Microsoft Gives Some Intel 'Spectre' Security Updates the Go-Ahead
Microsoft has greenlit some Intel Skylake microcode updates for the Windows 10 Fall Creators Update (version 1709) that address Spectre variant 2 types of attacks.
Disclosed in January, the Meltdown and Spectre attack methods affect most CPU chips in computers. There are three variants of these attack methods that the industry is collectively trying to address by issuing operating system updates and firmware (or "microcode") processor updates. In this case, Microsoft is approving Intel's microcode for one variant and for specific machines.
The microcode updates, described in Knowledge Base article KB4090007, are just for x86 Windows 10 editions for two sixth-generation Intel Skylake chips and were made available on Wednesday through the Microsoft Update Catalog. At press time, KB4090007 offered this link to the Microsoft Update Catalog, but it lands users at a default support page. Instead, persons wanting to download the microcode updates can use this link, which takes them to the Microsoft Update Catalog. From there, users can search for "KB4090007" to see the two optional downloads.
These microcode updates provide a workaround for Spectre variant 2 attack scenarios on those two Intel Skylake chips, and specifically for Windows 10 version 1709. IT pros may recall that in late January Microsoft issued an out-of-band update, KB4078130, available for download from the Microsoft Update Catalog, to block Intel's Spectre variant 2 fix because Intel's original fix had caused reboot problems for some users. KB4078130 delivered a change to the Windows registry to block Intel's fix. Alternatively, Microsoft offered manual ways to make registry changes to block that mitigation.
Back in late January, Microsoft had suggested that IT pros would have to remove its registry block, whether applied manually or via KB4078130, when the approved Intel microcode was made available. However, that's apparently not the case if Microsoft's February updates get applied for those affected Windows 10 version 1709 systems. That point is buried in a FAQ in this "Protect Your Windows Devices Against Spectre and Meltdown" Microsoft document. Here's the explanation:
If I apply any of the applicable February security updates, will they disable the protections for CVE-2017-5715 like security update 4078130 did?
No. Security update 4078130 was a specific fix to prevent unpredictable system behaviors, performance issues, and/or unexpected reboots after installation of microcode. Applying the February security updates on Windows client operating systems enables all three mitigations. On Windows server operating systems, you still need to enable the mitigations after proper testing is performed. See Microsoft Knowledge Base Article 4072698 for more information.
The three mitigations refer to Variant 1 (Spectre), a bounds check bypass (CVE-2017-5753) problem; Variant 2 (Spectre), a branch target injection (CVE-2017-5715) problem; and Variant 3 (Meltdown), a rogue data cache load (CVE-2017-5754) problem.
Other Microcode Fixes To Come?
Will Microsoft offer future microcode updates for other Windows 10 versions, and even for older releases like Windows 7? Microsoft's announcement last week suggested that maybe it would.
"We will offer additional microcode updates from Intel as they become available to Microsoft," stated John Cable, director of program management for Windows Servicing and Delivery, in the announcement.
Microsoft wouldn't answer press questions about whether that statement meant approved microcode updates are coming for all supported Windows versions, even though Intel early on had promised to release Meltdown and Spectre microcode updates for all of its chips shipped in the last five years.
There's an additional question about Microsoft's ongoing commitment to support Windows 7 and Windows 8.1 on older Intel processors, which possibly could affect the microcode updates that Microsoft approves. Initially, Microsoft had said it would truncate Windows lifecycle product support for Intel Core Skylake processors. However, later in August 2016, Microsoft rescinded that plan. It also declared back then that future Windows 10 support would be provided only for Intel's seventh-generation processors (Kaby Lake) and AMD's seventh-generation processors (Bristol Ridge).
Microsoft wouldn't answer a question last week about whether it would provide microcode approval support for all of Intel's microcode releases on Windows 10, even if the chip isn't supported on Windows 10, so it's an open question. However, its Windows 10 support for Skylake chips this month is for Intel Core sixth-generation products. Intel lists its chips by code names and generations in this document.
