Unless you are living under-the-rock for the past week or two, nobody in the tech world who does not know about the cpu.fail bug, the microprocessor flaws that were revealed by the same group of researchers who discovered last year’s Spectre and Meltdown exploits. The operating system is the interface that serves as the middleman for how the users interact with the device’s hardware, and at the center of the huge patching, cycle to secure Intel-based processors. It is no longer “optional” for users, whether personal computer users or corporate computer users to deliberately “delay” the installation of mitigation MDS (Microarchitectural Data Sampling) updates.
Mitigation is the keyword since no software can fix a flaw in hardware. Intel admitted that all their processors with advanced Speculative Execution feature (basically all their processors released since 2011) are affected. As the company is gearing up to releasing microcode updates (a firmware patch which runs after the UEFI, but before the operating system loads). Users and system administrators had a habit of delaying Windows Updates, due to the annoyance of the machine restarting on its own to install the patches. Unless the machine is based-on an AMD processor, the rival of Intel which produces x64 processors that are not affected by MDS bug, there is no valid reason for an Intel-based machine to evade the microcode updates.
The researchers coined a term for one of the 4 MDS bugs, now known as Zombieload, as it basically “resurrect” previously processed data inside the processor, extract it from its buffers and the attackers can send it back to them. These “resurrected data” can be a useless blob of bytes, a Microsoft Office document containing corporate information or even decryption keys for a system that uses encryption for privacy. This is similar to last year’s Intel-only Meltdown bug, where the data were extracted from the on-die cache. But it is the first time that researchers demonstrated that the “raw data” that the processor is currently being processed can be retrieved later, as Intel processors’ Speculative Execution is flawed.
Speculative Execution makes the processor “guess” with a high degree of probability the next data and instructions that need to be executed. With that requirement, the “raw data” is fed into its buffers inside the processor’s core (which is many times much faster than Level 1 cache itself), with the right tools that exploits the processor, the same “raw data” whatever it contains can be extracted by the attackers remotely in combination with other malware attack, like installation of RAT (Remote Access Trojan).
Coincidentally, the annoyance of Windows Update will be over soon, as Microsoft is preparing its next round of Windows 10 Feature Update. Tentatively called the build 1903, Windows 10 will provide users the capability to choose to defer updates as long as it provides the enterprise users of Windows. Windows 10 1903 will continue to implement Windows Auto-updates, but the users may choose to suppress it for the next 15 days, up to the maximum of 30-days.
Intel is also providing enough warning to users that the Intel microcode mitigation updates may cause the slower performance of the machine as much as 9%. While Apple, upon their initial checks warns its users that as part of the mitigation procedure, Intel’s Hyperthreading technology will be disabled, hence an expected 40% of performance penalty is possible. The decision to fully implement the mitigation belongs to the users if they wish to be secure, yet the performance will be penalized or a certain level of risks but with the expected performance of the processor.
The bottom line, the decision falls on the users if they wish full mitigation or not. Prior to MDS, and even prior to Spectre and Meltdown – users of the operating system made similar decisions. To be updated or not, with varying degrees of risks involved. Microsoft and the rest of the operating system vendors are expecting their users to make the right choice, for themselves and for their respective enterprise.