Windows 10: Microsoft publishes new Registry mitigation for Intel processors (Spectre)

About six years ago, vulnerabilities were discovered that affected most Intel and AMD processors. The vulnerabilities, Spectre and Meltdown, can be exploited to read sensitive data from attacked computer systems.

Intel released an update for one of the Spectre variants, disclosed officially on March 8, 2022. Microsoft implemented mitigations in client and server versions of Windows as a response to this.

These are disabled by default. The main reason for this seems to be potential performance impacts that comes with the implementation.

This guide walks you through the steps of configuring Windows to enable the mitigations and finding out if your processor is affected.

Is your processor affected?


The very first thing you may want to do is check if your processor is on Intel's list of affected CPUs.

• If it is on the list, you may enable the mitigation to protect the system against potential attacks.
• If it is not on the list, you can skip the remainder of the article.

Here is how you find out:

1. Open Start > Settings > System > About and check the listed processor.
2. Load the following two resource websites: Nist.gov and Intel's Affected Processors website.

Check to see if the installed processor is listed on these websites. You may want to use the browser's search to find the information quickly.

Microsoft's Registry tweak to protect against the vulnerability




If your processor is on the list, you may change the Registry keys to enable the mitigations.

Note: implementation may affect performance. While I cannot recommend not enabling these mitigations, the risk of attacks against home PCs is most of the time neglectable.

Backup: it is highly recommended to back up the system drive before implementing the mitigation. Not with Windows' Backup App, which is useless for the purpose, but with a full backup program like Paragon Backup & Recovery Free.

Here is what you need to do on Windows devices and clients to mitigate CVE-2022-0001:

1. Open Start, type CMD, and select Run as administrator. This launches an elevated command prompt window.
2. Confirm the UAC prompt by selecting yes.
3. Execute the following two commands by pasting them and pressing the Enter-key after each:
   1. reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x00800000 /f
   2. reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 0x00000003 /f
4. Restart the computer after both Registry keys have been added.

Tip: you may want to monitor performance to make sure that day-to-day operations are not severely impacted by the mitigation.

Interestingly enough, Microsoft has also revealed how Linux users may mitigate the vulnerability: "Specify spectre_bhi=on on the kernel command line".

Closing Words

While it may be critical for organizations to implement the mitigation, risks of attacks are relatively low for home users.

What about you? Have you implemented Spectre / Meltdown mitigations on your PCs? (via Neowin)

Thank you for being a Ghacks reader. The post Microsoft publishes new Registry mitigation for Intel processors (Spectre) appeared first on gHacks Technology News.

read more...

 

Windows 10 LTSB v. 1607 & Spectre: Still no OS support for mitigation

It really should not be a concern. The microcode which has been pulled by Intel is required to mitigate the Spectre variant 2, without it being installed on your system the patches released by Microsoft cannot be used.

At this point, you really don't want the fixes Intel wrote, if you installed the current fix you would regret it. Microsoft issues emergency weekend update to remove buggy Intel patch

It shouldn't be concerning. It's what you should expect out of a system that has not received the required microcode to implement the mitigation steps done within the kernel that uses a particular instruction.

You are mistaken. 2017-5715 requires a microcode. Without the microcode, the kernel changes done by the update(s) in question, cannot be used and are ignored.

Install the updated firmware, when it's released, but be sure you only do it after Intel releases the updated fixes.

This key is ignored, if you have not patched your firmware, so the required firmware can be used. It also would be used if you had an AMD system which you do not.

Intel pulled the required microcode and Microsoft released an optional patch that disables the current unstable microcode code. Variant 2 CANNOT BE mitigated with kernel changes itself. Spectre variant 2 requires a firmware updated by Dell in order to receive the microcode. Intel has not released the fixed/corrected microcode at this time.

 

Microsoft Pushes New Software-Based Spectre, Meltdown Mitigation Patches

The Spectre/Meltdown road is long and pocked with lawsuits and security holes as it is, and Microsoft is one of the players that's trying to put the asphalt back to tip-top, Autobahn-worth shape. The company has already improved users' security to the Meltdown and Spectre exploits on its OS side; however, hardware patches, and specifically BIOS-editing ones are much harder to deploy and distribute by the PC chain. That may be one of the reasons why Microsoft is now again stepping up with software-based mitigations for Intel-based systems, specifically.

The new updates introduce a software-based CPU microcode revision update, and work at the OS-level to plug some security holes on your Intel processors that might otherwise remain unpatched. The reasons for them remaining unpatched can be many: either Intel taking even more time to deploy patches to the still vulnerable systems; your OEMs not deploying the Intel CPU microcode revisions via a BIOS update; or the good old "I forgot I could do it" user story. Of course, being software based means these Microsoft patches will have to be reapplied should users format their Windows system. The update can for now only be manually downloaded and installed, and can only be applied to version 1709 (Fall Creators Update) and Windows Server version 1709 (Server Core), but that's definitely better than the alternative of forcing less knowledgeable users to try and find their way through BIOS updates. Of course, that is assuming OEMs will ever push BIOS updates to their products.

 

Intel Releases CPU Benchmarks with Meltdown and Spectre Mitigations

official Microsoft report of the impact on performance this would be variable according to the hardware / operating system.

link, https://cloudblogs.microsoft.com/mi...-and-meltdown-mitigations-on-windows-systems/

*85388-2a258f73cf34ceca0c0403ff80d2e800.jpg*