How to update your Spectre, Meltdown mitigations for the Retpoline mitigation

Intel recently released a new mitigation for Spectre and Meltdown and some of their variants. Called Retpoline, it might not be enabled after the Windows 10 1809 update. Here's how to find out whether it is, and how to enable it.

The Spectre and Meltdown vulnerabilities discovered in January 2018 showed that weaknesses in CPUs were a potential attack vector: they allow a rogue process to read memory it is not authorized to access. Patches were rolled out along with BIOS updates from the manufacturers, but they came with a costly side effect: they degraded performance, especially on systems with older CPUs. Microsoft enabled the protections by default on workstations, but not on server platforms.

Intel came up with a new methodology called “Retpoline.” The mitigation technique “is resistant to exploitation and has attractive performance properties compared to other mitigations.” In the May 14, 2019 (and later) updates for Windows 10 1809 and Server 2019 (and newer), Retpoline is enabled by default on supported devices. As Microsoft notes, the new patching, with its smaller performance impact, is enabled only if the following conditions are met:

  • Spectre, variant 2 (CVE-2017-5715) mitigation is enabled.
      • For client SKUs, the Spectre variant 2 mitigation is enabled by default.
      • For server SKUs, the Spectre variant 2 mitigation is disabled by default. To realize the benefits of Retpoline, admins can enable it on servers by following Microsoft's guidance.
  • Supported microcode/firmware updates are applied to the machine.

Windows patches alone won’t enable these new protections; you also need the necessary microcode/firmware update from your OEM.
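As an added example (not from the article), the following PowerShell script checks whether the Spectre variant 2 mitigation that Retpoline depends on is enabled by policy or default, reports kernel-level Retpoline status through Microsoft's SpeculationControl module, and can enable the mitigation on a server using the registry values Microsoft publishes in KB4072698. The bit semantics of FeatureSettingsOverride and the module's property names are assumed from Microsoft's documentation rather than from this page.

```powershell
# Added example: check the Spectre v2 (BTI) mitigation that Retpoline requires
# and optionally enable it on a server (KB4072698 values: Override 0, Mask 3).
# Run in an elevated PowerShell session; a reboot is required after enabling.
param([switch]$Enable)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-FeatureOverride {
    # Returns the override value and mask; $null means "use the OS default".
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Override = if ($null -ne $p.FeatureSettingsOverride)     { [int]$p.FeatureSettingsOverride }     else { $null }
        Mask     = if ($null -ne $p.FeatureSettingsOverrideMask) { [int]$p.FeatureSettingsOverrideMask } else { $null }
    }
}

function Test-BtiMitigationEnabled {
    # Bit 0 of FeatureSettingsOverride disables the Spectre v2 mitigation when
    # bit 0 of the mask is set (assumed from Microsoft's documentation). With no
    # override, client SKUs default to enabled and server SKUs to disabled.
    $o = Get-FeatureOverride
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1   # 1 = workstation
    if ($null -eq $o.Mask -or -not ($o.Mask -band 1)) { return (-not $isServer) }
    return (-not ($o.Override -band 1))
}

if ($Enable) {
    # Explicitly enable both the Spectre v2 and Meltdown mitigations.
    New-ItemProperty -Path $key -Name FeatureSettingsOverride     -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name FeatureSettingsOverrideMask -Value 3 -PropertyType DWord -Force | Out-Null
    Write-Output 'Mitigations enabled in the registry; reboot to apply.'
}

Write-Output ("Spectre v2 mitigation enabled by policy/default: {0}" -f (Test-BtiMitigationEnabled))

# Microsoft's SpeculationControl module (Install-Module SpeculationControl)
# reports what the running kernel actually applied, including Retpoline,
# which also depends on the microcode/firmware update being present.
if (Get-Module -ListAvailable -Name SpeculationControl) {
    Import-Module SpeculationControl
    $s = Get-SpeculationControlSettings -Quiet
    Write-Output ("BTI mitigation active in kernel: {0}" -f $s.BTIWindowsSupportEnabled)
    Write-Output ("Retpoline enabled in kernel:     {0}" -f $s.BTIKernelRetpolineEnabled)
} else {
    Write-Output 'SpeculationControl module not installed; run Install-Module SpeculationControl for kernel-level status.'
}
```

Run it without arguments to audit a machine; run it with -Enable on a server where you have confirmed the firmware update is applied, then reboot and run it again to verify that Retpoline reports as enabled.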

Windows update mitigates MDS attacks
