2

Linked to my question here, the MS support page states

> In addition to installing the January security update, a processor microcode update is required.

But previous articles I've read said there are no microcode fixes possible, which is exactly why all the OS vendors have had to release patches to enable memory isolation.

Darren
    I would interpret "no microcode fixes possible" as that you cannot fix the issue with microcode only. That's why it says "in addition" - i.e. you will need both microcode and OS patches. And such microcode updates seem to be underway, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886367 – Steffen Ullrich Jan 05 '18 at 12:00

2 Answers

2

The current microcode fixes change the behavior of the branch predictor in two ways: by disabling prediction of indirect branches (referred to as IBRS), and by flushing the contents of the indirect branch predictor when performing a context switch from userspace to kernelspace or vice-versa (referred to as IPBP).

Both of these make the Spectre attack harder (an attacker is now restricted to attacking direct branches, which greatly reduces their choice in which code to have speculatively executed). They have no effect on the Meltdown attack, which is about speculatively bypassing memory-access restrictions.

Mark
  • Would it be difficult to stoke the branch predictor by running `if (array1[x] && array2[*p])` many times when `array1[x]` holds a non-zero value and `*p` is valid, and then running with a different value of x such that `array1[x]` needs to be fetched from main memory and will yield zero, while `*p` is invalid? – supercat Jan 08 '18 at 23:27
1

Only a few things can be done currently, it seems: on AMD, disable the branch prediction, and on Intel, show that branch prediction was used:

https://www.suse.com/de-de/support/update/announcement/2018/suse-su-20180009-1/

On Linux the Intel microcode patch is mostly needed to interact with the new kernel code. Similar things might apply to Microsoft.

Neither one fixes the design flaw, that is none according to Intel ;)

Patches won't be applied if your virus scanner uses unsupported syscalls. The same could potentially be true for some unpatched CPUs.

You can (only) run the PowerShell command provided by Microsoft to check if protection is active (https://www.powershellgallery.com/packages/SpeculationControl/1.0.1). If the output is positive you should be fine. It should tell you if they disable the patches due to missing microcode. Example output:

```
BTIHardwarePresent             : True
BTIWindowsSupportPresent       : True
BTIWindowsSupportEnabled       : True
BTIDisabledBySystemPolicy      : False
BTIDisabledByNoHardwareSupport : False
KVAShadowRequired              : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled           : True
```
till
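One way to turn the output above into a pass/fail check, including the case the answer mentions where the patch is installed but disabled because the microcode is missing. This is an added example, not part of the original answer or of Microsoft's module; `Get-SpeculationVerdict` and the sample object are hypothetical, and the meaning given to each field is inferred from the field names in the sample output.

```powershell
# Added example: classify the fields shown in the sample output above.
function Get-SpeculationVerdict {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Settings
    )
    process {
        $findings = @()

        # Branch target injection (Spectre variant 2): needs OS patch AND microcode.
        if (-not $Settings.BTIWindowsSupportPresent) {
            $findings += 'BTI: OS update not installed'
        }
        elseif ($Settings.BTIDisabledByNoHardwareSupport -or -not $Settings.BTIHardwarePresent) {
            $findings += 'BTI: OS patch present but inactive, microcode update missing'
        }
        elseif ($Settings.BTIDisabledBySystemPolicy) {
            $findings += 'BTI: disabled by system policy'
        }
        elseif (-not $Settings.BTIWindowsSupportEnabled) {
            $findings += 'BTI: support present but not enabled'
        }

        # Kernel VA shadowing (Meltdown): only relevant when the CPU requires it.
        if ($Settings.KVAShadowRequired) {
            if (-not $Settings.KVAShadowWindowsSupportPresent) {
                $findings += 'KVA shadow: OS update not installed'
            }
            elseif (-not $Settings.KVAShadowWindowsSupportEnabled) {
                $findings += 'KVA shadow: support present but not enabled'
            }
        }

        [pscustomobject]@{
            Protected = ($findings.Count -eq 0)
            Findings  = $findings
        }
    }
}

# Constructed sample: January update installed, no microcode update yet.
$noMicrocode = [pscustomobject]@{
    BTIHardwarePresent = $false; BTIWindowsSupportPresent = $true
    BTIWindowsSupportEnabled = $false; BTIDisabledBySystemPolicy = $false
    BTIDisabledByNoHardwareSupport = $true; KVAShadowRequired = $true
    KVAShadowWindowsSupportPresent = $true; KVAShadowWindowsSupportEnabled = $true
}
$noMicrocode | Get-SpeculationVerdict | Format-List
# On a real host: Get-SpeculationControlSettings | Get-SpeculationVerdict
```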