4338821[1] + Registry AMD / Intel + BIOS

      Windows 8.0                                   KB4088880[0] > KB4338816[1] + Registry AMD / Intel + BIOS (out of support)

      Windows 8.1 U1                             KB4056898[0] > KB4338831[1] + Registry AMD / Intel + BIOS

      Windows 10 1507 LTSC               KB4345455[1] + Registry AMD / Intel + BIOS or 2018-05 KB4091666-v5 (Home / Pro / Ent / Edu out of support)

      Windows 10 1511                         KB4035632 + KB4093109[1] + Registry AMD / Intel + BIOS (Home / Pro / Ent / Edu out of support)

      Windows 10 1607 LTSC               KB4056890[0] > KB4132216 + KB4338822[1] + Registry AMD / Intel + BIOS or 2018-10 KB4091664-v6 (Home / Pro / Ent / Edu out of support)

      Windows 10 1703                         KB4132649 + KB4338827[1] + Registry AMD / Intel + BIOS or 2018-10 KB4091663-v6 (Home / Pro / Ent / Edu out of support)

      Windows 10 1709                         KB4056892[0] > KB4131372 + KB4338817[1] + Registry AMD / Intel + BIOS or 2018-10 KB4090007_v6 (Home / Pro out of support)

      Windows 10 1803                         KB4338853 + KB4340917[1] + Registry AMD / Intel + BIOS or 2018-10 KB4100347-v4

      Windows 10 1809                         included in OS

      Windows 10 1903                         included in OS

      Windows 10 20H1                         included in OS

      Spectre NG v3, 3a, 4 (SSBD) [3], L1TF

      Server 2008 SP2                             KB4480968[0] > KB4499180[1] + Registry AMD / Intel + BIOS

      Server 2008 R2 SP1                       KB4480970[0] > KB4093478[1] + Registry AMD / Intel + BIOS

      Server 2012                                     KB4480975[0] > KB4499158[1] + Registry AMD / Intel + BIOS

      Server 2012 R2 U1                        KB4480963[0] > KB4499165[1] + Registry AMD / Intel + BIOS

      Server 2016 1607/Core                KB4467691[0] > KB4494440[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346087-v3

      Server 2016 1709 Core                KB4467686[0] > KB4499179[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346085-v3

      Server 2016 1803 Core                KB4467702[0] > KB4499167[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346084-v3

      Server 2019 1809/Core                BIOS or 2019-02 KB4465065-v3 + Registry AMD / Intel

      Server 2019 1903 Core                included in OS + Registry AMD / Intel

      Windows Vista SP2                       KB4480968[0] > KB4499180[1] + Registry AMD / Intel + BIOS (out of support)

      Windows 7 SP1                              KB4480970[0] > KB4093478[1] + Registry AMD / Intel + BIOS

       Windows 8.0                                   KB4480975[0] > KB4499158[1] + Registry AMD / Intel + BIOS (out of support)

      Windows 8.1 U1                            KB4480963[0] > KB4499165[1] + Registry AMD / Intel + BIOS

      Windows 10 1507 LTSC               KB4467680[0] > KB4471323[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346088-v2 (Home / Pro / Ent / Edu out of support)

      Windows 10 1511                         KB4035632 + KB4093109[1] + Registry AMD / Intel + BIOS (Home / Pro / Ent / Edu out of support)

      Windows 10 1607 LTSC               KB4467691[0] > KB4494440[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346087-v3 (Home / Pro / Ent / Edu out of support)

      Windows 10 1703                         KB4467696[0] > KB4499181[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346086-v3 (Home / Pro / Ent / Edu out of support)

      Windows 10 1709                         KB4467686[0] > KB4499179[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346085-v3 (Home / Pro out of support)

      Windows 10 1803                         KB4467702[0] > KB4499167[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346084-v3

      Windows 10 1809                         KB4467708[0] > KB4471332[1] + Registry AMD / Intel + BIOS or 2019-02 KB4465065-v3

