Microsoft releases update to reverse problematic Spectre patch
Click here to post a comment for Microsoft releases update to reverse problematic Spectre patch on our message forum
Noisiv
Quick recap:
https://abload.de/img/screenshot2018-01-291e3sh7.png
Protection Class (1) - Subsequently Microcode Update Fixed Processors
A microcode update is applied, which brings new CPU commands, which provide extensive Specter protection (Meltdown is rendered harmless by means of an operating system update). The same costs a bit of performance (supposedly more with older CPUs than with newer ones), but can be made available in a relatively short time by the CPU developers and motherboard manufacturers. As a disadvantage, many older CPUs (despite the technical possibility) no longer receive such a fix because their support has been discontinued.
Protection class (2) - Factory-fixed by microcode update Processors
Here again, a microcode update is scheduled, which brings new CPU commands, which provide extensive Specter protection (Meltdown is thereby harmless by means of an operating system update) . The same costs a bit of performance (supposedly less on older processors than on older ones) and is mostly already in the delivery state, which is why the CPU manufacturers then talk about "meltdown / Specter-free processors", although there are actually no changes on real hardware Level has given. But this method can be applied to every newly emerging CPU generation and will probably be realized in the same way for all upcoming CPUs.
Protection class (3) - Meltdown / Specter-free CPU architectures
RealNC
Meanwhile, it seems Linux has opted to mitigate Spectre v2 at the compiler level ("retpoline") and not use the microcode, calling Intel's microcode "crap."
On my system:
(There's no mitigation for v1 by anyone yet.)
AFAICT from the LKML posts, the retpoline method is actually faster than using the microcode. Although it gets a bit confusing for non-kernel people like me to interpret the posts, so I could be wrong.
Berke53
My system is behaving erratically so I downloaded the KB4078130 update. I appears to be a small 25 kB executable. When opening it does ablosutly nothing. There is no installer popping up or something. Is this normal? How to install it properly?
Turanis
In short:
Enable and disable Spectre Variant 2 mitigation manually
Microsoft also provides the following registry settings for user who want to enable or disable the Spectre Variant 2 without deploying KB4078130 on their systems:
To enable Variant 2: CVE 2017-5715 "Branch Target Injection":
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 1 /f
To disable Variant 2: CVE 2017-5715"Branch Target Injection":
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 1 /f
KB4078130 isn’t shipped via Windows Update, and can only be downloaded for Windows 7, 8.1, and 10 from the Update Catalog here.
Alessio1989
Good.
Hopefully Microsoft will going to use the "retpoline" soluition.
mbk1969
It is faster because you don`t need to call/read/write out-of-core facilities (like MSR) introduced in updated microcode(s).
The code of all applications you use should be recompiled for that (not only the OS apps/kernel). Linux users can do it themselves (and not only with OS apps/kernel).
Alessio1989
As is needed for Spectre v1. I do not need Spectre v1 and v2 mitigation on all my applications.
Sergio
It adds/alters 2 registry keys after executing, yes it is normal, no popups.
Go to Regedit >
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management >
And check "FeatureSettingsOverride" and "FeatureSettingsOverrideMask" there and both should be "1" after KB execute.
I tested "FeatureSettingsOverride". Changed it to "0" and executed KB exe. It changed to "1".
https://i.imgur.com/5DgPcG7.png
https://i.imgur.com/xD8W0cc.png
mbk1969
By the way, Microsoft in its article about mitigations on client Windows wrote about registry values "FeatureSettingsOverride" and "FeatureSettingsOverrideMask" both equals to "3". Taking to account your info we can assume that value "1" is a mask for Spectre mitigation, and value "2" is a mask for Meltdown mitigation.
RealNC
Only affected applications need to be recompiled. This means applications that execute third-party code inside their process space. Like web browsers, for example (they execute JavaScript.) Though browsers now seem to switch to having every tab being a separate process.
So it's mostly kernels and virtual machines that need to be recompiled.
BlueRay
So why Intel and MS didn't adopt Google's Retpoline solution which doesn't harm performance and works better?
What the hell those companies did all those months when they knew the vulnerabilities will go public but yet didn't deliver a stable fix and now we have all those problematic fixes which do more harm than good?
I opted out of those silly patches for now. I didn't flash the microcode BIOS and I don't plan to do so until I will be sure those fixes are working and do not cause issues. Not to mention the botched performance everywhere. I'm glad I didn't jump on the danger-panic wagon so soon. The fixes were rushed out very amateurishly .
mbk1969
Script engines? Office apps? Messengers? Media players? Any apps with plugins?
Just speculating.
TheDeeGee
No reboots here, then again i'm on 1703 still.
demented brave
I am still using an ivy bridge 3570k. Doesn't look like there will be much done for older CPUs. I was really considering getting a 8700k but this spectre mess along with the crazy memory prices, guess I'll probably hold out a bit longer.
RzrTrek
I uninstalled kb4056892 a few days ago (kept coming back when I restart) but thankfully this band aid mad it less painful.
RealNC
Messengers and media players don't run external code. At least I can't see why they would.
The rest are only affected if they need to sandbox the code they run. So probably the scripting interpreters of office suits need it (and I'm not sure if they need it if there's no JIT involved.) Apps with plugins don't. Plugins are unsafe by nature and don't need Spectre to become unsafe.
fOrTy_7
Great, just yesterday I updated my Win 8.1 with all the Meltdown/Spectre patches thinking they sorted out all this mess by now. Guess I was wrong.
Anyway this new 'critical' patch doesn't do $hit to my system. I had to manually add those registry keys and reboot the system.
Not working 'critical' path for a not working 'critical' patch . It's getting better and better. I'm glad I'm still on Win 8.1 and can decide when to update my system in situations like this.
waltc3
The whole thing reminds me of "net neutrality"--a complex, repressive solution in search of real and authentic problems that may or may not ever exist, but for a fact do not currently exist at all. We seem to be getting dumber these days.
Rich_Guy
Nothing to do with this one https://support.microsoft.com/en-us/help/4056897/windows-7-update-kb4056897 ?, as ive got this one on, and all fine.
EDIT: Ahh, its for those who who experience restart/reboot problems.
JamesSneed
Disagree on your analogy. Net neutrality may be trying to fix something that doesn't exist but many of the issues will exist, it's not an IF its just WHEN since so many ISP's have consolidated over the last decade. We all have seen it over and over companies consolidate to a point they can no longer buy the other guy since all that is left is a few giant companies. So they try to find ways for growth since stockholders demand it and bam you start seeing all sorts of shenanigans.
