USB Intel Microcode Boot Loader for Spectre mitigation

Intel offers a Microcode Boot Loader that creates a bootable USB stick. It automatically applies the latest Intel microcode to the identified CPU during boot. This should protect the system from Spectre vulnerabilities.



A few days ago I came across this article at Bleeping-Computer. Spectre is a side-channel attack technique that abuses the CPU of a computer (Intel, AMD, etc.) to obtain data from processes. Although Intel has released microcode updates that patch Intel CPUs, most board vendors don't provide BIOS/UEFI firmware updates.

Microcode update available, how to apply?

After Intel released microcode updates, these updates need to be installed via UEFI/BIOS updates. This is where the board manufacturers come into play. Many board manufacturers never released such firmware updates. But another approach is to load the microcode updates when booting the operating system. For users of Windows 10 and Windows Server 2016, Microsoft has automatically distributed these microcode updates as Windows updates. The microcode update is loaded during system boot.

Bleeping Computer writes that older operating systems, and therefore the CPUs they run on, have not been provided with this update. But this is not quite true in my eyes – at least in my blog post Patchday: Updates for Windows 7/8.1/Server (August 14, 2018) I described updates for Windows 7 SP1/Windows 8.1 and the corresponding Server versions that patch against Spectre variants. However, only certain CPU types are supported.

The Intel Microcode Boot Loader should fix it

But if someone wants to be on the safe side with different CPUs: That's where the Intel Microcode Boot Loader from Eran "Regeneration" Badit may help. The tool uses the Intel BIOS Implementation Test Suite (BITS) and the Syslinux Bootloader to automatically detect and apply the latest microcodes to an Intel processor. The tool also includes all known microcode updates for various CPU models. This makes it possible to protect computers with old processors against Spectre attacks.

(Source: YouTube)



The video above shows the operation. A USB stick needs to be created with the tool. This USB stick is used to boot the computer at every startup. The microcode updates matching the CPU are then loaded. Afterward, the actual operating system is booted, which is then protected against Spectre.
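The selection step that such a loader automates (find the newest microcode update that matches the detected CPU) can be sketched as follows. This is an added example, not code from the Intel Microcode Boot Loader or BITS; it relies on the 48-byte update header layout documented in Intel's Software Developer's Manual, ignores the optional extended signature table, and all function names and sample values are constructed for illustration.

```python
import struct

# 48-byte Intel microcode update header: nine little-endian dwords + 12 reserved bytes.
HEADER = struct.Struct("<9I12x")

def parse_update(blob):
    """Return the header fields of one update, or None if validation fails."""
    if len(blob) < HEADER.size:
        return None
    hdr_ver, rev, date, sig, _ck, _ldr, pf, data_size, total_size = HEADER.unpack_from(blob)
    total = total_size if data_size else 2048  # data_size 0 = legacy 2048-byte update
    if hdr_ver != 1 or total < HEADER.size or total % 4 or len(blob) < total:
        return None
    # Integrity check: all dwords of the update sum to zero modulo 2**32.
    if sum(struct.unpack_from("<%dI" % (total // 4), blob)) & 0xFFFFFFFF:
        return None
    return {"revision": rev, "signature": sig, "platform_mask": pf, "date_bcd": date}

def select_update(blobs, cpu_signature, platform_id, current_revision):
    """Pick the newest valid update for this CPU, or None if nothing newer fits."""
    best = None
    for blob in blobs:
        upd = parse_update(blob)
        if upd is None or upd["signature"] != cpu_signature:
            continue  # corrupt file, or built for a different CPUID signature
        if not upd["platform_mask"] & (1 << platform_id):
            continue  # not valid for this platform ID
        if upd["revision"] <= current_revision:
            continue  # never downgrade or reload the same revision
        if best is None or upd["revision"] > best["revision"]:
            best = upd
    return best

def make_update(rev, sig, pf, date=0x08072018):
    """Build a constructed test update (zero payload) with a valid checksum."""
    body = HEADER.pack(1, rev, date, sig, 0, 1, pf, 2000, 2048) + bytes(2000)
    cksum = -sum(struct.unpack("<512I", body)) & 0xFFFFFFFF
    return body[:16] + struct.pack("<I", cksum) + body[20:]

if __name__ == "__main__":
    SIG = 0x000906EA  # constructed sample CPUID signature
    files = [make_update(0x84, SIG, 0x22), make_update(0x96, SIG, 0x22),
             make_update(0xC6, 0x000506E3, 0x36)]
    chosen = select_update(files, SIG, platform_id=1, current_revision=0x70)
    print("apply revision", hex(chosen["revision"]) if chosen else None)
```

The checksum and signature checks are what keep a damaged or mismatched file on the stick from being offered to the CPU; a file that fails either is skipped rather than applied.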

My two cents

At first glance, the approach looks tremendous – a USB stick and your systems are protected. But there are risks: A USB medium has to be used on every machine start. The boot sequence has to be changed so that Syslinux can boot from the USB stick in order to install the microcode updates and start the actual operating system. But this opens another attack vector. If a user accidentally inserts another USB stick into the machine, it may boot from this medium. If the USB stick is 'infected with a boot virus', an infection occurs. Admittedly: Somewhat unlikely, but never excluded. In addition, it seems that we discuss theoretical threat scenarios at a 'high level' with regard to Meltdown and Spectre, while the actual attacks take place via 'typically for 100 days unpatched flash and other vulnerabilities' or social engineering. So I don't see the need for consumer systems to be protected in that way against Spectre. Or what do you think about this topic?

