• On Security: Patch Lady Susan Bradley explains why you might — or might not — want to protect your machine from Spectre and Meltdown


    #330900

    Microsoft keeps releasing patches for Spectre, Meltdown, and similar vulnerabilities — tons of them. Do you really need them? Even if you have the pa
    [See the full post at: On Security: Patch Lady Susan Bradley explains why you might — or might not — want to protect your machine from Spectre and Meltdown]

    6 users thanked author for this post.
    • #331244

      In my opinion, I have a better chance of winning the lottery than being a victim of something that is not even widespread. I don’t buy into the M$ “the sky is falling” propaganda. Keep your security up to date and an image handy at all times. These fixes that they put out are doing more damage than good. After updating my Win. 7 and watching the performance go straight south, I downloaded Steve Gibson’s tool and disabled the fixes. So far the only thing I can see that is different is my performance is back up.

      1 user thanked author for this post.
    • #331348

      FINALLY, an article on whether the Meltdown and/or Spectre patches are necessary!  But a word of caution regarding the InSpectre utility from Gibson Research...

      My system is long in the tooth as it’s an Intel Core i7-920 (Bloomfield) processor.  When I ran the InSpectre utility it indicated that a microcode patch was available for this processor and identified the CPUID as being 106A5.  I thought this was a bit strange because of the processor’s age, so I did some additional investigation and found the following Intel document:

      https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf

      In this document Intel specifically states that development of a patch for the Bloomfield processors with that CPUID was stopped.  However, farther down in that same document it states that certain Intel Xeon processors share that same CPUID and that there is a microcode update for them.  So, bottom line is that the InSpectre utility can only identify the CPUID and can’t correctly distinguish whether a patch is available or not, as the CPUID is shared.

      Despite the warning regarding the InSpectre CPUID issue, I’ve always wondered whether it was really worth having all of the patches for Meltdown and Spectre on my old home PC and sacrificing performance.  This PC is only used for routine word processing, email and web surfing by myself and my wife, and apparently there is little risk in removing the patches.  Based on the article that Susan wrote and the other results from the InSpectre utility, I’m going to take what appears to be a very minor risk and disable the protection on my machine.  Thanks Susan for the valuable article.

      2 users thanked author for this post.
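The post above hinges on a CPUID signature (106A5) being shared by two product lines. This PowerShell snippet is an added example, not code from the thread or from InSpectre: it decodes such a signature into the family/model/stepping fields Intel's microcode guidance is keyed on, and reads the same value from WMI. It assumes Win32_Processor.ProcessorId carries CPUID leaf 1 as 16 hex digits (EDX feature bits, then EAX signature).

```powershell
# Added example: decode a CPUID leaf-1 signature into display family/model/stepping.
function ConvertFrom-CpuidSignature {
    param([Parameter(Mandatory)][uint32]$Signature)
    $stepping  = $Signature -band 0xF
    $model     = ($Signature -shr 4)  -band 0xF
    $family    = ($Signature -shr 8)  -band 0xF
    $extModel  = ($Signature -shr 16) -band 0xF
    $extFamily = ($Signature -shr 20) -band 0xFF
    # Intel's rule: extended family applies only to family 0xF; extended model
    # applies to families 6 and 0xF.
    $dispFamily = if ($family -eq 0xF) { $family + $extFamily } else { $family }
    $dispModel  = if ($family -eq 6 -or $family -eq 0xF) { ($extModel -shl 4) + $model } else { $model }
    [pscustomobject]@{
        Signature = ('{0:X}' -f $Signature)
        Family    = $dispFamily
        Model     = $dispModel
        Stepping  = $stepping
    }
}

# Assumption: ProcessorId is 16 hex digits, EDX then EAX of CPUID leaf 1,
# so the signature is the last 8 digits.
function Get-LocalCpuidSignature {
    $id = (Get-CimInstance Win32_Processor | Select-Object -First 1).ProcessorId
    if (-not $id -or $id.Length -ne 16) { throw "Unexpected ProcessorId format: '$id'" }
    [Convert]::ToUInt32($id.Substring(8), 16)
}

# The poster's value: family 6, model 26 (0x1A), stepping 5. Any other part
# reporting the same signature decodes identically, which is why a CPUID alone
# cannot tell whether a microcode update exists for a given SKU.
ConvertFrom-CpuidSignature -Signature 0x106A5
ConvertFrom-CpuidSignature -Signature (Get-LocalCpuidSignature)
```

Compare the decoded fields against the CPUID column of Intel's microcode guidance PDF linked above rather than trusting a tool's one-line verdict.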
    • #331412

      Reading Susan’s article and seeing InSpectre again, I thought “Why not check if a patch is causing my recent slow connection start up?” (topic here). So I did: there’s no time difference in getting a connection whether the patches are enabled or disabled.

      But what’s odd is that I checked about half a year ago (?) and then my system only had a Meltdown patch, but now it has both Meltdown and Spectre patched. (And I supposedly don’t need a Spectre patch for my Intel i5 CPU.)
      So how did that come about? I don’t remember getting a patch for Spectre (or one for both).

      LMDE is my daily driver now. Old friend Win10 keeps spinning in the background
    • #331671

      Adding the FeatureSettings value solely with 3 as data also disables the unnecessary mitigation,
      as long as other values are not present:

      reg add "HKLM\SYSTEM\ControlSet001\Control\Session Manager\Memory Management" /f /v FeatureSettings /t REG_DWORD /d 3

      1 user thanked author for this post.
      • #331963

        There is also the undocumented value FeatureSettings which apparently defaults to 0.
        This is supposedly a “master key” for FeatureSettingsOverride and FeatureSettingsOverrideMask.
        Do you have any authoritative reference about the FeatureSettings value? Your own research is good enough for me too. 🙂
        I am asking because while I found it on servers as 0 and on most Windows 10 1809 as 0, on one upgraded system I found it as 2048 (decimal). After deleting it and rebooting, it went back to 0. How did it get to 2048 in the first place?!

        • #332352

          I don’t 🙂
          As far as I know, it’s set to 3 on servers by default, and not present on clients of course,
          so I added it on my Windows 8.1 client and it disabled the mitigations (per Get-SpeculationControlSettings output).

          1 user thanked author for this post.
          • #332382

            Thanks, but I think you misunderstood my post.
            I am talking here about FeatureSettings, which is not documented, but exists on some desktops or servers.
            This is a third value, not the same as the other 2 “override” values.
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

            The value is FeatureSettings DWORD.
            I found it as 0 (most common), but also 1 or 2048 (decimal).

            EDIT: I re-read your original post and it refers indeed to FeatureSettings. Sorry! 🙂
            This is not documented anywhere, but I think what you say about making the value 3 makes total sense.

            1 user thanked author for this post.
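A read-only inventory check for the three registry values discussed in this sub-thread (the reg add post and the FeatureSettings exchange), added here and not posted by any participant. It reads the key under CurrentControlSet, flags the documented Override/OverrideMask combination that turns the mitigations off, reports the undocumented FeatureSettings without interpreting it, and, if Microsoft's SpeculationControl module is installed (an assumption), shows what the OS itself reports so the two views can be compared.

```powershell
# Added example: inventory speculative-execution mitigation registry values.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$names = 'FeatureSettings', 'FeatureSettingsOverride', 'FeatureSettingsOverrideMask'

function Get-MitigationRegistryState {
    $item = Get-ItemProperty -Path $key -ErrorAction Stop
    foreach ($n in $names) {
        $prop = $item.PSObject.Properties[$n]   # $null when the value is absent
        [pscustomobject]@{
            Name    = $n
            Present = [bool]$prop
            Value   = if ($prop) { [int]$prop.Value } else { $null }
            Hex     = if ($prop) { '0x{0:X}' -f [int]$prop.Value } else { $null }
        }
    }
}

function Test-OverrideDisablesMitigations {
    # Microsoft documents Override=3 with OverrideMask=3 as "disable both mitigations";
    # absent values mean the OS default (enabled on client SKUs, disabled on Server).
    $s    = Get-MitigationRegistryState
    $ovr  = ($s | Where-Object Name -eq 'FeatureSettingsOverride').Value
    $mask = ($s | Where-Object Name -eq 'FeatureSettingsOverrideMask').Value
    return ($ovr -eq 3 -and $mask -eq 3)
}

$state = Get-MitigationRegistryState
$state | Format-Table -AutoSize

if (Test-OverrideDisablesMitigations) {
    Write-Warning 'FeatureSettingsOverride/Mask = 3/3: registry requests the mitigations be disabled.'
}
$fs = $state | Where-Object { $_.Name -eq 'FeatureSettings' -and $_.Present }
if ($fs) {
    # Undocumented per the thread: report it, do not guess at its meaning.
    Write-Warning ("Undocumented FeatureSettings is present with value {0} ({1})." -f $fs.Value, $fs.Hex)
}

# Cross-check against the OS view when the SpeculationControl module is available.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings
} else {
    Write-Host 'SpeculationControl module not installed (Install-Module SpeculationControl).'
}
```

Run it before and after any registry change and keep both outputs; a mismatch between the registry request and what Get-SpeculationControlSettings reports usually means a reboot has not happened yet or firmware support is missing.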
    • #331824

      Good common sense article, Susan! Thanks.

      I haven’t activated the OS protections on my Win 10 Pro 64x machine, but am considering updating the BIOS (from ASUS) which likely has the Intel firmware updates included. I’m wondering if Intel’s firmware hits performance negatively like the OS ones do? The machine is dual boot Linux Mint, btw.

      Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

      • #331938

        Performance impact varies a lot based on the age of the CPU, and the kind of work being demanded.

        Gaming, for instance, isn’t affected to any significant degree.  Benchmarks from gaming websites have shown a low single-digit percentage FPS hit on older CPUs like the i7-4790K.

        Also, sticking with 1709 isn’t going to do you any favours here. 19H1 is shipping with a significantly more efficient implementation of the Spectre v2 fix called “return trampoline”, and Microsoft doesn’t plan to backport that fix to older versions of Windows.


        2 users thanked author for this post.
        • #332156

          Hopefully good news! My processor is an i7-8700K. I’m not doing any intensive database, compiling or video editing – so hopefully it won’t be impacted much by the Intel firmware adds.

          As for 1709, I’m planning to update to 1809 after the BIOS update. Then I’ll see how I feel about 1903 after it settles out for a few months.

          Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

    • #332026

      Thanks Susan, much hype but no blood. I think I will worry about phishing attacks.

    • #334881

      Since most of my PCs are old enough to not be practically patchable to defend against a threat that isn’t happening, I’ve avoided the hassle.

      To avoid the hassle of patching for these issues in the future, I’m waiting until Intel comes out with processors that fix the problem. As far as I can find, recent releases from Intel still rely on software and microcode patches, and I can’t find when a really fixed processor will be available…just vague hints, maybe this year. Intel is understandably reluctant to make much noise about the defects, as it might cause more people to join me in waiting for a fixed processor without the problems. Anybody have insight on when a processor without the Spectre/Meltdown issues may be released?

    • #334917

      After I posted above, I did a bit of digging. Here are some notes:

      2/20/2019  https://www.digitaltrends.com/computing/Intel-Ice-Lake-Cpu-Everything-You-Need-To-Know/
      ICE LAKE will have HARDWARE FIXES FOR THE SPECTRE AND MELTDOWN architectural flaws
      OR NOT  Won’t fix Spectre Variant 1 https://www.digitaltrends.com/computing/intel-ice-lake-wont-rid-spectre/
      Intel has no concrete plan for fixing Spectre variant one; pushes the problem onto software developers; to protect against Spectre in this manner, every piece of software that runs on modern PCs, both Windows and MacOS would have to be rewritten with this fix in mind. It’s completely unrealistic. “From what I know of Intel’s ROADMAP FOR THE NEXT FEW YEARS, THERE’S NOT A CLEAR SOLUTION THAT’S BEEN PUT FORWARD,” Kocher said. “It’s an unmitigated risk that will be lingering for a long time.”

      2 users thanked author for this post.
    • #334918

      I’m not so worried about the risk of Spectre and Meltdown…none of my PCs have any mitigations…No, the worry is that software mitigation attempts will screw things up.

      2 users thanked author for this post.
    • #2290362

      I just ran the InSpectre tool from GRC on my brand new laptop with an Ice Lake processor, and it says that it is Spectre protected but NOT Meltdown protected. Interesting, I thought the 10th gen Ice Lake processors were going to have hardware level protection against Spectre and Meltdown? I have a fully updated system according to Windows Update and have every available new driver update from the computer’s software and drivers page (including the latest BIOS released a few months ago). I’m not sure if the tool just doesn’t work correctly on Ice Lake processors (i.e. it looks for a patch rather than hardware level protection?) or Intel has misled us and it’s actually vulnerable.
