User Profile
Xavier_2020
Copper Contributor
Joined 6 years ago
Recent Discussions
Re: Windows Update and security fixes.
dretzer Hello,

Thank you for your test and explanation. I have done some tests on my own personal computer with a newly installed Windows 10 1909 build and an AMD CPU.

CVE-2017-5715 (Spectre Variant 2) mitigation is now applied by default.
CVE-2018-3639 (Speculative Store Bypass) mitigation is still not applied by default.

Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: False

Speculation control settings for CVE-2018-3639 [speculative store bypass]
Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is enabled system-wide: False

Speculation control settings for CVE-2018-3620 [L1 terminal fault]
Hardware is vulnerable to L1 terminal fault: False

Speculation control settings for MDS [microarchitectural data sampling]
Windows OS support for MDS mitigation is present: True
Hardware is vulnerable to MDS: False

BTIHardwarePresent : True
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : True
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : False
BTIKernelRetpolineEnabled : True
BTIKernelImportOptimizationEnabled : True
KVAShadowRequired : False
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDHardwarePresent : True
SSBDWindowsSupportEnabledSystemWide : False
L1TFHardwareVulnerable : False
L1TFWindowsSupportPresent : True
L1TFWindowsSupportEnabled : False
L1TFInvalidPteBit : 0
L1DFlushSupported : False
MDSWindowsSupportPresent : True
MDSHardwareVulnerable : False
MDSWindowsSupportEnabled : False

Same results as you. The question is, for sensitive PCs that need to have “SSBDWindowsSupportEnabledSystemWide” activated, how to do this?

If VBS (Virtualization-based security) is running, do we now have to understand that Hyper-V is installed for the 1909 build? I don’t think so, even if Windows Server has some specific additional lines for Hyper-V on AMD, but Intel-based CPU Windows 10 has to deal with this choice.

Link for Servers: https://support.microsoft.com/fr-fr/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities

For my understanding, we just need to add these two lines for AMD:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

And for an Intel-based CPU with only VBS activated, do we have to integrate that Hyper-V is installed or not?

5K Views, 0 likes, 2 Comments

Re: Windows Update and security fixes.
dretzer

dretzer wrote:

If you have all updates installed on a current Windows 10 (1809, 1903, 1909), and your firmware has the correct CPU microcode, you don't have to edit the registry. If you want to know the protection state of a system, open PowerShell and install the SpeculationControl module. With this module you can use "get-speculationcontrolsettings" to get a complete rundown of side-channel protections and vulnerabilities. It will tell you if your hardware is vulnerable in the first place, if OS mitigations are enabled and if hardware support for these mitigations is available. If it tells you to update your device firmware, you need to check with your OEM, or you will be vulnerable anyway.

Xavier_2020 The first point is not my experience. A PC with updated CPU microcode AND Windows with all the latest updates done by Windows Update is not enough to mitigate all CPU vulnerabilities, according to the “PowerShell SpeculationControl script”. I still need to edit the registry, and the “PowerShell SpeculationControl script” confirms that (before and after test output to control that). Mitigations were already done before the 1909 build updates.

Just to help users and administrators here, the links for the “PowerShell SpeculationControl script”:

https://www.powershellgallery.com/packages/SpeculationControl/
https://support.microsoft.com/en-us/help/4074629/understanding-the-output-of-get-speculationcontrolsettings-powershell

5.1K Views, 0 likes, 4 Comments

Windows Update and security fixes.
Hi all,

For several years, many security issues have been discovered in CPUs. Microsoft has been able to update the CPU microcode revision, which is a prerequisite to handle OS mitigation fixes on some CPUs. That is a good point for overall security.

Unfortunately, that is not enough, and our computers are still vulnerable, because there are other actions that are not done by Windows Update. After that, you have to update the registry as described on this page: https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

Actually, there is no information about the 1909 build, but Microsoft tells me that mitigations are still not installed on this new build. And consequently, there will be a lot of users and administrators that thought that they are secured with their computer, which is not the case.

For the next Windows build, it would be very good if Windows Update installed all security fixes and mitigations by default, to secure all computers, which is very important in our dangerous world, and only allowed, for specific users' needs with computers that are not connected to the network, the ability to remove some specific Windows security fixes.

Hope that this very important security improvement will soon be applied by Windows Update by default.

Best regards
Xavier

5.5K Views, 0 likes, 13 Comments
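
The posts above compare SpeculationControl output before and after registry changes. As an added example (not from the posts or from the SpeculationControl module), the sketch below turns the property list into a per-issue status so that a mitigation that is supported but switched off stands out. `Get-MitigationGap` and its status names are hypothetical, and `$sample` is constructed from the values quoted in the post.

```powershell
# Added example. Get-MitigationGap is a hypothetical helper, not part of the
# SpeculationControl module; it only reads the boolean properties quoted above.
function Get-MitigationGap {
    param([Parameter(Mandatory)] $Settings)

    # Per issue: "hardware affected" flag, "OS support present" flag, "enabled" flag.
    $rules = @(
        @{ Issue = 'CVE-2017-5754 (KVA shadow)'; Affected = 'KVAShadowRequired'
           Present = 'KVAShadowWindowsSupportPresent'; Enabled = 'KVAShadowWindowsSupportEnabled' }
        @{ Issue = 'CVE-2018-3639 (SSBD)'; Affected = 'SSBDHardwareVulnerable'
           Present = 'SSBDWindowsSupportPresent'; Enabled = 'SSBDWindowsSupportEnabledSystemWide' }
        @{ Issue = 'CVE-2018-3620 (L1TF)'; Affected = 'L1TFHardwareVulnerable'
           Present = 'L1TFWindowsSupportPresent'; Enabled = 'L1TFWindowsSupportEnabled' }
        @{ Issue = 'MDS'; Affected = 'MDSHardwareVulnerable'
           Present = 'MDSWindowsSupportPresent'; Enabled = 'MDSWindowsSupportEnabled' }
    )

    foreach ($r in $rules) {
        $affected = [bool]$Settings.($r.Affected)
        $present  = [bool]$Settings.($r.Present)
        $enabled  = [bool]$Settings.($r.Enabled)

        if (-not $affected) { $status = 'NotAffected' }
        elseif ($enabled)   { $status = 'Enabled' }
        elseif ($present)   { $status = 'SupportedButNotEnabled' }  # configuration gap
        else                { $status = 'NoOsSupport' }             # update gap

        [pscustomobject]@{ Issue = $r.Issue; Status = $status }
    }
}

# Constructed sample: the values quoted in the post (AMD CPU, Windows 10 1909).
# On a live system, pass the object returned by Get-SpeculationControlSettings.
$sample = [pscustomobject]@{
    KVAShadowRequired = $false; KVAShadowWindowsSupportPresent = $true; KVAShadowWindowsSupportEnabled = $false
    SSBDHardwareVulnerable = $true; SSBDWindowsSupportPresent = $true; SSBDWindowsSupportEnabledSystemWide = $false
    L1TFHardwareVulnerable = $false; L1TFWindowsSupportPresent = $true; L1TFWindowsSupportEnabled = $false
    MDSHardwareVulnerable = $false; MDSWindowsSupportPresent = $true; MDSWindowsSupportEnabled = $false
}
Get-MitigationGap -Settings $sample | Format-Table -AutoSize

# Current override values from the key named in the post (blank when not set).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
    Select-Object FeatureSettingsOverride, FeatureSettingsOverrideMask
```

Recording this status table together with the two override values before and after a change gives the before/after comparison the posts describe in a form that can be diffed across machines.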