Info Meltdown and Spectre Vulnerabilities Information


Isaiah4110



Microsoft released a slew of "one-off" or "off schedule" patches yesterday (one for each currently supported OS revision it seems) to fix this issue. You can kind of get the feel for the patch numbers by looking at a few of them. For example:


  • Windows 8.1 gets patch KB4056898
  • Windows 10 update 1607 gets patch KB4056890
  • Windows 10 update 1703 gets patch KB4056891
  • Windows 10 update 1709 gets patch KB4056892
 

YoAndy



I have been reading a lot today and talking to colleagues and trying to understand what's happening (everyone is talking about it). Spectre is way more widespread than what people think; it is actually affecting CPUs from AMD, Intel, and even ARM chips on mobile devices, and if we want to completely get rid of it, it's a far more serious problem that will likely need wholly redesigned processors to fix in future hardware generations. Normal flaws in the designs of microprocessors, which go through rigorous testing and verification, are usually easily fixed by patches in the code that they use to communicate with the rest of the computer. In the end, even after some people cry about it, we all know that Intel's microprocessors are the fundamental building block of the internet, corporate networks and PCs. Programmers have been working for two months to try to patch the flaw in the open-source Linux system, adding that Microsoft was expected to release a patch for the issue soon. This mess affects everyone, and only blaming Intel for it is nuts.
 


Yes, you are correct that the other problems affect the others (AMD, ARM-based designs and even IBM's Power) as well, although in different capacities (AFAIK, less dangerously than Intel). Blaming Intel, although not correct, I just see it as Karma or payback. I can tell you I am angry, because it triggers a lot of extra things we all need to do, but it's just part of finding vulnerabilities anyway, but that anger is fueled by the attitude. So, I can openly admit I am enjoying Intel getting flak because of this. In a simple way to say it: they deserve it. I just feel annoyed this affects the good engineers and not the higher management. Even more, the CEO that should be paying for this, already died!

Cheers!
 

juanrga



In the first place, this reply completely ignores the point made by YoAndy. He wrote a criticism about the massive FUD and LIES campaign orchestrated this week around this security flaw. Most of what has been published in the media was plain wrong: from the LIE that this was an issue only affecting Intel (it was named the "Intel bug" by some media) to the LIE that all Intel users would see massive reductions in performance once the patch was applied. Linus Torvalds' rants about Intel are irrelevant to this first point.

In the second place, Linus is oversimplifying. If you read the whole thread you can find replies to his post. From the "It's not that simple" of Paolo to the message by Pavel mentioning how the "*competent* CPU engineer fix" that Linus discusses wouldn't be enough to fix the issue, because this stuff is more complex than Linus believes.

I find it very interesting that lots of news sites are reporting what Linus said, but no one is reporting what developers wrote in reply to him. I guess the reason is point 1 above: the massive FUD and LIES campaign.
 

juanrga

Not only are consumers almost not being impacted by performance losses. Datacenters also seem almost unaffected, according to Google and Microsoft.

There has been speculation that the deployment of KPTI causes significant performance slowdowns. Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.

The majority of Azure customers should not see a noticeable performance impact with this update. We’ve worked to optimize the CPU and disk I/O path and are not seeing noticeable performance impact after the fix has been applied. A small set of customers may experience some networking performance impact. This can be addressed by turning on Azure Accelerated Networking (Windows, Linux), which is a free capability available to all Azure customers. We will continue to monitor performance closely and address customer feedback.
 

juanrga



So branch prediction is only disabled on AMD CPUs.
 

goldstone77



Only parts of it are disabled, not all of it.
 

YoAndy

Everyone (from Intel to Apple to Amazon to AMD) is working together trying to fix this problem, but we always have the crazy media and those good old fans speaking nonsense and twisting the situation. Stay calm... soon to be history.

Intel and AMD both said that Google told the companies about the threats last summer. “Intel is committed to responsible disclosure. In this case, the security researchers presented their findings in confidence, and we and other companies worked together to verify their results, develop and validate firmware and operating system updates for impacted technologies, and make them widely available as rapidly as possible,” the company said in a blog post Wednesday.

Intel also played down concerns about slowed performance because of the updates, noting that for the “average computer user,” the impact should not be significant and will lessen over time. “Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available,” the company said.

On Thursday, Apple confirmed that all Mac systems and iOS devices are affected, but that no known exploits have impacted its customers. In a post on its website, Apple said updates to its operating systems for iPhones (iOS 11.2), Macs (macOS 10.13.2), and Apple TVs (tvOS 11.2) would defend against Meltdown. The company said it will soon release a new version of its Safari web browser to protect customers against Spectre. Further updates of iOS, macOS, tvOS, and watchOS will be released to limit the threat of the vulnerabilities, Apple said.

Microsoft said in a statement Thursday that it is not aware of any of these vulnerabilities being used against its customers. “We are in the process of deploying mitigations to cloud services and released security updates on January 3 to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, Arm, and AMD,” the company said.

Google said in a blog post Wednesday that its popular web browser Chrome, its cloud services and other applications have been or will soon be updated to protect against the newly disclosed vulnerabilities.

Amazon said Wednesday in a blog post that “all but a small single-digit percentage of instances” of its EC2 systems, a service under its cloud computing platform, had already been protected, and urged customers to patch their operating systems using available updates. The founder and chief executive of Amazon.com, Jeffrey P. Bezos, also owns The Washington Post.

The Switch
Apple says Spectre and Meltdown vulnerabilities affect all Mac and iOS devices: https://www.washingtonpost.com/news/the-switch/wp/2018/01/04/tech-companies-work-to-patch-major-computer-vulnerabilities-meltdown-and-spectre/?utm_term=.ccfb221a6072
 

goldstone77



YoAndy, what you need to do is start reading from the OP I made, and all subsequent posts, to get caught up on the thread. Especially read the PDFs on the attacks, so you understand what they are and how they are implemented. I already posted a link to all the statements made here: http://www.tomshardware.com/forum/id-3609004/cpu-security-vulnerabilities-information/page-2.html#20559997
But I will link again here:
https://www.bleepingcomputer.com/news/security/list-of-meltdown-and-spectre-vulnerability-advisories-patches-and-updates/
 

juanrga



The patch is pretty clear: "This new firmware disables branch prediction on AMD family 17h processor"

So it disables branch prediction, not parts of it.
 

goldstone77



I think you're taking the statement too literally. To completely disable it would cause a serious impact on performance.

Edit: To test this theory ask anyone who has the windows 10 patch installed on a Ryzen system.
 

goldstone77

Performance impact of Windows patch and BIOS update (0606) on i7-8700 on ASUS PRIME Z370-A motherboard using Realbench 2.56.
https://np.reddit.com/r/pcmasterrace/comments/7obokl/performance_impact_of_windows_patch_and_bios/

Here are some benchmarks from a reddit post!
 


It is really not clear what they actually did.

I went through the whole list of changes in the Kernels and I found this:

- x86/CPU/AMD: Add speculative control support for AMD (bsc#1068032).
- x86/CPU/AMD: Make the LFENCE instruction serialized (bsc#1068032).
- x86/CPU/AMD: Remove now unused definition of MFENCE_RDTSC feature (bsc#1068032).
- x86/CPU: Check speculation control CPUID bit (bsc#1068032).
- x86/enter: Add macros to set/clear IBRS and set IBPB (bsc#1068032).
- x86/entry: Add a function to overwrite the RSB (bsc#1068032).
- x86/entry: Stuff RSB for entry to kernel for non-SMEP platform (bsc#1068032).
- x86/entry: Use IBRS on entry to kernel space (bsc#1068032).
- x86/feature: Enable the x86 feature to control Speculation (bsc#1068032).

Juan is right: they outright say they disabled the branch predictor (indirect? are there 2 types in Zen?), but the actual details in the kernel changes list do not say that explicitly. Quite the contrary: they added speculative control support for AMD. Is that basically to allow programs to know if they can use it or not?

Cheers!
 

goldstone77

Amazon AWS customers see slowdown after Meltdown patch
By Paul Hill · 7 hours ago

Amazon’s AWS customers have noticed that since the Meltdown patch was rolled out in December there has been an increase in CPU utilisation by their EC2 virtual machines. Customers are unhappy because it’s forcing them to choose between optimising their application code or to move to more powerful hardware to compensate for the slowdown.

Responding to criticisms from customers, an Amazon employee said:

“The update that is being applied to a portion of EC2 instances can, in some corner cases, require additional CPU resources … For some time we have recommended that customers use our latest generation instances with HVM AMIs to get the best performance from EC2. If moving to a HVM based AMI is not easy, changing your instance size to m3.medium, which provides more compute than m1.medium at a lower price may be a workaround.”
 


If that's the case, then why did AMD release a statement saying they had disabled branch prediction on all 17h family processors? That's Zen, not Bulldozer, Piledriver or Excavator.
 


Not that I agree with half of his posts here, maybe more, but in this I have to agree. I take it that way too. So do a great many others with WAY more engineering knowledge than you or I have. Until and unless I see something saying otherwise, I'm assuming the statement saying "disable branch prediction" means exactly that.

I'm also not sure, and somebody who IS can feel free to correct me if I'm wrong, that patching Windows has anything to do with the actual disablement of branch prediction. Unless I'm mistaken this is something that would have to be done via microcode OR maybe through the chipset driver framework itself.

I guess it would also matter whether we are talking about software or hardware branch prediction that has been disabled and to be honest I'm not sure I've seen any statements indicating specifically one or the other. I might have missed some points to this effect though, I'm not claiming to have read every article or post on the current subject, just trying to better understand.

 

goldstone77

Speculative Execution Exploit Performance Impacts - Describing the performance impacts to security patches for CVE-2017-5754 CVE-2017-5753 and CVE-2017-5715
Updated Yesterday at 11:23 PM

https://access.redhat.com/articles/3307751
Red Hat has tested complete solutions, including updated kernels and updated microcode, on variants of the following modern high volume Intel systems: Haswell, Broadwell, and Skylake. In each instance, there is performance impact caused by the additional overhead required for security hardening in user-to-kernel and kernel-to-user transitions. The impact varies with workload and hardware implementation and configuration. As is typical with performance, the impact can be best characterized by sharing a range between 1-20% for the ISB set of application workloads tested.

In order to provide more detail, Red Hat’s performance team has categorized the performance results for Red Hat Enterprise Linux 7, (with similar behavior on Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 5), on a wide variety of benchmarks based on performance impact:

Measurable: 8-19% - Highly cached random memory, with buffered I/O, OLTP database workloads, and benchmarks with high kernel-to-user space transitions are impacted between 8-19%. Examples include OLTP Workloads (tpc), sysbench, pgbench, netperf (< 256 byte), and fio (random I/O to NVMe).

Modest: 3-7% - Database analytics, Decision Support System (DSS), and Java VMs are impacted less than the “Measurable” category. These applications may have significant sequential disk or network traffic, but kernel/device drivers are able to aggregate requests to moderate level of kernel-to-user transitions. Examples include SPECjbb2005, Queries/Hour and overall analytic timing (sec).

Small: 2-5% - HPC (High Performance Computing) CPU-intensive workloads are affected the least with only 2-5% performance impact because jobs run mostly in user space and are scheduled using cpu-pinning or numa-control. Examples include Linpack NxN on x86 and SPECcpu2006.

Minimal: Linux accelerator technologies that generally bypass the kernel in favor of user direct access are the least affected, with less than 2% overhead measured. Examples tested include DPDK (VsPERF at 64 byte) and OpenOnload (STAC-N). Userspace accesses to VDSO like get-time-of-day are not impacted. We expect similar minimal impact for other offloads.

NOTE: Because microbenchmarks like netperf/uperf, iozone, and fio are designed to stress a specific hardware component or operation, their results are not generally representative of customer workload. Some microbenchmarks have shown a larger performance impact, related to the specific area they stress.
 

goldstone77


Looking at Yuka's post, I think it will lead to the answers, but I'm not a programmer and couldn't tell you, though you might be able to ask someone with more knowledge:
It is really not clear what they actually did.

I went through the whole list of changes in the Kernels and I found this:

- x86/CPU/AMD: Add speculative control support for AMD (bsc#1068032).
- x86/CPU/AMD: Make the LFENCE instruction serialized (bsc#1068032).
- x86/CPU/AMD: Remove now unused definition of MFENCE_RDTSC feature (bsc#1068032).
- x86/CPU: Check speculation control CPUID bit (bsc#1068032).
- x86/enter: Add macros to set/clear IBRS and set IBPB (bsc#1068032).
- x86/entry: Add a function to overwrite the RSB (bsc#1068032).
- x86/entry: Stuff RSB for entry to kernel for non-SMEP platform (bsc#1068032).
- x86/entry: Use IBRS on entry to kernel space (bsc#1068032).
- x86/feature: Enable the x86 feature to control Speculation (bsc#1068032).

Juan is right: they outright say they disabled the branch predictor (indirect? are there 2 types in Zen?), but the actual details in the kernel changes list do not say that explicitly. Quite the contrary: they added speculative control support for AMD. Is that basically to allow programs to know if they can use it or not?

Cheers!
http://www.tomshardware.com/forum/id-3609004/cpu-security-vulnerabilities-information/page-2.html#20562226

For Intel I know there is both an OS software patch and a motherboard BIOS update.

Microsoft releases PowerShell script to check if your PC is vulnerable to Meltdown and Spectre
By Mark Wycislik-Wilson · Published 12 hours ago

https://betanews.com/2018/01/05/microsoft-powershell-meltdown-spectre-script/
In a support article, Microsoft offers the reassurance that it is unaware of any instance of the chip vulnerabilities being used to attack customers. The firm points out that it has already released a patch, and says that it is working with other companies to offer further protection to people. In the meantime, Microsoft offers a three-point protection plan:

  • Verify that you are running a supported antivirus application before you install OS or firmware updates. Contact the antivirus software vendor for compatibility information.
  • Apply all available Windows operating system updates, including the January 2018 Windows security updates.
  • Apply the applicable firmware update that is provided by the device manufacturer.

On top of this, the company has also produced a PowerShell script that checks whether your PC is vulnerable. Use the following steps to install and run the test.

  1. Press the Windows key and type PowerShell.
  2. Right click the PowerShell shortcut and select Run as Administrator.
  3. Type Install-Module SpeculationControl and press Enter.
  4. If you are prompted to install the NuGet provider, type Y and press Enter, and repeat if you are warned about installing from an untrusted repository.
  5. With the installation complete, type Import-Module SpeculationControl and press Enter.
  6. Type Get-SpeculationControlSettings and press Enter.

In the list of results that's displayed, you're looking to see that a series of protections are enabled -- this will be listed as True. Microsoft explains that the ideal set of results looks like this:

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: True

Windows OS support for branch target injection mitigation is present: True

Windows OS support for branch target injection mitigation is enabled: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True

Windows OS support for kernel VA shadow is present: True

Windows OS support for kernel VA shadow is enabled: True

Windows OS support for PCID optimization is enabled: True

I'm not 100% sure about AMD processors. I personally am running three Intel machines at home.
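
Added example, not part of the original post and not Microsoft's script: a small Python parser for saved Get-SpeculationControlSettings text output, in the format quoted above, that reports every setting differing from the quoted ideal. The sample report is constructed, and treating "Hardware requires kernel VA shadowing: False" as "this CPU does not need the CVE-2017-5754 mitigation" is an assumption of this example.

```python
import re

BTI, KVA = "CVE-2017-5715", "CVE-2017-5754"
KVA_REQUIRED = "Hardware requires kernel VA shadowing"
# Settings the quoted article lists as True in the ideal result.
IDEAL = {
    BTI: ["Hardware support for branch target injection mitigation is present",
          "Windows OS support for branch target injection mitigation is present",
          "Windows OS support for branch target injection mitigation is enabled"],
    KVA: [KVA_REQUIRED,
          "Windows OS support for kernel VA shadow is present",
          "Windows OS support for kernel VA shadow is enabled",
          "Windows OS support for PCID optimization is enabled"],
}
HEADER = re.compile(r"^Speculation control settings for (CVE-\d{4}-\d+)\b")
SETTING = re.compile(r"^(.+?):\s*(True|False)$")

# Constructed sample (not captured from a real host): the OS update is
# installed but the firmware/microcode update is still missing.
SAMPLE = """\
Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID optimization is enabled: True
"""

def parse_report(text):
    """Return {cve: {setting: bool}} parsed from the saved text output."""
    report, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER.match(line)
        if header:
            current = report.setdefault(header.group(1), {})
            continue
        setting = SETTING.match(line)
        if setting and current is not None:
            current[setting.group(1)] = setting.group(2) == "True"
    return report

def deviations(report):
    """List (cve, setting, found) where found is not True; None means missing."""
    out = []
    for cve, names in IDEAL.items():
        got = report.get(cve, {})
        # Assumption: an explicit False here means the mitigation is not needed.
        if cve == KVA and got.get(KVA_REQUIRED) is False:
            continue
        out += [(cve, n, got.get(n)) for n in names if got.get(n) is not True]
    return out

if __name__ == "__main__":
    for cve, name, found in deviations(parse_report(SAMPLE)):
        print(f"{cve}: {name} -> {found}")
```
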
 

goldstone77

https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in
Warning

Customers who only install the Windows January 2018 security updates will not receive the benefit of all known protections against the vulnerabilities. In addition to installing the January security updates, a processor microcode, or firmware, update is required. This should be available through your device manufacturer.


Note Surface customers will receive a microcode update via Windows update.
 

goldstone77



Yeah, I wonder how many processors older than Skylake will receive microcode updates?
 


I think Intel said they are providing Microcode updates to all processors back to 2011's Sandy Bridge. Now whether the motherboard vendors will provide these updates in their BIOSes for older boards is an open question.
 