Windows 10: Windows Sandbox and Intel CPU Speculative side channel vulnerabilities

LaurFlorin · May 16, 2019

Hi.

I've yet to try Windows 10 version 1903 (waiting for the final version to roll out). However I'm aware of the new Windows Sandbox feature and I'm excited about it.

I do have a question though.

In the light of the recent side channel speculative execution vulnerabilities of the Intel chips, be it Meltdown, Spectre, Spoiler, MDS, ZombieLoad, etc. - do they have the potential to weaken the sandbox security?

I am aware that Windows Sandbox will base itself on Hyper-V, but if these speculative execution vulnerabilities in Intel chips continue to unravel, do they have the possibility to affect the sandbox security by design?

Will future cpu flaws of this type render the windows sandbox security useless? Are there any permanent mitigations that could help prevent sandbox escape or data leaks from the sandbox via a speculative execution vulnerability?

Thank you in advance for your feedback!

:)

Ground Sloth · May 16, 2019

Windows Client Guidance against speculative execution vulnerabilities

There is a new speculative execution side-channel vulnerability that comes in 3 varieties. Fortunately, a new CPU microcode update is not needed. But for people using virtual machines in a could environment, additional steps might need to be taken.

On August 14, 2018, Intel and industry partners shared more details and mitigation information about a recently identified speculative execution side-channel method called L1 Terminal Fault (L1TF).

L1TF is a speculative execution side channel cache timing vulnerability. In this regard, it is similar to previously reported variants. There are three varieties of L1TF that have been identified. Each variety of L1TF could potentially allow unauthorized disclosure of information residing in the L1 data cache, a small pool of memory within each processor core designed to store information about what the processor core is most likely to do next.

The microcode updates released earlier this year when coupled with operating system and hypervisor software available from our industry partners, ensure consumers, IT professionals and cloud service providers have access to the protections they need. Intel recommends people keep their systems up to date to protect against the evolving threat landscape.
Click to expand...

Intel Side Channel Vulnerability L1TF

Q3 2018 Intel Speculative Execution Side Channel Update

Brink · May 16, 2019

Surface Guidance for speculative execution side-channel vulnerability

Surface Guidance to protect against speculative execution side-channel vulnerabilities

Applies to: Surface Pro 4, Surface Book, Surface Studio, Surface Pro (latest), Surface Laptop, Surface Pro with LTE Advanced, Surface Book 2 - 13 inch, Surface Book 2 - 15 inch

Introduction

Since January 2018, the Surface team has been publishing firmware updates for a new class of hardware vulnerabilities that involve speculative execution side channels. The Surface team has not received any information to indicate that these vulnerabilities have been used to attack customers currently, and the team continues to work closely with the Windows team and industry partners to protect customers. To get all available protection, both firmware and Windows system updates are required.

Summary

Vulnerabilities Announced in May 2018
The Surface team has become aware of new speculative execution side-channel attack variants that also affect Surface products. Mitigation of those vulnerabilities requires UEFI updates that use new microcode. For more information about the vulnerabilities and mitigations, see the following security advisories:

Microsoft Security Advisory ADV180012

Microsoft Security Advisory ADV180013

We are working with our partners to provide updates to the following Surface products as soon as we can make sure that the updates meet our quality requirements:

Surface Book 2

Surface Book

Surface Laptop

Surface Studio

Surface Pro 4

Surface Pro 3

Surface Pro Model 1796 and Surface Pro with Advanced LTE Model 1807

References

CVE-2018-3640

CVE-2018-3639

Vulnerabilities Announced in January 2018
The Surface team is aware of the publicly disclosed class of vulnerabilities that involve speculative execution side channels (known as Spectre and Meltdown) that affect many modern processors and operating systems, including Intel, AMD, and ARM. For more information about the vulnerabilities and mitigations, see the following security advisory:

Microsoft Security Advisory ADV180002

For more information about Windows software updates, see the following Knowledge Base articles:

4073757 Protect your Windows devices against Spectre and Meltdown vulnerabilities

4073119 Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

In addition to installing the January 3 Windows Operating System Security Updates, Surface has released UEFI updates through Windows Update and the Download Center for the following devices:

Surface Book 2 - (Update history)

Surface Book - (Update history)

Surface Laptop - (Update history)

Surface Studio - (Update history)

Surface Pro 4 - (Update history)

Surface Pro 3 - (Update History)

Surface Pro Model 1796 and Surface Pro with Advanced LTE Model 1807- (Update History)

These updates are available for devices that are running Windows 10 Creators Update (build 15063) and later versions.

References

CVE-2017-5753

CVE-2017-5715

CVE-2017-5754

More Information

Note Surface hub has implemented defense-in-depth strategies. For more information, go to the following topic on the Microsoft website:

Differences between Surface Hub and Windows 10 Enterprise

Because of this, we believe that exploits that use these vulnerabilities are significantly reduced on Surface Hub.

The Surface team is focused on making sure that our users have a secure and reliable experience. We will continue to monitor and update devices as required to address these vulnerabilities and keep the device reliable and secure.
Click to expand...

Source: https://support.microsoft.com/en-us/...n-side-channel

See also: Surface devices and the new speculative execution side-channel vulnerabilities (May 2018) Surface

Bree · May 16, 2019

Q3 2018 Intel Speculative Execution Side Channel Update

A patch has already been issued in the latest cumulative update.

Key changes include:

Provides protections against a new speculative execution side-channel vulnerability known as L1 Terminal Fault (L1TF) that affects Intel® Core® processors and Intel® Xeon® processors (CVE-2018-3620 and CVE-2018-3646). Make sure previous OS protections against Spectre Variant 2 and Meltdown vulnerabilities are enabled using the registry settings outlined in the Windows Client and Windows Server guidance KB articles. (These registry settings are enabled by default for Windows Client OS editions, but disabled by default for Windows Server OS editions.)

Click to expand...

Cumulative Update KB4343909 Windows 10 v1803 Build 17134.228 - Aug. 14

Windows 10: Windows Sandbox and Intel CPU Speculative side channel vulnerabilities

Windows Sandbox and Intel CPU Speculative side channel vulnerabilities

Windows Sandbox and Intel CPU Speculative side channel vulnerabilities

Windows Sandbox and Intel CPU Speculative side channel vulnerabilities

Windows Sandbox and Intel CPU Speculative side channel vulnerabilities - Similar Threads - Sandbox Intel CPU

Microsoft CVE-2017-5715: Guidance to mitigate speculative execution side-channel...

Q3 2018 Intel Speculative Execution Side Channel Update

Surface Guidance for speculative execution side-channel vulnerability

New Speculative Execution Side-Channel Vunerability (Variant 4)

Mitigating speculative execution side-channel attacks in Edge and IE11

SQL Server Guidance against speculative execution vulnerabilities

Mitigating speculative execution side channel hardware vulnerabilities

Windows Server Guidance against speculative execution vulnerabilities

Windows Client Guidance against speculative execution vulnerabilities

Users found this page by searching for:

windows sandbox l1tf

Windows Sandbox on Intel Processors