Security Advisory-Update ADV180018

On August 14, Microsoft released several updates for Windows containing Intel microcode updates. Now a revision of the Microsoft Security Advisory Notification for ADV180018 was published on August 24. Here is the notification from Microsoft, followed by an addendum with notes from me.


********************************************************************
Title: Microsoft Security Advisory Notification
Issued: August 24, 2018
********************************************************************

Security Advisories Released or Updated on August 24, 2018
===================================================

* Microsoft Security Advisory ADV180018

– Title: Microsoft guidance to mitigate L1TF variant
ADV180018
– Reason for Revision: Microsoft is announcing the availability of
Intel-validated microcode updates for Windows 10 operating
systems. Please see Microsoft Knowledge Base Article 4093836
(https://support.microsoft.com/en-us/help/4093836) for the
current Intel microcode updates.
– Originally posted: August 14, 2018
– Updated: August 24, 2018
– Version: 2.0

Warning: Microsoft's FAQ advice is wrong!

The Microsoft Security Advisory ADV180018 also contains a section '2. How do I enable the mitigation for CVE-2017-5754', where Microsoft writes:


To enable protection for CVE-2017-5715 and CVE 2017-5754:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

The article "Windows Server guidance to protect against speculative execution side-channel vulnerabilities" also contains these registry settings.

German blog reader Karl Wester-Ebbinghaus (a consultant in the Windows area) pointed out in a comment on my German blog that Microsoft's advice is simply wrong. He wrote in this comment: This [the registry entries given above] leads to the deactivation of Microsoft's protection measures against SpectreNG v4 (SSB). Karl then pointed out that the correct registry settings for servers and clients (AMD and Intel) are:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

And for Hyper-V:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

So please note the amended values.
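
To see what a machine currently has configured, the following added example (not part of Microsoft's advisory or of Karl's comment) reads the registry values named above and compares them with the amended values given in this post. The function name Test-MitigationSettings and the status labels are assumptions made for this example; the Hyper-V value is only checked when requested.

```powershell
# Added example: audit the mitigation registry values discussed in this post.
# Expected values are the amended ones given above (8 / 3 / "1.0").
# Test-MitigationSettings is a hypothetical helper name, not a Microsoft cmdlet.
function Test-MitigationSettings {
    [CmdletBinding()]
    param(
        # Use on Hyper-V hosts to also check MinVmVersionForCpuBasedMitigations
        [switch]$IncludeHyperV
    )

    $mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $hv = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

    $checks = @(
        @{ Path = $mm; Name = 'FeatureSettingsOverride';     Expected = 8 }
        @{ Path = $mm; Name = 'FeatureSettingsOverrideMask'; Expected = 3 }
    )
    if ($IncludeHyperV) {
        $checks += @{ Path = $hv; Name = 'MinVmVersionForCpuBasedMitigations'; Expected = '1.0' }
    }

    foreach ($c in $checks) {
        # A missing key or value yields $null instead of a terminating error
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }

        $status = if ($null -eq $actual) {
            'Missing'
        } elseif ($actual -eq $c.Expected) {
            'OK'
        } elseif ($c.Name -eq 'FeatureSettingsOverride' -and $actual -eq 0) {
            'FAQ value (0)'   # the value from Microsoft's FAQ that this post warns about
        } else {
            'Differs'
        }

        [pscustomobject]@{
            Name     = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

# Read-only check; add -IncludeHyperV on Hyper-V hosts
Test-MitigationSettings | Format-Table -AutoSize
```

The check only reads the registry; a changed value still requires the restart mentioned above before it takes effect.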

Similar articles:
Microsoft: Issues with Updates KB4456688/KB4100347?
Intel Microcode Updates KB4346084, KB4346085, KB4346086, KB4346087, KB4346088 (August 20/21, 2018)



One Response to Security Advisory-Update ADV180018

  1. Erik says:

    Should these registry settings be configured on virtual, physical, or both?
