Microsoft released several updates for Windows with Intel microcode updates on August 14. A new revision of the Microsoft Security Advisory Notification for ADV180018 was published on August 24. Here is the notification from Microsoft, followed by an addendum with notes from me.
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: August 24, 2018
********************************************************************
Security Advisories Released or Updated on August 24, 2018
===================================================
* Microsoft Security Advisory ADV180018
– Title: Microsoft guidance to mitigate L1TF variant
– ADV180018
– Reason for Revision: Microsoft is announcing the availability of
Intel-validated microcode updates for Windows 10 operating
systems. Please see Microsoft Knowledge Base Article 4093836
(https://support.microsoft.com/en-us/help/4093836) for the
current Intel microcode updates.
– Originally posted: August 14, 2018
– Updated: August 24, 2018
– Version: 2.0
Warning: Microsoft's FAQ advice is wrong!
Microsoft Security Advisory ADV180018 also contains a section '2. How do I enable the mitigation for CVE-2017-5754', which states:
To enable protection for CVE-2017-5715 and CVE 2017-5754:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Restart the computer for the changes to take effect.
The article 'Windows Server guidance to protect against speculative execution side-channel vulnerabilities' also contains these registry settings.
Karl Wester-Ebbinghaus, a reader of my German blog (and a consultant in the Windows area), pointed out in a comment there that Microsoft's advice is simply wrong. He wrote: This [the registry entries given above] leads to the deactivation of Microsoft's protection measures against SpectreNG v4 (SSB). Karl then pointed out that the correct registry settings for servers and clients (AMD and Intel) are:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
And for Hyper-V:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
So please note the amended values.
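To check which of the two value pairs a machine currently has, the following read-only PowerShell audit can be used. It is an added example, not part of Microsoft's advisory or Karl's comment; the function names Get-RegValue and Get-OverrideVerdict are made up for this example, and the verdict texts simply restate what this post says about 0/3 versus 8/3.

```powershell
# Added example: read-only audit of the registry values discussed in this post.
# It changes nothing; Get-RegValue and Get-OverrideVerdict are hypothetical helper names.
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$hv = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-OverrideVerdict {
    param($Override, $Mask)
    # Verdicts follow the post: 8 / 3 is the corrected pair, 0 / 3 is the advisory's FAQ pair.
    if ($null -eq $Override -or $null -eq $Mask) {
        return 'NOT SET: one or both values are missing'
    }
    if ($Override -eq 8 -and $Mask -eq 3) {
        return 'OK: matches the corrected values (8 / 3)'
    }
    if ($Override -eq 0 -and $Mask -eq 3) {
        return 'REVIEW: advisory FAQ values (0 / 3); per this post, SSB protection is not active'
    }
    return "REVIEW: unexpected pair ($Override / $Mask); compare with Microsoft's current guidance"
}

$override = Get-RegValue -Path $mm -Name 'FeatureSettingsOverride'
$mask     = Get-RegValue -Path $mm -Name 'FeatureSettingsOverrideMask'
$minVm    = Get-RegValue -Path $hv -Name 'MinVmVersionForCpuBasedMitigations'
$minVmText = if ($null -eq $minVm) { 'not set' } else { $minVm }

# One object per machine, so the output can be piped to Export-Csv or Format-List.
[pscustomobject]@{
    Computer                    = $env:COMPUTERNAME
    FeatureSettingsOverride     = $override
    FeatureSettingsOverrideMask = $mask
    Verdict                     = Get-OverrideVerdict -Override $override -Mask $mask
    HyperVMinVmVersion          = $minVmText
}
```

The registry only shows what is configured; as the advisory says, a restart is needed before a changed value takes effect.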
Similar articles:
Microsoft: Issues with Updates KB4456688/KB4100347?
Intel Microcode Updates KB4346084, KB4346085, KB4346086, KB4346087, KB4346088 (August 20/21, 2018)
Should these registry settings be configured on virtual, physical, or both?