Windows 10: Windows Client Guidance against speculative execution vulnerabilities

Page 19 of 64 FirstFirst ... 9171819202129 ... LastLast
  1.    12 Jan 2018 #180

    Hi,
    @qao :

    Welcome to the forum and thanks for the links to the program. I find it excellent.

    Cheers,
      My ComputersSystem Spec

  2.    12 Jan 2018 #181

    K, I thought I had done all the updates, but I'm still a bit confused on the items in bold. It appears I'm still vulnerable to Spectre, according to the SpectreMeltdownCheck .... What I'm I missing ?

    1. KB4056892
    2. cpumcupdate - microcode-20180108
    3. According to HP and Get-SpeculationControlSettings - Appears my CPU doesn't need a BIOS update ?

    PS C:\WINDOWS\system32> Get-SpeculationControlSettings
    Speculation control settings for CVE-2017-5715 [branch target injection]

    Hardware support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is enabled: False
    Windows OS support for branch target injection mitigation is disabled by system policy: False
    Windows OS support for branch target injection mitigation is disabled by absence of hardware support: False


    Speculation control settings for CVE-2017-5754 [rogue data cache load]

    Hardware requires kernel VA shadowing: True
    Windows OS support for kernel VA shadow is present: True
    Windows OS support for kernel VA shadow is enabled: True
    Windows OS support for PCID performance optimization is enabled: True [not required for security]

    Suggested actions

    * Follow the guidance for enabling Windows Client support for speculation control mitigations described in https://support.microsoft.com/help/4073119


    BTIHardwarePresent : True
    BTIWindowsSupportPresent : True
    BTIWindowsSupportEnabled : False
    BTIDisabledBySystemPolicy : False
    BTIDisabledByNoHardwareSupport : False
    KVAShadowRequired : True
    KVAShadowWindowsSupportPresent : True
    KVAShadowWindowsSupportEnabled : True
    KVAShadowPcidEnabled : True
      My ComputersSystem Spec


  3. Posts : 1,471
    WinX Pro x64 IP current
       12 Jan 2018 #182

    johngalt said: View Post
    For a laugh, here are the results of my scan on my eVGA X58-based mobo with a Core i7 965 EE (full specs in my profile):

    Attachment 171024

    I included the full screenshot to show others what exactly I did from the point of opening PowerShell as Admin from the Start context menu.

    Unfortunately, with this hardware being as old as it is, I doubt I will receive any sort of BIOS update for it - the last was almost 7 years ago now.
    Interesting. The above was on build 17063. The below is from build 17074:

    Click image for larger version. 

Name:	ProcessorCheck2.PNG 
Views:	3 
Size:	59.4 KB 
ID:	172247

    Click image for larger version. 

Name:	ProcessorCheck3.PNG 
Views:	3 
Size:	28.0 KB 
ID:	172255
      My ComputersSystem Spec

  4.    12 Jan 2018 #183

    Hi,
    @Eagle51 :

    Windows OS support for branch target injection mitigation is enabled: False
    That line is truly odd and contradicts the ones following it unless I really misunderstand something here....

    Cheers,
      My ComputersSystem Spec

  5.    12 Jan 2018 #184

    That line is truly odd and contradicts the ones following it unless I really misunderstand something here....
    Yea, I don't get and I even tried doing the reg additions, which shouldn't be needed. I'm thinking I'm gonna need a BIOS update.

    The only other thing I've found is this over on TechNet.

    I managed to enable the patch, but had to mod BIOS firmware with the latest microcode from intel for my CPU, i7-4960X on X79 ASUS Rampage IV Black Edition Mobo, Windows 10 x64 1709 16299.192
    Before that I tried the VMWare driver, which gave me "hardware support for branch target injection mitigation: True", but I believe the OS loads the microcode too late for mitigation to be enabled.

    Note that I did not have to add the registry keys as listed below to my machine in order to enable the patch:
      My ComputersSystem Spec


  6. Posts : 1,471
    WinX Pro x64 IP current
       12 Jan 2018 #185

    Or else that the patched BIOS is not enough for the new microcode and requires actual new BIOS as well.

