
Windows Update and security fixes.


Hi all,

For several years, many security issues have been discovered in CPUs.

 

Microsoft has been able to update the CPU microcode revision, which is a prerequisite for the OS mitigation fixes on some CPUs. That is a good point for overall security.

 

Unfortunately, that is not enough, and our computers are still vulnerable, because there are other actions that are not done by Windows Update.

After that, you have to update the registry as described on this page:

https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-... 

 

Actually, there is no information about the 1909 build, but Microsoft tells me that the mitigations are still not installed on this new build. Consequently, there will be a lot of users and administrators who think that their computers are secured, which is not the case.

 

For the next Windows build, it would be very good if Windows Update installed all security fixes and mitigations by default, to secure all computers, which is very important in our dangerous world, and only allowed specific users with particular needs, such as computers that are not connected to the network, the ability to remove some specific Windows security fixes.

 

I hope that this very important security improvement will soon be applied by Windows Update by default.

 

Best regards

Xavier

13 Replies
Hi,
I think it's because that article says:
"Applies to: Windows 10, version 1903, Windows 10, version 1809, Windows 10, version 1803, Windows 10, version 1709, Windows 10, version 1607, Windows 10, Windows RT 8.1, Windows 8.1, Windows 7 Service Pack 1"

and there is no mention of 1909 in that entire page, so it's safe to assume that it is already fixed in version 1909, otherwise Microsoft would have included it in the article as well.

@HotCakeX I totally agree with your analysis. The issue is that in reality, according to Microsoft expert internal tests, it is not yet safe or fixed with the 1909 version. You still need to manually modify the registry.

I think you misunderstood the side-channel mitigations article.

If you have all updates installed on a current Windows 10 (1809, 1903, 1909), and your firmware has the correct CPU microcode, you don't have to edit the registry.

The article you linked to describes methods to disable certain mitigations if you run into problems, or enable special cases.

If we talk about Windows Server, then it is a different story. There you have to manually activate part of the mitigations. As many of these mitigations can cost a substantial amount of performance in certain server environments, it would not be wise to enable them without an admin testing it first.

 

To sum it up:

 

For Windows 10 clients with Intel CPUs, ALL operating-system mitigations, except the system-wide speculative store bypass mitigation, are enabled by default. You do NOT need to touch the registry if you don't have a special case where SSBD is a problem. SSBD mitigations are only needed if you run vulnerable software. None of the operating system binaries are vulnerable to SSBD. Be aware that the system-wide SSBD mitigation will impact end-user performance!

 

For Windows Server 2019 with Intel CPUs, you have to set 2 registry values (FeatureSettingsOverride = 0, FeatureSettingsOverrideMask = 3) to get the same protections as a Windows 10 client. You can easily set these values for your servers with Group Policy.

 

You need firmware updates for your hardware to mitigate some of the vulnerabilities! You cannot mitigate side-channel vulnerabilities with Windows updates and/or registry keys alone!

 

If you want to know the protection state of a system, open PowerShell and install the SpeculationControl module. With this module you can use "Get-SpeculationControlSettings" to get a complete rundown of side-channel protections and vulnerabilities. It will tell you if your hardware is vulnerable in the first place, if OS mitigations are enabled, and if hardware support for these mitigations is available.

If it tells you to update your device firmware, you need to check with your OEM, or you will be vulnerable anyway.

@Xavier_2020 
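The check dretzer describes above, as an added example that is not part of his post or of Microsoft's module: a PowerShell script (the shell this procedure is typed into) that installs the SpeculationControl module from the PowerShell Gallery, runs Get-SpeculationControlSettings, and folds the flag list into one status line per vulnerability, separating "hardware not affected", "mitigated", "firmware/microcode update needed" and "OS mitigation off". The property names are the ones that appear in the outputs quoted later in this thread; the pairing of each CVE with an "affected", "enabled" and "hardware ready" flag, and the use of the module's -Quiet switch, are my reading of the module's output and are assumptions here. Save it as a .ps1 and run it elevated, since it uses exit codes.

```powershell
# Added example, not from the thread or from the SpeculationControl module itself.
# Installs the module, runs Get-SpeculationControlSettings and folds its flags into
# a per-vulnerability status. Run elevated as a script; exits 1 when something
# needs attention so the script can feed a compliance job.
if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl
$s = Get-SpeculationControlSettings -Quiet   # -Quiet: flags only, no narrative text (assumed switch)

function Get-MitigationReport {
    param($Settings)   # the object returned by Get-SpeculationControlSettings
    # One row per vulnerability (assumed mapping): is this CPU affected, is the OS
    # mitigation active, and does firmware/microcode expose the hardware support the
    # OS needs. There is no "hardware vulnerable" flag for BTI, so every CPU counts
    # as affected; BTIHardwarePresent = False means the microcode is too old.
    $rows = @(
        @{ Name = 'CVE-2017-5715 BTI (Spectre v2)';      Affected = $true;                           Enabled = $Settings.BTIWindowsSupportEnabled;            HwReady = $Settings.BTIHardwarePresent  }
        @{ Name = 'CVE-2017-5754 KVA shadow (Meltdown)'; Affected = $Settings.KVAShadowRequired;     Enabled = $Settings.KVAShadowWindowsSupportEnabled;      HwReady = $true }
        @{ Name = 'CVE-2018-3639 SSBD (system-wide)';    Affected = $Settings.SSBDHardwareVulnerable; Enabled = $Settings.SSBDWindowsSupportEnabledSystemWide; HwReady = $Settings.SSBDHardwarePresent }
        @{ Name = 'CVE-2018-3620 L1TF';                  Affected = $Settings.L1TFHardwareVulnerable; Enabled = $Settings.L1TFWindowsSupportEnabled;          HwReady = $true }
        @{ Name = 'MDS';                                 Affected = $Settings.MDSHardwareVulnerable;  Enabled = $Settings.MDSWindowsSupportEnabled;           HwReady = $true }
    )
    foreach ($r in $rows) {
        $status = if (-not $r.Affected)    { 'not affected' }
                  elseif ($r.Enabled)      { 'mitigated' }
                  elseif (-not $r.HwReady) { 'NEEDS FIRMWARE/MICROCODE UPDATE' }
                  else                     { 'OS MITIGATION OFF' }
        [pscustomobject]@{ Mitigation = $r.Name; Status = $status }
    }
}

$report = Get-MitigationReport -Settings $s
$report | Format-Table -AutoSize

# System-wide SSBD is off by default on Windows 10 clients, so 'OS MITIGATION OFF'
# on that row is expected unless the machine runs software that needs it. Decide
# per machine whether to whitelist it; everything else that is not 'mitigated' or
# 'not affected' is a finding.
$findings = @($report | Where-Object { $_.Status -notin @('mitigated', 'not affected') })
if ($findings.Count -gt 0) {
    Write-Warning "$($findings.Count) mitigation(s) need attention"
    exit 1
}
exit 0
```

On the Windows Server 2019 output quoted later in the thread (BTIDisabledBySystemPolicy = True), this report flags the BTI row as "OS MITIGATION OFF", which is exactly the case where the FeatureSettingsOverride registry values have to be set; a machine whose firmware predates the microcode update shows "NEEDS FIRMWARE/MICROCODE UPDATE" instead, and no registry change will help there.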

@Xavier_2020 


@Xavier_2020 wrote:

@HotCakeX I totally agree with your analysis. The issue is that in reality, according to Microsoft expert internal tests, it is not yet safe or fixed with the 1909 version. You still need to manually modify the registry.


Could you please show me those internal test results?

@HotCakeX 

Microsoft did not give me their internal test, so I can't, but I am confident in the information that they gave me and the action they asked me to take.

@Xavier_2020 


@Xavier_2020 wrote:

@HotCakeX 

Microsoft did not give me their internal test, so I can't, but I am confident in the information that they gave me and the action they asked me to take.


I mean, you can believe whatever you like, but for me proof is important.

 

I think dretzer wrote a complete answer:

https://techcommunity.microsoft.com/t5/windows-10-security/windows-update-and-security-fixes/m-p/113...

@dretzer 


@dretzer wrote:

If you have all updates installed on a current Windows 10 (1809, 1903, 1909), and your firmware has the correct CPU microcode, you don't have to edit the registry.

 

If you want to know the protection state of a system, open PowerShell and install the SpeculationControl module. With this module you can use "Get-SpeculationControlSettings" to get a complete rundown of side-channel protections and vulnerabilities. It will tell you if your hardware is vulnerable in the first place, if OS mitigations are enabled, and if hardware support for these mitigations is available.

If it tells you to update your device firmware, you need to check with your OEM, or you will be vulnerable anyway.

@Xavier_2020 


The first point is not my experience.

 

A PC with updated CPU microcode AND Windows with all the latest updates done by Windows Update is not enough to mitigate all CPU vulnerabilities, according to the "PowerShell SpeculationControl script".

I still need to edit the registry, and the "PowerShell SpeculationControl script" confirms that (I compared the output before and after the change to verify it). The mitigations were already done before the 1909 build updates.

 

Just to help users and administrators here, the links for the "PowerShell SpeculationControl script":

 

https://www.powershellgallery.com/packages/SpeculationControl/ 

https://support.microsoft.com/en-us/help/4074629/understanding-the-output-of-get-speculationcontrols... 

To give you some real-world examples, I checked three different machines with freshly installed Windows 10 1909 and Windows Server 2019. One machine uses a 7th gen Core i7, another a 10th gen, and the server uses a Xeon D. As you can see, only the Windows Server instance would need a registry setting to enable BTIWindowsSupport. The Windows 10 clients have all needed mitigations enabled without touching the registry, system-wide SSBD being the only exception, which, as I explained, should not be necessary on a normal system.

 

Windows 10 1909 on Intel(R) Core(TM) i7-7500U

BTIHardwarePresent : True
BTIWindowsSupportEnabled : True
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : False
BTIKernelRetpolineEnabled : False
BTIKernelImportOptimizationEnabled : True
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDHardwarePresent : True
SSBDWindowsSupportEnabledSystemWide : False
L1TFHardwareVulnerable : True
L1TFWindowsSupportEnabled : True
L1TFInvalidPteBit : 45
L1DFlushSupported : True
MDSWindowsSupportPresent : True
MDSHardwareVulnerable : True
MDSWindowsSupportEnabled : True

 

Windows 10 1909 on Intel(R) Core(TM) i7-1065G7

BTIHardwarePresent : True
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : True
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : False
BTIKernelRetpolineEnabled : False
BTIKernelImportOptimizationEnabled : True
KVAShadowRequired : False
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDHardwarePresent : True
SSBDWindowsSupportEnabledSystemWide : False
L1TFHardwareVulnerable : False
L1TFWindowsSupportPresent : True
L1TFWindowsSupportEnabled : False
L1TFInvalidPteBit : 0
L1DFlushSupported : True
MDSWindowsSupportPresent : True
MDSHardwareVulnerable : False
MDSWindowsSupportEnabled : False

 

Windows Server 2019 on Intel(R) Xeon(R) D-2183IT

BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : True
BTIDisabledByNoHardwareSupport : False
BTIKernelRetpolineEnabled : False
BTIKernelImportOptimizationEnabled : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled : True
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDHardwarePresent : True
SSBDWindowsSupportEnabledSystemWide : False
L1TFWindowsSupportPresent : True
L1TFWindowsSupportEnabled : True
L1TFInvalidPteBit : 45
L1DFlushSupported : True
MDSWindowsSupportPresent : True
MDSHardwareVulnerable : True
MDSWindowsSupportEnabled : True

 

If you don't understand the output of get-speculationcontrolsettings, just ask for specifics and I'll try to explain.

@Xavier_2020 

@dretzer 

 

Hello,

 

Thank you for your test and explanation.

I have done some tests on my own personal computer with a newly installed Windows 10 1909 build with an AMD CPU.

  • CVE-2017-5715 (Spectre Variant 2) mitigation is now applied by default.
  • CVE-2018-3639 (Speculative Store Bypass) mitigation is still not applied by default.

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True

 

Speculation control settings for CVE-2017-5754 [rogue data cache load]

 

Hardware requires kernel VA shadowing: False

 

Speculation control settings for CVE-2018-3639 [speculative store bypass]

 

Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is enabled system-wide: False

 

Speculation control settings for CVE-2018-3620 [L1 terminal fault]

 

Hardware is vulnerable to L1 terminal fault: False

 

Speculation control settings for MDS [microarchitectural data sampling]

Windows OS support for MDS mitigation is present: True
Hardware is vulnerable to MDS: False


BTIHardwarePresent : True
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : True
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : False
BTIKernelRetpolineEnabled : True
BTIKernelImportOptimizationEnabled : True
KVAShadowRequired : False
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDHardwarePresent : True
SSBDWindowsSupportEnabledSystemWide : False
L1TFHardwareVulnerable : False
L1TFWindowsSupportPresent : True
L1TFWindowsSupportEnabled : False
L1TFInvalidPteBit : 0
L1DFlushSupported : False
MDSWindowsSupportPresent : True
MDSHardwareVulnerable : False
MDSWindowsSupportEnabled : False

 

Same results as you.

The question is, for sensitive PCs that need to have "SSBDWindowsSupportEnabledSystemWide" activated, how to do this? If VBS (Virtualization-based security) is running, do we now have to understand that Hyper-V is installed for the 1909 build? I don't think so, even if Windows Server has some specific additional lines for Hyper-V on AMD, but Windows 10 on Intel-based CPUs has to deal with this choice.

 

Link for Servers:

https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-v... 

 

To my understanding, we just need to add these two lines for AMD:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f

 

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

 

And for Intel-based CPUs with only VBS activated, do we have to take into account whether Hyper-V is installed or not?

If you are using VBS, with or without Hyper-V virtual machines, you can only mitigate L1TF/MDS fully if you disable hyper-threading (SMT). You have to do this either in firmware or via registry (firmware is preferable). There is no way around this. If you use VBS and have hyper-threading enabled, VBS secrets will be vulnerable to L1TF and MDS exploits.

Hyper-V itself does not need special attention on a client. If you have Windows Server 2016 Hyper-V, you should enable the core scheduler for Hyper-V.

 

If you have to enable all mitigations, with no regard for performance, use the following settings (they work the same for Intel and AMD CPUs, and need current microcode for the CPU):

 

Set the following registry keys:

 

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

 

 

If you are using VBS and/or WDAG:

  • Disable SMT/HT in firmware
  • If you can't disable SMT/HT in firmware, use the following registry keys instead:

 

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

 

 

If you are using Hyper-V on Windows Server 2016:

  • Enable core scheduler and set all your VMs to utilize SMT:

 

bcdedit /set hypervisorschedulertype core
Set-VMProcessor -VMName <VMName> -HwThreadCountPerCore 2

 

 

 

 

  • If you use VMs with a configuration version older than 8.0 (this is needed for WS2019 as well if you use old VM configurations):

 

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

 

@Xavier_2020 
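The FeatureSettingsOverride settings from dretzer's post above, as an added PowerShell example that is not part of his post: it reads the current FeatureSettingsOverride / FeatureSettingsOverrideMask pair, decodes the value bits, and applies one of the three combinations the thread gives (0, 72 and 8264, all with mask 3) with -WhatIf support, so the change can be previewed before committing to a reboot. Only those three composite values and the mask come from the thread; the per-bit labels (1 = BTI disabled, 2 = KVA shadow disabled, 8 = system-wide SSBD, 64 = L1TF, 8192 = SMT disabled by the OS) are my reading of the Microsoft KB4072698 / KB4073119 tables linked earlier and are assumptions here, used only to explain what a value means.

```powershell
# Added example, not from the thread. Reads, decodes and (optionally) sets the
# FeatureSettingsOverride pair that steers the speculative-execution mitigations.
# Run elevated; a reboot is required before any change takes effect.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Per-bit meaning: my reading of the KB4072698/KB4073119 tables (assumption, for
# explanation only). Bits 0-1 DISABLE a mitigation; the remaining bits ENABLE one.
$Bits = [ordered]@{
    1    = 'BTI (Spectre v2, CVE-2017-5715) mitigation disabled'
    2    = 'KVA shadow (Meltdown, CVE-2017-5754) disabled'
    8    = 'SSBD (CVE-2018-3639) enabled system-wide'
    64   = 'L1TF (CVE-2018-3620) mitigation enabled'
    8192 = 'SMT / hyper-threading disabled by the OS'
}
# The three composite values from the thread; every one of them uses mask 3.
$Presets = @{
    ServerDefaults = 0      # Server 2019: turn on BTI + KVA shadow, same protection as a Win10 client
    AllMitigations = 72     # 8 + 64: every OS mitigation incl. system-wide SSBD, SMT left on
    AllNoSMT       = 8264   # 72 + 8192: same, plus SMT off in software when firmware cannot do it
}

function Convert-FeatureSettings {
    param($Value)   # untyped on purpose so $null (value absent) is distinct from 0
    if ($null -eq $Value) { return @('not set: OS defaults apply') }
    $known = 0; foreach ($b in $Bits.Keys) { $known = $known -bor $b }
    $out = @(foreach ($b in $Bits.Keys) { if ($Value -band $b) { $Bits[$b] } })
    $unknown = $Value -band (-bnot $known)
    if ($unknown) { $out += ('unrecognised bits: 0x{0:X}' -f $unknown) }
    if ($out.Count -eq 0) { $out = @('0: BTI + KVA shadow enabled, nothing else overridden') }
    return $out
}

function Get-FeatureSettingsOverride {
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Override = $p.FeatureSettingsOverride
        Mask     = $p.FeatureSettingsOverrideMask
        Meaning  = (Convert-FeatureSettings $p.FeatureSettingsOverride) -join '; '
    }
}

function Set-FeatureSettingsOverride {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ServerDefaults', 'AllMitigations', 'AllNoSMT')]
        [string]$Preset
    )
    $value = $Presets[$Preset]
    $action = "FeatureSettingsOverride=$value ($((Convert-FeatureSettings $value) -join '; ')), Mask=3"
    if ($PSCmdlet.ShouldProcess($Path, $action)) {
        # New-ItemProperty -Force overwrites an existing value instead of failing on it.
        New-ItemProperty -Path $Path -Name FeatureSettingsOverride     -PropertyType DWord -Value $value -Force | Out-Null
        New-ItemProperty -Path $Path -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3      -Force | Out-Null
        Write-Warning 'Reboot, then re-run Get-SpeculationControlSettings to confirm the new state.'
    }
}

# Usage: show the current state, preview a change, then apply it.
Get-FeatureSettingsOverride
Set-FeatureSettingsOverride -Preset AllMitigations -WhatIf
# Set-FeatureSettingsOverride -Preset AllNoSMT   # only with VBS/WDAG when firmware cannot disable SMT
```

The AllNoSMT preset is the software fallback dretzer describes for VBS/WDAG hosts whose firmware cannot switch off hyper-threading; disabling SMT in firmware is still the preferred route, and in both cases the cost is roughly half the logical processors, so the decoded "Meaning" column is worth reading before confirming the -WhatIf prompt.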

@dretzer Thank you, dretzer.

@Xavier_2020 I have applied the same registry keys to Windows 1909, but some processors are still vulnerable, even though Microsoft can't fix those.

Which processors, and why can't Microsoft fix them? Source?