Typically, original equipment manufacturers (OEMs) are supposed to test the microcode (or "firmware") updates from chipmakers (AMD, ARM and Intel) before releasing them publicly. The "OEM" definition can be slippery. Microsoft is an OEM to Intel, and so are CPU hardware makers, and even some PC makers, such as Dell, HP and Toshiba, are considered to be OEMs. Some PC makers, though, are just parts assemblers, rather than OEMs, and in those cases the approved microcode updates are supposed to be available from the CPU hardware makers.
In addition to microcode updates to CPU chips, protections against Meltdown and Spectre attack methods require that operating system updates be applied to both Linux and Windows systems. Microsoft released OS updates in that regard for 64-bit (x64) Windows 10, Windows 8.1 and Windows 7 systems in January and for 32-bit (x86) Windows 10 systems in February.
Microsoft's announcement last week noted some progress on a prerequisite it set for anti-malware software makers before permitting Windows updates for the Meltdown and Spectre attack methods to be delivered. Microsoft's collaborations with anti-virus software partners have resulted in "the vast majority of Windows devices now having compatible AV software installed," according to Cable.
Microsoft blocked Windows updates carrying Meltdown and Spectre mitigations if a system's antivirus software was making "inappropriate calls" to the Windows kernel. Anti-virus products that don't make such calls may or may not install a registry setting. The registry setting is an indicator that permits the OS updates for Meltdown and Spectre to arrive. If the antivirus product didn't set the registry key, then IT pros might have to set it manually.
Security researcher Kevin Beaumont compiled a list of anti-virus products that shows whether each one is Windows-compliant, so that the Meltdown and Spectre OS updates are permitted, and whether it sets the registry key; see this list. The list was last updated in January.
Organizations and individuals must follow a specific patch order to get the updates that add Meltdown and Spectre mitigations. It's summed up in a "Note" in Microsoft's "Protect Your Windows Devices Against Spectre and Meltdown" document as follows:
Antivirus software updates should be installed first. Operating system and firmware updates should follow. We encourage you to keep your devices up-to-date by installing the monthly security updates.
Ultimately, it's thought that the software updates are just temporary mitigations at this point and that true protections against Meltdown and Spectre will involve chip replacements, typically with chips that aren't on the market yet. AMD has insisted that operating system updates are sufficient for its chips to be protected, although researchers have indicated that Intel, AMD and ARM chips are all vulnerable to Spectre attack methods.
IT Pro Frustration?
IT pros have seen microcode releases before for Meltdown and Spectre. In some cases, they got reboot problems with Intel machines after applying the updates, and AMD machines initially got "bricked" by Windows OS updates (although Microsoft later fixed the problem). Patching Meltdown and Spectre has become a new tracking task for organizations. It's sufficiently burdensome that Microsoft recently enhanced its Windows Analytics tool to provide some help.
With all of the back and forth, IT pros may be a bit frustrated. For instance, a recent survey of system administrators conducted by Barkly, a maker of an endpoint protection platform, found that "80% have found the Meltdown and Spectre patching process to be unclear," with 88 percent expressing frustration. Moreover, 56 percent are holding off applying updates, and 23 percent indicated they may not apply the patches if they have a "significant hit to performance."
Microsoft has previously confirmed that its OS updates for Meltdown and Spectre will slow some workloads, particularly for Windows Server running any "IO-intensive application."
As for what IT pros are doing about the Meltdown and Spectre situation, they're mostly keeping Windows patched and waiting for the Spectre microcode patches from equipment makers, according to an informal HP report, "Coping with Spectre and Meltdown: What Sysadmins Are Doing."
A good overview of the various Meltdown and Spectre developments and misfires can be found in Barkly's "A Clear Guide to Meltdown and Spectre Patches" document. It provides a running history for people trying to recall all of the shifting nuances.