New Intel CPU Security Flaw « Giveaway of the Day Forums

Back to Giveaway of the Day

Giveaway of the Day Forums » Technical notes

New Intel CPU Security Flaw

(3 posts) (1 voice)

Started 5 years ago by mikiem2
Latest reply from mikiem2

mikiem2
Moderator

thurrott[.]com/hardware/206651/intel-reveals-a-serious-new-chip-security-flaw#

In a bit of irony, today's cumulative update for Windows 10 1809 turns on Microsoft's Retpoline fix, designed to do the same things as last year's Spectre/Meltdown patches, but without the performance hit. The ironic part is another patch included in the update, this one to fix the newly revealed Intel CPU flaw, can cause up to a 19% slowdown -- and it won't completely fix the problem. This year's CPUs came with the fix already, but Intel CPUs since 2011 have the flaw. The new fix is included in today's updates for all versions of Windows 10, plus Windows 7 & 8.

neowin[.]net/news/microsoft-releases-windows-10-build-17763503-17134765---here039s-what039s-new

neowin[.]net/news/patch-tuesday-heres-whats-new-for-windows-7-and-windows-81-5

Provides protections against a new subclass of speculative execution side-channel vulnerabilities, known as Microarchitectural Data Sampling, for 64-Bit (x64) versions of Windows (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions and Windows Server OS editions).

AMD says that their CPUs/chipsets are unaffected
amd[.]com/en/corporate/product-security.

However, it seems that Microsoft **May** have included AMD CPUs in the patching, but the wording is a bit uncertain, and the page for KB4494441 links to the updated previous Spectre/Meltdown page. At the bottom they list registry entries to disable the new fix, but they also disable the Spectre & Meltdown fixes (?). Neither the entries to enable the fixes or to disable them matches what I see in a patched copy of win10 1809 running an AMD Ryzen 2 (?).

Posted 5 years ago #
mikiem2
Moderator

While it looks like it'll take a while for more details on the effects of patching to be investigated & [hopefully] published, to fully protect against these vulnerabilities being exploited, Hyper-Threading on the Intel CPUs that use it has to be turned off. That would halve the number of available cores, and could lead to quite a performance hit. That *might* be where the 19% performance hit that Thurrott wrote about comes from.

Like last year's Spectre & Meltdown vulnerabilities, security researchers are at the forefront when it comes to warning about how severe this newer flaw is. Intel engineers found it 1st, with Intel then collaborating, & paying various groups at different universities who researched it further. Intel says it's not so bad, with a low to medium severity -- researchers of course disagree -- and like last years Spectre & Meltdown, there are no reports of anyone using any of this stuff to do bad things [and cybercriminals have had over a year to go over the detials of Spectre/Meltdown & come up with something].

Anyway, here are a couple more links:

wired[.]com/story/intel-mds-attack-speculative-execution-buffer/

mdsattacks[.]com/

Posted 5 years ago #
mikiem2
Moderator

I wanted to modify or clarify what I posted earlier, regarding the registry entries after the latest update to win10 1809. 1st, there's a bug in KB4494441 that requires you to install it twice -- Microsoft reports that only some users have this problem, but it's occurred updating 3 copies of win10 1809, so I feel it's something that always occurs, but those people that are unaware of it -- it only shows up if you check updates manually -- obviously aren't reporting it.

The registry entries I talked about, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ FeatureSettingsOverride & FeatureSettingsOverrideMask, stayed the same both before and after actually applying the patch -- the 1st time it doesn't apply, & the win10 version stays the same. And it only occurs in the copy of win10 1809 that I migrated from an Intel i7 to the AMD Ryzen 2. A 2nd copy of win10 1809, that was installed fresh to the Ryzen CPU, Does Not have those entries at all. It's confusing... I don't know why Microsoft would talk about changing registry values that don't normally exist, unless their existence depends on the AMD CPU installed (?). But again, just a clarification or correction -- not a problem solved.

Posted 5 years ago #

RSS feed for this topic

Reply

You must log in to post.