    For my nearly ancient X58 mobo, here is what eVGA Tech LeeM had to say about BIOS updates for eVGA motherboards in their forums:

    This is our current schedule for BIOS updates related to these vulnerabilities:

    By end of this week*: Z170, Z270, Z370, X99, X299, Laptops.

    Within 1-2 weeks*: X79, W888, Z87, Z97.

    *Please note that this date is projected, contingent on receiving source code from Intel, and final testing may push the dates back temporarily.

    At this point, we do not have source code from Intel to update X58, P67, or Z77 motherboards. When/if that becomes available, I'll provide an update.
    If all they needed was to update the microcode in any BIOS for any machine, well, Intel provided new microcode for damn near every CPU on 8 Jan: Download Linux* Processor Microcode Data File

    But I suspect that there is more to the BIOS than just replacing the microcode - quite possibly it could be that it has built in safeguards to check the integrity of the microcode within itself before passing it on to the CPU, and if it doesn't pass the integrity test, it may do something else in the interim.

    I don't know much about it, but it makes sense that this sort of check would be in there - after all, if not,someone could start spreading false BIOSs that were malicious in intent rather easily....

    I do know that other parts of the BIOS have been successfully been updated, specially the Intel RAID ROM part, even for the BIOS for my machine, but haven't ever seen any real success on BIOS microcode modification working.
      My ComputersSystem Spec

  7.    13 Jan 2018 #186

    The New Bios update is released, version 3703 for those that need this one for your ASUS boards.

    Click image for larger version. 

Name:	Bios_update.png 
Views:	6 
Size:	19.0 KB 
ID:	172443
      My ComputersSystem Spec


  8. Posts : 19,835
    Win10 Pro, Win10 Pro N, Win10 Home, Win10 Pro Insider Fast Ring, Windows 8.1 Pro, Ubuntu
       13 Jan 2018 #187

    OldMike65 said: View Post
    The New Bios update is released, version 3703 for those that need this one for your ASUS boards.

    Click image for larger version. 

Name:	Bios_update.png 
Views:	6 
Size:	19.0 KB 
ID:	172443
    That's for the Z170(skylake/kaby lake) boards.
    It looks like they are getting to the older chipsets finally.
      My ComputersSystem Spec

  •    13 Jan 2018 #188

    Cliff S said: View Post
    That's for the Z170(skylake/kaby lake) boards.
    It looks like they are getting to the older chipsets finally.
    Yes I know, that is my board on this rig....been waiting for this, its only a little over 1 year old
      My ComputersSystem Spec


  • Posts : 1,471
    WinX Pro x64 IP current
       13 Jan 2018 #189

    OldMike65 said: View Post
    Yes I know, that is my board on this rig....been waiting for this, its only a little over 1 year old
    Haven't had A BIOS update since 2011.....
      My ComputersSystem Spec


  •  
    Page 19 of 64 FirstFirst ... 9171819202129 ... LastLast

    Related Threads
    The PowerShell script execution policies enables you to determine which Windows PowerShell scripts (if any) will be allowed to run on your computer. Windows PowerShell has four different execution policies: Execution Policy Description ...
    Source: Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer - Microsoft Edge Dev Blog See also update: Cumulative Update KB4056892 Windows 10 v1709 Build 16299.192 - Windows 10 Forums
    Source: Google Online Security Blog: Disclosing vulnerabilities to protect users
    Windows 10 - Need some guidance on recovery in Installation and Upgrade
    One of my spare Windows 10 machines is on life support. I must have clobbered it somehow when I was tweaking the multiple display settings ( to incorporate a HDMI projector). It actually worked fine all week, but today, when I tired to set it...
    Read more: http://www.zdnet.com/article/microsoft-offers-it-guidance-to-prepare-for-windows-as-a-service/
    Our Sites
    Site Links
    About Us
    Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

    Designer Media Ltd
    All times are GMT -5. The time now is 20:08.
    Find Us