      Windows 10 1903                         included in OS

      Windows 10 20H1                         included in OS

      MDS

      Server 2008 SP2                             Registry AMD / Intel + BIOS

      Server 2008 R2 SP1                       Registry AMD / Intel + BIOS

      Server 2012                                     Registry AMD / Intel + BIOS

      Server 2012 R2 U1                        Registry AMD / Intel + BIOS

      Server 2016 1607/Core                Registry AMD / Intel + BIOS or 2019-05 KB4494175

      Server 2016 1709 Core                Registry AMD / Intel + BIOS or 2019-05 KB4494452

      Server 2016 1803 Core                Registry AMD / Intel + BIOS (KB Microcode not yet available)

      Server 2019 1809/Core                Registry AMD / Intel + BIOS (KB Microcode not yet available)

      Server 2019 1903 Core                included in OS

      Windows Vista SP2                       Registry AMD / Intel + BIOS

      Windows 7 SP1                              Registry AMD / Intel + BIOS

      Windows 8.0                                   Registry AMD / Intel + BIOS

      Windows 8.1 U1                            Registry AMD / Intel + BIOS

      Windows 10 1507 LTSC               Registry AMD / Intel + BIOS or 2019-05 KB4494454 (Home / Pro / Ent / Edu out of support)

      Windows 10 1511                         (out of support)

      Windows 10 1607 LTSC               Registry AMD / Intel + BIOS or 2019-05 KB4494175 (Home / Pro / Ent / Edu out of support)

      Windows 10 1703                         Registry AMD / Intel + BIOS or 2019-02 KB4494453 (Home / Pro / Ent / Edu out of support)

      Windows 10 1709                         Registry AMD / Intel + BIOS or 2019-05 KB4494452 (Home / Pro out of support)

      Windows 10 1803                         Registry AMD / Intel + BIOS (KB Microcode not yet available)

      Windows 10 1809                         Registry AMD / Intel + BIOS (KB Microcode not yet available)

      Windows 10 1903                          included in OS

      Windows 10 20H1                          included in OS

      Retpoline (<=Skylake)/ ImportOptimization (>Skylake)

      Server 2019 1809/Core  2019-05 KB4494441 + Registry AMD / Intel

      Server 2019 1903 Core  included in OS + Registry AMD / Intel

      Windows 10 1809                         2019-05 KB4494441

      Windows 10 1903                          included in OS

      [0] superseded, bugged should be declined

      [1] or later cumulative security quality update. READ RESPECTIVE UPDATE HISTORY KNOWN ISSUES BEFORE APPLYING

      [2] Exceptions apply to clients with AMD CPUs that need Registry AMD, refer MS advisories

      [3] SSBD is never enable by default without Registry Intel, refer MS advisories

      Registry values:

      Server:  https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

      Clients: https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

      9 users thanked author for this post.
    • #1696556 Reply

      abbodi86
      AskWoody_MVP

      I’m glad that FeatureSettings 3 is still valid to disable all these mitigations mess

      1 user thanked author for this post.
    • #1710366 Reply

      Susan Bradley
      AskWoody MVP

      I’m getting a headache reading this.  Thank you so much for this.

      Susan Bradley Patch Lady

    • #1714368 Reply

      Pim
      AskWoody Plus

      Thanks for this list. Like Susan I get a headache reading it 🙂

      But I did see two small errors: Retpoline is mitigated on systems older than Skylake. Systems with Skylake or newer do not get this patch, because it is technically impossible. Also, Import optimization is not restricted to systems higher than Skylake, but, from what I have read, is available on all systems. What may have caused the confusion is that on Skylake and newer only Import optimization is available, but nowhere was mentioned that it was only available on those systems and not on older systems (link).

      • #1715882 Reply

        mn–
        AskWoody Lounger

        Ahem. This is not actually what happens.

