Windows Spectre and Meltdown updates

This blog post gives a brief insight into the problems releasing fixes for the Spectre and Meltdown vulnerabilities and discusses a new approach which has recently been implemented. If you would prefer to jump straight to that part, click here.

As most people will already be aware, both Intel and AMD have had a rough time recently when some independent researchers discovered the Spectre and Meltdown vulnerabilities.

If you haven’t heard of this, have a look at these great articles:

  1. Meltdown Attack
  2. Microsoft Security Advisory
  3. Google Project Zero

Now, after reading them, you will probably have an idea of the scale of the problems faced by modern processor and operating system vendors.

This particular problem is both a hardware and a software problem and requires fixes from both sides of the fence. In future releases I would expect CPUs to address the problems through hardware changes; however, as the design cycle for a CPU can last several years, I don’t expect this to be fixed in the next hardware releases, which are probably already beyond the point of reworking.

So, really, that leaves software to fix the problem. This is again split into two different arenas, microcode and higher level software. Microcode is akin to processor firmware, so certain changes and updates to the way the processor operates can be modified through updating the microcode.

The software and microcode updates have caused some serious headaches for both vendors and end users alike, with Microsoft releasing patches on 15 different days in January as they attempted to fix their side of the vulnerability, and the problems their fixes introduced. This Computer World article has a great breakdown.

Microsoft finally managed to resolve their part last month, with successful patching (and no roll-backs) that appears to be stable.

That only leaves Intel and AMD. 

If you have an AMD processor, you’re probably not in a bad place right now, as the microcode updates released are deemed optional. The three main variants that have been discovered as ‘exploitable’ were found to be more difficult to manipulate and make use of on AMD processors. More can be read in this AMD security release. This doesn’t mean your machines are completely safe, only that the fixes for this rest more on the software (operating system) manufacturers than on AMD.

So, that leaves Intel. They have been working hard to try and develop microcode fixes for the following affected processors:

  • 2nd to 8th generation Intel®Core™ processors
  • Intel®Atom™ Processor Z Series
  • Intel®Celeron®Processor J Series
  • Intel®Celeron®Processor N Series
  • Intel®Pentium®Processor J Series
  • Intel®Pentium®Processor N Series

Each processor requires different changes and modifications, meaning there is no one fix for them all. This has been part of the problem Intel have had, as some of the released code has worked for one specific set of chips but caused problems on another.

Recently Intel withdrew all of its Spectre microcode fixes, as they caused significant problems when installed on users’ machines. This is quite scary considering each firmware release goes through the following supply chain:


The guts of the post

So, despite the rigorous testing process that the microcode undergoes, end users were still impacted by the release of the ‘fixes’.

Intel have now revised the way they deploy the microcode patches to OEM vendors, preferring to deal with a single processor family at a time. Although this will increase the time to release, it ensures they can concentrate on that family of processor rather than attempting to target them all in one go.

However, as you’ll see from the above process graphic, this still means a considerable amount of time for OEM vendors (be they component manufacturers or machine builders) to test and release the firmware that will actually update the BIOS code.

As an interim solution, last week Microsoft announced it will start to deploy ‘on-the-fly’ microcode changes for the Windows Creators Update (1709) with the following patch installed:

  1. Microsoft KB4090007 article
  2. Update Catalogue link

This update will not be deployed via Windows Update, so organisations and individuals will need to download the update directly from the link provided. It must be noted that this update is not a replacement for the firmware updates, only an interim solution to allow your machine to run in a protected manner until your vendor releases the firmware for your hardware. It does this by:

  • Matching your processor against a released microcode version
  • Applying the microcode to the processor at boot up time
  • The microcode remains persistent while the machine is powered on

As you’ll see, this is basically an on-the-fly rewrite of the running microcode that lasts only until the machine is powered down. That is why, in the future, you will still need to ensure you update the firmware of the machine.
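The following PowerShell is an added example, not code from the original post or from Microsoft: it reports the processor identity Windows matched against, the microcode revision currently loaded on CPU 0, the revision the firmware (BIOS) loaded before any OS-applied update, and whether the KB4090007 package is present. The registry value names under `HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0` are the ones Windows writes for the boot processor; the byte layout used to decode the revision (mirroring the IA32_BIOS_SIGN_ID MSR, with the revision in the upper 32 bits) and the reading of ‘Previous Update Revision’ as the firmware-supplied value are assumptions stated in the comments.

```powershell
# Added example (not from the original post): summarise where this machine sits
# relative to the interim OS-loaded microcode update described above.
function Get-CpuMicrocodeStatus {
    [CmdletBinding()]
    param(
        # KB number of the interim update named in the post
        [string]$KbId = 'KB4090007'
    )

    # CPU identity as reported by WMI/CIM: name plus family/model/stepping string
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # Windows records microcode details for CPU 0 under this key.
    $regPath = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
    $reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue

    # ASSUMPTION: each 'Update Revision' value is an 8-byte REG_BINARY laid out
    # like the IA32_BIOS_SIGN_ID MSR, so the revision is the upper 32 bits
    # (bytes 4..7, little-endian). Decoded here only when the value is present
    # and long enough; otherwise $null is reported rather than a guess.
    function ConvertTo-Revision([byte[]]$bytes) {
        if ($null -ne $bytes -and $bytes.Length -ge 8) {
            return [BitConverter]::ToUInt32($bytes, 4)
        }
        return $null
    }

    $loaded   = $null
    $firmware = $null
    if ($reg) {
        $loaded = ConvertTo-Revision ([byte[]]$reg.'Update Revision')
        # ASSUMPTION: 'Previous Update Revision' holds the revision the BIOS
        # loaded before any OS-supplied microcode was applied at boot.
        $firmware = ConvertTo-Revision ([byte[]]$reg.'Previous Update Revision')
    }

    # Is the interim package installed? Get-HotFix returns nothing if it is not.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    # A loaded revision higher than the firmware one means the OS applied a
    # newer microcode at boot, exactly the interim behaviour the post describes.
    $osApplied = ($null -ne $loaded -and $null -ne $firmware -and $loaded -gt $firmware)

    [pscustomobject]@{
        Processor                = $cpu.Name
        ProcessorId              = $cpu.Description
        LoadedMicrocodeRevision  = if ($null -ne $loaded)   { ('0x{0:X}' -f $loaded) }   else { $null }
        FirmwareMicrocodeRevision= if ($null -ne $firmware) { ('0x{0:X}' -f $firmware) } else { $null }
        OsAppliedNewerMicrocode  = $osApplied
        InterimUpdateInstalled   = [bool]$hotfix
        InterimUpdateId          = $KbId
        # Reminder from the post: OS-applied microcode does not survive a power-off,
        # so a firmware (BIOS) update is still needed.
        FirmwareUpdateStillNeeded = -not $osApplied -or $true
    }
}

# Usage: run in an elevated PowerShell session on the machine being checked.
Get-CpuMicrocodeStatus | Format-List
```

The object is deliberately conservative: a `$null` revision means the registry value was absent or not in the expected shape, and `FirmwareUpdateStillNeeded` is always true because, as the post explains, an OS-applied microcode load is an interim measure rather than a replacement for the vendor’s firmware release.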

This also offers a little bit of hope for older machines whose hardware parts/vendors are no longer maintaining the products, and which will therefore never receive official firmware.

If you’re still confused about whether or not you need to patch, check out the InSpectre application to understand your current patch status and have it explained in general terms.

As always, if there is anything in this post that you want to know more about, don’t hesitate to get in touch. Contact details in the footer or on the front page.
