stilesw -> RE: Intel CPU issues (1/14/2018 4:07:21 PM)
Another info update:
From Windows Secrets - January 11, 2018
Patch Watch: Tracking Issues with the Spectre Patches on AMD Machines
Top Story: Susan Bradley
Beware, AMD chip owners.
For you Windows Secrets readers who have computers with AMD inside, these Spectre/Meltdown patches are causing more issues than they are preventing. So much so that Microsoft has halted release of the updates on machines that have AMD chipsets. Some of the relevant security posts include the following:
Microsoft's KB4073707 on the issues with AMD chip sets and how Microsoft is blocking the patches until the issue is resolved.
Microsoft's KB4073757 recapping the overall guidance
Let's recap the big picture:
Intel CPU chips have a bug in their very architecture.
Researchers found a way for attackers to possibly steal passwords and other confidential information from our machines. As of publication, the attack has not been used in the wild. However, the potential is there and it's really concerning up in cloud servers as it could mean that fellow virtual servers could read information from a tenant next door.
It won't be enough to patch for the Windows operating system, you'll need to patch the firmware on your computer as well.
It's not a Microsoft bug, but because everything uses CPUs, pretty much everything needs to be patched ranging from phones to firewalls. So after you get your patches for Windows, go look for updates for anything else that has a CPU included in it (I'm not kidding or overstating the issue).
A bigger concern to many will be the performance hit this "fix" will make on your system as discussed in a Microsoft blog. The older your computer the more the "hit" will be. If you have a computer that is a 2015-era PC with Haswell or older CPU - you will notice a difference.
CERT goes so far as to recommend replacing the CPU hardware in their blog post. I'm not ready to go that far, but it would be wise to review how old your computer hardware is, evaluate the performance hit and plan accordingly.
Check That Your Antivirus Is Supported
Because this is a kernel update, antivirus vendors who have hooked into the kernel for additional protection could trigger blue screens of death if they are not updated for the change introduced by this patch. Thus Microsoft is requiring that, before the January Windows and .NET updates are installed, a registry entry is made by the vendor - or by you if your vendor doesn't provide the registry key in an update.
Make sure you review the antivirus listing page that is tracking all of the antivirus vendors and when they plan to support these January updates. If your vendor doesn't support these updates, it's time to find a new vendor. If you don't use antivirus (say on a specialized server), you'll need to manually add the following:
In the right-hand side of the registry, look for the value as shown below:
For those who have to patch servers, you need to be aware that you'll need to perform all the steps done as you did on Windows client workstations - checking that antivirus is ready, and installing the updates - but also manually add two or three registry keys on the server. You will need to add two registry keys for a "normal" server, and all three registry keys as noted in KB4072698 if the server is a Hyper-V or virtualization host.
The registry keys that need to be added include:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
And finally remember that just about every device uses CPU chips. Start reviewing your phones, your devices, to see if these items need patches and firmware updates as well.
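A verification script to go with the server steps above. This is an added example, not part of the newsletter, the forum post, or Microsoft's KB; it reads back the three registry values quoted in the post and reports whether they match what the post says a "normal" server (two values) or a Hyper-V host (all three) should have. The role names (Workstation, Server, HyperVHost) are this script's own assumption, and it checks only the values listed in the post, not the antivirus compatibility entry the post refers to by picture or whether the firmware update has been applied.

```powershell
# Added verification script (not from the newsletter or KB4072698): reads back the
# three mitigation-related registry values quoted in the post and reports whether
# they match what the post says a "normal" server or a Hyper-V host should have.
# Run from an elevated PowerShell prompt on the machine you have patched.
param(
    # Assumed role names for this script; the post distinguishes a workstation,
    # a "normal" server (two values) and a Hyper-V/virtualization host (all three).
    [ValidateSet('Workstation', 'Server', 'HyperVHost')]
    [string]$Role = 'Server'
)

$mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the value (or its key) does not exist instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Expected values are taken directly from the reg add lines quoted in the post.
$expected = @(
    @{ Path = $mm;   Name = 'FeatureSettingsOverride';            Value = 0;     Roles = 'Server', 'HyperVHost' },
    @{ Path = $mm;   Name = 'FeatureSettingsOverrideMask';        Value = 3;     Roles = 'Server', 'HyperVHost' },
    @{ Path = $virt; Name = 'MinVmVersionForCpuBasedMitigations'; Value = '1.0'; Roles = 'HyperVHost' }
)

$problems = 0
foreach ($e in $expected) {
    $actual = Get-RegValue -Path $e.Path -Name $e.Name
    $needed = $e.Roles -contains $Role
    if (-not $needed) {
        # The post does not call for these values on a workstation; just report what is present.
        $state = if ($null -eq $actual) { 'absent (fine for this role)' } else { "present = $actual (not required for $Role)" }
        Write-Output ("{0,-38} {1}" -f $e.Name, $state)
        continue
    }
    if ($null -eq $actual) {
        Write-Output ("{0,-38} MISSING  (expected {1})" -f $e.Name, $e.Value)
        $problems++
    }
    elseif ("$actual" -ne "$($e.Value)") {
        # Compare as strings so REG_DWORD 0/3 and REG_SZ "1.0" are handled the same way.
        Write-Output ("{0,-38} MISMATCH (found {1}, expected {2})" -f $e.Name, $actual, $e.Value)
        $problems++
    }
    else {
        Write-Output ("{0,-38} OK       ({1})" -f $e.Name, $actual)
    }
}

if ($problems -gt 0) {
    Write-Warning "$problems value(s) are not set as the post describes for role '$Role'; the reg add lines in the post set them."
    exit 1
}
Write-Output "All values expected for role '$Role' are present."
```

Run it as `.\Check-MitigationKeys.ps1 -Role HyperVHost` on a virtualization host or with `-Role Server` on an ordinary server; a non-zero exit code means at least one of the quoted values is missing or different, which is the state you would expect on a server where only the Windows client steps were done.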