Windows Client Guidance against speculative execution vulnerabilities

fdegrove said:

Hi,



You're most welcome.
Well, what they're saying is that those systems were meant to be stand alones. Sure enough, when you're not connected to a network you're not going to be vulnerable to these kinds of attacks....
Guess they have to draw the line somewhere.


Cheers,

Well, I don't think those "closed systems" are not connected to a network, the reasons evoked have to do more with the micro-architectural characteristics of those old machines precluding the implementation of features capable of mitigating the variant 2 of Spectre (CVE-2017-5715). For reference, you can check the article:
https://www.helpnetsecurity.com/2018...ocode-updates/

Question, where do you download the MC updates from? shows that the update is available for the Sandy Bridge and Ivy Bridge but now links as to find them. I'm going to assume it's what is in 1803 but according to Steve's InSpectre utility it sounds like an update is out there. Can someone point me in the right direction where you can download these fixes if there is such a place other than upgrade the OS? Thank you.

sneekez said:

Question, where do you download the MC updates from? shows that the update is available for the Sandy Bridge and Ivy Bridge but now links as to find them. I'm going to assume it's what is in 1803 but according to Steve's InSpectre utility it sounds like an update is out there. Can someone point me in the right direction where you can download these fixes if there is such a place other than upgrade the OS? Thank you.

There was a Microsoft's microcode update patch for Fall Creators's version or build that one could get from the Microsoft Update catalog. It doesn't work for April 2018 Feature version. Maybe they will issue a new one with the next patch Tuesday cumulative update. The only other way to get it is to check your manufacturer's support page in order to have a BIOS/UEFI firmware update.

Hi,

IronZorg89 said:

Well, I don't think those "closed systems" are not connected to a network, the reasons evoked have to do more with the micro-architectural characteristics of those old machines precluding the implementation of features capable of mitigating the variant 2 of Spectre (CVE-2017-5715). For reference, you can check the article:
https://www.helpnetsecurity.com/2018...ocode-updates/

I did not word that well, my bad. By "Closed System" they mean what exactly ?
The article isn't really clear about that. The way I read it is that most of those machines are either stand alones or on an intranet ??
Or is the CPU's architecture just not capable of speculative code execution ?

Cheers,

fdegrove said:

Or is the CPU's architecture just not capable of speculative code execution ?

Cheers,

That last question of yours is probably what they meant. That's my understanding.

I contacted Gigabyte regarding a MB for a system that showed no update available nor anything in the pipe. They privately linked me to the BIOS/UEFI update. Win 7 system and it is not slow...yet.

Lenovo made updates available for Sandy Bridge laptops ready a couple of months ago. Haven't patched them yet.

Which utility do you guys recommend to verify a system is patched? I'm always skeptical of freeware.

ericnixmd said:

Which utility do you guys recommend to verify a system is patched? I'm always skeptical of freeware.

I think most people use this: GRC


And you can double/manually check via:

1) Open elevated PowerShell.

2) Temporarily set PowerShell script execution policy
PS> Set-ExecutionPolicy Unrestricted -Scope Process -Force

3) Install the PowerShell module
PS > Install-Module SpeculationControl -Force

Type Y and press Enter if prompted to install and import NuGet.

4) Run the PowerShell module to validate protections are enabled
PS > Get-SpeculationControlSettings

Thanks @tomseys.