        Retpoline is an alternate mitigation method for some of these vulnerabilities. It needs to be turned on at compile time, which means you need compiler support for it. Now, since we aren’t getting application packages both with and without it, it cannot as such be fundamentally incompatible with any hardware version that those run on…

        What it is, is that it’s only useful on certain kinds of hardware. Base-type retpoline is not very useful on Skylake. However, with additional underflow protection, it can be at least useful (as in good enough to be used), if not quite the very best possible, strategy on at least some variants of Skylake too. Hence, on Linux, some of Andi Kleen’s patches did indeed enable retpoline on some Skylake variants.

        Where this all becomes relevant is virtualization, particularly high availability or load-balanced setups with VM migration between physical nodes – meaning, at startup time you don’t actually know what kind of a processor your process, or the entire VM guest system install, will be running on an hour from now… much less during weekly/monthly build times at the application vendor. You’ll want to include mitigation strategies that apply to as many processor models as possible.

        So. Which versions of Visual Studio come with a retpoline-enabled compiler again? And how do we determine whether it’s on or not in application binaries?

    • #1719963 Reply

      Tex265
      AskWoody Plus

      Woody, thanks for the work and info.

      I see Susan has added this to the Master Patch List.

      Can you please explain how to understand the information, by interpreting one or two of the lines? What is the (0) etc after the KB number?

      Thanks

      Windows 10 Pro x64 v1803 and Windows 7 Pro SP1 x64
      • #1736486 Reply

        b
        AskWoody Plus

        Footnotes:

        [0] superseded, bugged should be declined

        Knuckle dragger Cannon fodder Chump Daft glutton Idiot Crazy/Ignorant Toxic drinker Blockhead Unwashed mass Seeker/Sucker "Ancient/Obsolete" (Group ASAP) Win10 v.1903

        • #1849919 Reply

          Tex265
          AskWoody Plus

          Could someone help decipher (item by item) what this listing for ver 1803 from the current Master Patch list is advising me I need to do?
          Thx

          Windows 10 1803 KB4338853 + KB4340917[1] + Registry AMD / Intel + BIOS or 2018-10 KB4100347-v4

          Windows 10 Pro x64 v1803 and Windows 7 Pro SP1 x64
          • #1851173 Reply

            Paul T
            AskWoody MVP

            If you apply cumulative patches you don’t need to do anything.
            Otherwise:
            Install KB4338853
            Check for the latest version of KB4340917. There are known issues with this patch so check before installing.
            Apply the registry patches shown here.
            Patch your BIOS/firmware, if possible / apply KB4100347.

            Or you could choose the “do nothing” option as there seem to be no attacks – probably because it’s much easier to go phishing.

            cheers, Paul

            1 user thanked author for this post.
    • #1736203 Reply

      jjnc

      I am confused about the registry key FeatureSettingsOverride to enable all mitigations in KB4072698 for servers.  If a processor does not support hyper-threading, should I treat it the same as hyper-threading disabled?  I would assume yes, but technically it is not disabled.

      So I have to figure out which servers currently use hyper-threading to assign either 72 or 8264 to that registry key.

      I have been running remotely:

      wmic cpu get numberofcores, numberoflogicalprocessors

      Some of them are obvious, the number of logical processors are greater than the number of cores with just a one line response.  But what about the ones that come back with the numbers the same twice, a 2 line response.  I would assume those are also not using hyper-threading.  When I look up the processor on intel’s site, hyper-threading is not listed as a feature.

      I already have the servers set with 8 for that registry key from the last time.  I guess we are going to be changing it often and have to seperate out the servers in GP that have hyper-threading.  Yes, I have some very old servers that need replaced. If MS would give me a break, I could get something done.

      Any insight would be appreciated.

    • #1765788 Reply

      MyAussie
      AskWoody Plus

      Do I understand that any of those numerous “side panel” patches mentioned above, that should they apply, need be installed or not ??

      Thanks
      Win 7 64 Group “B”

    • #1766566 Reply

      Paul T
      AskWoody MVP

      There do not seem to be any exploits for the side channel vulnerabilities, so you can leave the patches out.

      cheers, Paul

      1 user thanked author for this post.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: “Side channel” vulnerabilities and Windows

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.