So tell me again what’s happening with the two new Spectre v2 patches, KB 4078407 and KB 4091666

Topic

New Reply

Yesterday, Microsoft released two patches that tackle the Spectre v2 vulnerability — the one that’s never been seen in public. The first patch, KB 40
[See the full post at: So tell me again what’s happening with the two new Spectre v2 patches, KB 4078407 and KB 4091666]

1 user thanked author for this post.

Elly

Reply | Quote

Replies

Sure looks like all it does is a registry edit to enable already-installed code:

“Applying this update will enable the Spectre Variant 2 mitigation CVE-2017-5715 – “Branch target injection vulnerability.”

Advanced users can also manually enable mitigation against Spectre, Variant 2 through the registry settings documented in the following articles:”

https://support.microsoft.com/en-us/help/4078407/update-to-enable-mitigation-against-spectre-variant-2

1 user thanked author for this post.

rc primak

Reply | Quote

Sorry – clarification: my comment refers only to KB4078407.

1 user thanked author for this post.

woody

Reply | Quote

Analogous to KB4091666 there are KB4090007 which you already mentioned, but was amended yesterday. This KB is for Win10 v1709. I think more processors have been added. I have never seen Haswell or Broadwell before on that list, for example. It used to be only Skylake, Kaby Lake and Coffee Lake. But you also have KB4091663 which is for Win10 v1703 and KB4091664 which is for Win10 v1607. Together with KB4091666 for Win10 v1507, I think that covers all supported Win10 versions. All these KB’s have been amended (introduced for older Win10 versions?) yesterday, April 24. What the relation is between these KB’s and KB4078407 I do not know. I always assumed that Windows would automatically implement its Spectre v2 patch when the proper microcode is present, which, I assume, is the whole purpose for all these KB’s. Maybe it is for manually forcing Win10 to apply its Spectre patch if Windows does not do that automatically?

Reply | Quote

@Pim:

The KB4090007, KB4091663 & KB4091664 updates have been revised on April 24 (aka. V2) to include Broadwell & Haswell CPUs.

just get the “revised” ones that were released on April 24 and not the ones that were originally released on either March 13 or March 14.

Reply | Quote

All that M$ needs to do it to provide a way to load CPU microcode on early OS boot. That’s exactly what every other OS out there does. And it’s no different from loading a boot critical OS driver. Too bad the Redmond guys are too incompetent to do exactly that.

Reply | Quote

That would actually require running the mitigations before the OS has a chance to get started. So it’s ball in Intel’s court for this. Which they answer by proposing to use the GPU, not the CPU to do some preboot security scanning. Also, TPM mitigations run preboot. Security on this scale has to be baked into the hardware and updated through the firmware of the device. Microsoft can’t patch for security issues this early in the boot sequence, even with UEFI fast-boot.

-- rc primak

1 user thanked author for this post.

Cascadian

Reply | Quote

I know that I still have a Haswell desktop that has yet to get a firmware update. HP now says its pending so maybe were finally seeing Broadwell and Haswell CPU’s fixed?

Reply | Quote

@jescott418: the firmware/bios updates for Intel broadwell & haswell processors might not come until later this year – maybe in May or June as HP is still probably testing them.

Reply | Quote

KB4078407 is not a patch, it’s just an executable that enable the Spectre mitigation protection
percisely:
reg add "HKLM\SYSTEM\ControlSet001\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 2 /f

reg add "HKLM\SYSTEM\ControlSet001\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 2 /f

2 users thanked author for this post.

Mr. Natural, woody

Reply | Quote

Hello!

I read that the update is not needed if the BIOS has been patched with the latest Intel’s microcode updates. Does anyone know if this is true?

The .exe actually can undo some of the Meltdown mitigations on some Skylake systems. I comment further on this below.

Reply | Quote

You can check if an update – either the KB ones listed here or a BIOS update – is effective by running grc’s InSpectre utility (a quick google for “grc inspectre” will find it)

Reply | Quote

I am not able to see KB4078407 in SCCM CB 1702, is this update only available at MS Catalog and we have to download it and install manually?

Reply | Quote

abbodi86 wrote:

KB4078407 is not a patch, it’s just an executable that enable the Spectre mitigation protection precisely:

reg add "HKLM\SYSTEM\ControlSet001\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 2 /f

reg add "HKLM\SYSTEM\ControlSet001\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 2 /f

These entries have an undesirable side-effect on some systems. They actually disable the Meltdown firmware (BIOS) patches on some Skylake systems (including my own Intel NUC mini-PC).

This was discovered using the Gibson Research InSpectre testing tool on Windows 10, version 1709, 64-bits on my Intel NUC.  I used InSpectre as Admin to reverse the undesirable effect.

Once again, Windows 10 is being “sealed for our protection” and simultaneously being opened up to “new and dangerous threat-t-t-t-ts”! Thanks, Microsoft! 🙁

(Contrast this with my Fedora and Ubuntu Linux kernel updates — better protections with each iteration. Thanks, Linus [Torvalds]!) 🙂

-- rc primak

2 users thanked author for this post.

Microfix, columbia2011

Reply | Quote