  • “Side channel” vulnerabilities and Windows


    • Author
      Posts
      • #1692690 Reply
        woody
        Da Boss

        I’ve avoided talking much about Spectre, Meltdown and the like because there’s an endless succession of patches to Windows and the hardware – and regi
        [See the full post at: “Side channel” vulnerabilities and Windows]

        5 users thanked author for this post.
      • #1692696 Reply
        woody
        Da Boss

        Here’s the latest from @alqamar:

        My motivation was to give you and myself an overview of a ton of information spread over a forest of sites provided by Microsoft, many of them outdated due to the sheer complexity.

        After all, I hope it is helpful for you.

        Tl;dr: install all patches on all OS as suitable + some extra patches that might not even be in WSUS by default and enable the registry values and in some cases apply BIOS updates. That easy.

        Disclaimer: It took me several hours of constant work and concentration to put this together. If you find an error, let me know. I don’t have GitHub. I thought about posting this on pastebin instead.

        Susan, if there is no feedback about critical errors, you are welcome to include this in a sub category of your patch master list.

        Spectre 1, 2, 3, 3a, 4 (SSBD), L1TF, MDS, Retpoline

        Spectre v1/2

        Server 2008 SP2                              KB4090450[0] > KB4093478[1] + Registry AMD / Intel + BIOS

        Server 2008 R2 SP1                       KB4056897[0] > KB4338821[1] + Registry AMD / Intel + BIOS

        Server 2012                                     KB4088880[0] > KB4338816[1] + Registry AMD / Intel + BIOS

        Server 2012 R2 U1                        KB4056898[0] > KB4338831[1] + Registry AMD / Intel + BIOS

        Server 2016 1607/Core                KB4056890[0] > KB4132216 + KB4338822[1] + Registry AMD / Intel + BIOS or 2018-10 KB4091664-v6

        Server 2016 1709 Core                KB4056892[0] > KB4131372 + KB4338817[1] + Registry AMD / Intel + BIOS or 2018-10 KB4091663-v6

        Server 2016 1803 Core                KB4338853 + KB4340917[1] + Registry AMD / Intel + BIOS or 2018-10 KB4100347-v4

        Server 2019 1809/Core                included in OS + Registry AMD / Intel

        Server 2019 1903 Core                included in OS + Registry AMD / Intel

        Windows Vista SP2                       KB4090450[0] > KB4093478[1] + Registry AMD / Intel + BIOS (out of support)

        Windows 7 SP1                               KB4056897[0] > KB4338821[1] + Registry AMD / Intel + BIOS

        Windows 8.0                                   KB4088880[0] > KB4338816[1] + Registry AMD / Intel + BIOS (out of support)

        Windows 8.1 U1                             KB4056898[0] > KB4338831[1] + Registry AMD / Intel + BIOS

        Windows 10 1507 LTSC               KB4345455[1] + Registry AMD / Intel + BIOS or 2018-05 KB4091666-v5 (Home / Pro / Ent / Edu out of support)

        Windows 10 1511                         KB4035632 + KB4093109[1] + Registry AMD / Intel + BIOS (Home / Pro / Ent / Edu out of support)

        Windows 10 1607 LTSC               KB4056890[0] > KB4132216 + KB4338822[1] + Registry AMD / Intel + BIOS or 2018-10 KB4091664-v6 (Home / Pro / Ent / Edu out of support)

        Windows 10 1703                         KB4132649 + KB4338827[1] + Registry AMD / Intel + BIOS or 2018-10 KB4091663-v6 (Home / Pro / Ent / Edu out of support)

        Windows 10 1709                         KB4056892[0] > KB4131372 + KB4338817[1] + Registry AMD / Intel + BIOS or 2018-10 KB4090007_v6 (Home / Pro out of support)

        Windows 10 1803                         KB4338853 + KB4340917[1] + Registry AMD / Intel + BIOS or 2018-10 KB4100347-v4

        Windows 10 1809                         included in OS

        Windows 10 1903                         included in OS

        Windows 10 20H1                         included in OS

        Spectre NG v3, 3a, 4 (SSBD) [3], L1TF

        Server 2008 SP2                             KB4480968[0] > KB4499180[1] + Registry AMD / Intel + BIOS

        Server 2008 R2 SP1                       KB4480970[0] > KB4093478[1] + Registry AMD / Intel + BIOS

        Server 2012                                     KB4480975[0] > KB4499158[1] + Registry AMD / Intel + BIOS

        Server 2012 R2 U1                        KB4480963[0] > KB4499165[1] + Registry AMD / Intel + BIOS

        Server 2016 1607/Core                KB4467691[0] > KB4494440[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346087-v3

        Server 2016 1709 Core                KB4467686[0] > KB4499179[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346085-v3

        Server 2016 1803 Core                KB4467702[0] > KB4499167[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346084-v3

        Server 2019 1809/Core                BIOS or 2019-02 KB4465065-v3 + Registry AMD / Intel

        Server 2019 1903 Core                included in OS + Registry AMD / Intel

        Windows Vista SP2                       KB4480968[0] > KB4499180[1] + Registry AMD / Intel + BIOS (out of support)

        Windows 7 SP1                              KB4480970[0] > KB4093478[1] + Registry AMD / Intel + BIOS

        Windows 8.0                                   KB4480975[0] > KB4499158[1] + Registry AMD / Intel + BIOS (out of support)

        Windows 8.1 U1                            KB4480963[0] > KB4499165[1] + Registry AMD / Intel + BIOS

        Windows 10 1507 LTSC               KB4467680[0] > KB4471323[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346088-v2 (Home / Pro / Ent / Edu out of support)

        Windows 10 1511                         KB4035632 + KB4093109[1] + Registry AMD / Intel + BIOS (Home / Pro / Ent / Edu out of support)

        Windows 10 1607 LTSC               KB4467691[0] > KB4494440[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346087-v3 (Home / Pro / Ent / Edu out of support)

        Windows 10 1703                         KB4467696[0] > KB4499181[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346086-v3 (Home / Pro / Ent / Edu out of support)

        Windows 10 1709                         KB4467686[0] > KB4499179[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346085-v3 (Home / Pro out of support)

        Windows 10 1803                         KB4467702[0] > KB4499167[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346084-v3

        Windows 10 1809                         KB4467708[0] > KB4471332[1] + Registry AMD / Intel + BIOS or 2019-02 KB4465065-v3

        Windows 10 1903                         included in OS

        Windows 10 20H1                         included in OS

        MDS

        Server 2008 SP2                             Registry AMD / Intel + BIOS

        Server 2008 R2 SP1                       Registry AMD / Intel + BIOS

        Server 2012                                     Registry AMD / Intel + BIOS

        Server 2012 R2 U1                        Registry AMD / Intel + BIOS

        Server 2016 1607/Core                Registry AMD / Intel + BIOS or 2019-05 KB4494175

        Server 2016 1709 Core                Registry AMD / Intel + BIOS or 2019-05 KB4494452

        Server 2016 1803 Core                Registry AMD / Intel + BIOS (KB Microcode not yet available)

        Server 2019 1809/Core                Registry AMD / Intel + BIOS (KB Microcode not yet available)

        Server 2019 1903 Core                included in OS

        Windows Vista SP2                       Registry AMD / Intel + BIOS

        Windows 7 SP1                              Registry AMD / Intel + BIOS

        Windows 8.0                                   Registry AMD / Intel + BIOS

        Windows 8.1 U1                            Registry AMD / Intel + BIOS

        Windows 10 1507 LTSC               Registry AMD / Intel + BIOS or 2019-05 KB4494454 (Home / Pro / Ent / Edu out of support)

        Windows 10 1511                         (out of support)

        Windows 10 1607 LTSC               Registry AMD / Intel + BIOS or 2019-05 KB4494175 (Home / Pro / Ent / Edu out of support)

        Windows 10 1703                         Registry AMD / Intel + BIOS or 2019-02 KB4494453 (Home / Pro / Ent / Edu out of support)

        Windows 10 1709                         Registry AMD / Intel + BIOS or 2019-05 KB4494452 (Home / Pro out of support)

        Windows 10 1803                         Registry AMD / Intel + BIOS (KB Microcode not yet available)

        Windows 10 1809                         Registry AMD / Intel + BIOS (KB Microcode not yet available)

        Windows 10 1903                          included in OS

        Windows 10 20H1                          included in OS

        Retpoline (<=Skylake)/ ImportOptimization (>Skylake)

        Server 2019 1809/Core  2019-05 KB4494441 + Registry AMD / Intel

        Server 2019 1903 Core  included in OS + Registry AMD / Intel

        Windows 10 1809                         2019-05 KB4494441

        Windows 10 1903                          included in OS

        [0] superseded, bugged; should be declined

        [1] or later cumulative security quality update. READ THE RESPECTIVE UPDATE HISTORY KNOWN ISSUES BEFORE APPLYING

        [2] Exceptions apply to clients with AMD CPUs that need Registry AMD; refer to MS advisories

        [3] SSBD is never enabled by default without Registry Intel; refer to MS advisories

        Registry values:

        Server:  https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

        Clients: https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

        9 users thanked author for this post.
      • #1696556 Reply
        abbodi86
        AskWoody_MVP

        I’m glad that FeatureSettings 3 is still valid to disable all of this mitigations mess

        1 user thanked author for this post.
      • #1710366 Reply
        Susan Bradley
        AskWoody MVP

        I’m getting a headache reading this.  Thank you so much for this.

        Susan Bradley Patch Lady

      • #1714368 Reply
        Pim
        AskWoody Plus

        Thanks for this list. Like Susan I get a headache reading it 🙂

        But I did see two small errors: Retpoline is mitigated on systems older than Skylake. Systems with Skylake or newer do not get this patch, because it is technically impossible. Also, Import optimization is not restricted to systems higher than Skylake, but, from what I have read, is available on all systems. What may have caused the confusion is that on Skylake and newer only Import optimization is available, but nowhere was mentioned that it was only available on those systems and not on older systems (link).

        ASRock Beebox J3160 - Win7 Ultimate x64
        Asus VivoPC VC62B - Win7 Ultimate x64
        Dell Latitude E6430 - Win7 Ultimate x64
        Dell Latitude XT3 - Vista Ultimate x86 (still...)
        Gigabyte GA-H110M-HD3 DDR3 - Win10 Pro 1809 x64

        • #1715882 Reply
          mn–
          AskWoody Lounger

          Ahem. This is not actually what happens.

          Retpoline is an alternate mitigation method for some of these vulnerabilities. It needs to be turned on at compile time, which means you need compiler support for it. Now, since we aren’t getting application packages both with and without it, it cannot as such be fundamentally incompatible with any hardware version that those run on…

          What it is, is that it’s only useful on certain kinds of hardware. Base-type retpoline is not very useful on Skylake. However, with additional underflow protection, it can be at least useful (as in good enough to be used), if not quite the very best possible, strategy on at least some variants of Skylake too. Hence, on Linux, some of Andi Kleen’s patches did indeed enable retpoline on some Skylake variants.

          Where this all becomes relevant is virtualization, particularly high availability or load-balanced setups with VM migration between physical nodes – meaning, at startup time you don’t actually know what kind of a processor your process, or the entire VM guest system install, will be running on an hour from now… much less during weekly/monthly build times at the application vendor. You’ll want to include mitigation strategies that apply to as many processor models as possible.

          So. Which versions of Visual Studio come with a retpoline-enabled compiler again? And how do we determine whether it’s on or not in application binaries?

      • #1719963 Reply
        Tex265
        AskWoody Plus

        Woody, thanks for the work and info.

        I see Susan has added this to the Master Patch List.

        Can you please explain how to understand the information, by interpreting one or two of the lines? What is the (0) etc after the KB number?

        Thanks

        Windows 10 Pro x64 v1909 and Windows 7 Pro SP1 x64 (RIP)
        • #1736486 Reply
          b
          AskWoody Plus

          Footnotes:

          [0] superseded, bugged; should be declined

          • #1849919 Reply
            Tex265
            AskWoody Plus

            Could someone help decipher (item by item) what this listing for ver 1803 from the current Master Patch list is advising me I need to do?
            Thx

            Windows 10 1803 KB4338853 + KB4340917[1] + Registry AMD / Intel + BIOS or 2018-10 KB4100347-v4

            Windows 10 Pro x64 v1909 and Windows 7 Pro SP1 x64 (RIP)
            • #1851173 Reply
              Paul T
              AskWoody MVP

              If you apply cumulative patches you don’t need to do anything.
              Otherwise:
              Install KB4338853
              Check for the latest version of KB4340917. There are known issues with this patch so check before installing.
              Apply the registry patches shown here.
              Patch your BIOS/firmware, if possible / apply KB4100347.

              Or you could choose the “do nothing” option as there seem to be no attacks – probably because it’s much easier to go phishing.

              cheers, Paul

              1 user thanked author for this post.
      • #1736203 Reply
        jjnc
        Guest

        I am confused about the registry key FeatureSettingsOverride to enable all mitigations in KB4072698 for servers. If a processor does not support hyper-threading, should I treat it the same as hyper-threading disabled? I would assume yes, but technically it is not disabled.

        So I have to figure out which servers currently use hyper-threading to assign either 72 or 8264 to that registry key.

        I have been running remotely:

        wmic cpu get numberofcores, numberoflogicalprocessors

        Some of them are obvious: the number of logical processors is greater than the number of cores, with just a one-line response. But what about the ones that come back with the numbers the same twice, a two-line response? I would assume those are also not using hyper-threading. When I look up the processor on Intel’s site, hyper-threading is not listed as a feature.

        I already have the servers set with 8 for that registry key from the last time. I guess we are going to be changing it often and have to separate out the servers in GP that have hyper-threading. Yes, I have some very old servers that need replacing. If MS would give me a break, I could get something done.

        Any insight would be appreciated.
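        A PowerShell check for the question above, added here as an example and not part of jjnc’s post: it reads the same per-socket core and logical-processor counts that wmic shows, treats a CPU with no Hyper-Threading support the same as Hyper-Threading disabled, and reports which of the two "enable all mitigations" FeatureSettingsOverride values from KB4072698 (72 with HT in use, 8264 without) the server should carry, next to what is currently set. The registry path and value names are those documented in KB4072698; the $Apply switch is my own addition.

```powershell
# Added example (not from the thread). Decide the KB4072698 "enable all mitigations"
# FeatureSettingsOverride value from whether Hyper-Threading is actually in use.
#   72   = all mitigations, Hyper-Threading enabled
#   8264 = all mitigations, Hyper-Threading disabled (or not supported by the CPU)
# FeatureSettingsOverrideMask is 3 in both cases. A reboot is needed after a change.
param([switch]$Apply)   # report only by default; -Apply writes the values

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Win32_Processor returns one instance per socket, which is why a two-socket
# server answers "wmic cpu get ..." with two lines. HT/SMT is in use if any
# socket exposes more logical processors than physical cores.
$sockets = Get-CimInstance -ClassName Win32_Processor |
    Select-Object DeviceID, Name, NumberOfCores, NumberOfLogicalProcessors

$htInUse = $false
foreach ($s in $sockets) {
    $socketHt = $s.NumberOfLogicalProcessors -gt $s.NumberOfCores
    $state = if ($socketHt) { 'HT on' } else { 'HT off or unsupported' }
    '{0} ({1}): {2} cores / {3} logical -> {4}' -f $s.DeviceID, $s.Name.Trim(),
        $s.NumberOfCores, $s.NumberOfLogicalProcessors, $state
    if ($socketHt) { $htInUse = $true }
}

# cores == logical means no sibling thread shares the core, whether HT is turned
# off in BIOS or the CPU never had it, so both cases get the "HT disabled" value.
$wanted = if ($htInUse) { 72 } else { 8264 }

# Show what Group Policy (or an earlier manual change, e.g. the old value 8) left behind.
$props   = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
$current = if ($null -eq $props.FeatureSettingsOverride)     { 'not set' } else { $props.FeatureSettingsOverride }
$mask    = if ($null -eq $props.FeatureSettingsOverrideMask) { 'not set' } else { $props.FeatureSettingsOverrideMask }
"Current FeatureSettingsOverride={0} Mask={1}; wanted FeatureSettingsOverride={2} Mask=3" -f $current, $mask, $wanted

if ($Apply) {
    # DWORD values exactly as KB4072698 specifies; change takes effect after reboot.
    Set-ItemProperty -Path $regPath -Name FeatureSettingsOverride     -Value $wanted -Type DWord
    Set-ItemProperty -Path $regPath -Name FeatureSettingsOverrideMask -Value 3       -Type DWord
    'Registry updated; reboot required for the mitigation settings to take effect.'
}
```

        Run it from an elevated PowerShell on each server (or via Invoke-Command) to sort the fleet into the HT and non-HT groups before touching the GPO; without -Apply it changes nothing.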

      • #1765788 Reply
        MyAussie
        AskWoody Plus

        Do I understand that any of those numerous “side panel” patches mentioned above, should they apply, need to be installed or not?

        Thanks
        Win 7 64 Group “B”

      • #1766566 Reply
        Paul T
        AskWoody MVP

        There do not seem to be any exploits for the side channel vulnerabilities, so you can leave the patches out.

        cheers, Paul

        1 user thanked author for this post.