Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET

Intel's Spectre Variant 4 Microcode Update Off by Default

In this Ask the Admin, I look at Spectre Variant 4 and whether it will affect performance as its distributed over the coming weeks.



Sponsored Content

Say Goodbye to Traditional PC Lifecycle Management

Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.

Unless you’ve been hiding under a rock since January, you probably know about the Spectre and Meltdown vulnerabilities that were made public at the beginning of 2018. Spectre and Meltdown could allow a malicious program to access protected memory using speculative execution and caching, two techniques that improve the performance of modern processors. Spectre and Meltdown are both forms of side-channel attack where a malicious program establishes the location of data in the CPU cache.

Microsoft issued patches for CVE-2017-5753 (Spectre Bounds Check Bypass – Variant 1), CVE-2017-5715 (Spectre Branch Target Injection – Variant 2), and CVE-2017-5754 (Meltdown Rogue Data Cache Load – Variant 3) in January’s round of cumulative updates for Windows. For complete protection against the three vulnerabilities listed above, a microcode update from Intel also needs to be applied.

The January updates protect against three specific ways of exploiting the Spectre and Meltdown vulnerabilities. But last month, Google Project Zero made public a new way to exploit Spectre. Intel has dubbed the new threat as a Speculative Store Bypass (SSB). Or Spectre Variant 4. It has been assigned a Common Vulnerability and Exposures (CVE) number: CVE-2018-3639. Additionally, another vulnerability has been identified. Rogue System Register Read (RSRR), or Spectre Variant 3a (CVE-2018-3640) as it’s also known. Although, this one is thought to be less serious than Spectre Variant 4.

According to Intel, “Most leading browser providers have recently deployed mitigations in their Managed Runtimes — mitigations that substantially increase the difficulty of exploiting side channels in a modern web browser. These techniques would likewise increase the difficulty of exploiting a side channel in a browser based on SSB.”

So, these new vulnerabilities are less likely to be a problem if your operating system and browsers are running the latest versions and patches.

Intel Microcode Updates

Nevertheless, Intel has distributed beta microcode updates to hardware manufacturers to protect against both SSB and RSRR. One side effect of the fixes is that it will impact performance by up to eight percent. According to Intel executive vice president Leslie Culbertson, “If enabled, we’ve observed a performance impact of approximately two to eight percent based on overall scores for benchmarks like SYSmark® 2014 SE and SPEC integer rate on client and server test systems”.

Because existing browser patches for Spectre Variant 1 help protect against Variant 4, Intel plans to ship the fixes for Spectre Variant 3a and 4 ‘turned-off’ by default because the risk is deemed to be low. Intel and AMD are recommending leaving the mitigations for these vulnerabilities disabled. But if an OEM or use chooses to enable them, a performance hit can be expected.

Unless the advice from Intel, or other chip manufacturers changes, I recommend leaving the fixes disabled. But a risk assessment should be performed for each device to establish whether the performance tradeoff might be worth taking to get the extra protection that will come with the updated microcode.

In this Ask the Admin, I looked at the risk associated with the Spectre Variant 3a and 4 exploits and how existing patches already provide some protection.

Follow Russell on Twitter @smithrussell.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
Live Webinar: Active Directory Security: What Needs Immediate Priority!Live on Tuesday, October 12th at 1 PM ET

Attacks on Active Directory are at an all-time high. Companies that are not taking heed are being punished, both monetarily and with loss of production.

In this webinar, you will learn:

  • How to prioritize vulnerability management
  • What attackers are leveraging to breach organizations
  • Where Active Directory security needs immediate attention
  • Overall strategy to secure your environment and keep it secured

Sponsored by: