Updates Aren’t Just for Social Media
Two years ago, a serious hardware flaw was discovered in one of the world’s most used series of processors from arguably the world’s largest manufacturer, Intel. This hardware flaw was found in processors with two functions; one called speculative execution and the other called indirect branch prediction. These two functions individually don’t cause problems but combined they may allow information in a computer’s memory to be divulged to third parties through a sophisticated and well-choreographed attack. As soon as the flaw was released, major technology companies around the world scrambled to update the core of their operating systems to mitigate what is now known as the Spectre V2, or CVE-2017-5715 by the Common Vulnerabilities and Exposures List.ᶦ
When vulnerabilities are reported properly to the manufacturer of the hardware or software, the usual course of action is to research a fix, also knows as a patch, and to release that patch publicly for all affected products. In the case of Spectre V2, the companies that stepped up to mitigate the flaw were mostly those that design and develop under the Linux family of operating systems; Debian, SUSE, Oracle, Hewlett Packard Enterprise, FreeBSD, Google, and RedHat, among others. The technology industry’s top networking hardware provider, Cisco Systems, also released updates to its ubiquitous routing and switching operating system, known as IOS. Cisco was possibly the most important vendor to release patching for Spectre V2, as their equipment keeps the Internet functioning as we all know and love it.
Noticeably missing from the initial list of software and hardware vendors that patched Spectre V2 was a company that touches the lives of almost every computer end-user on the planet, Microsoft. Whether we realize it or not, Windows is the most pervasive operating system on the face of the planet when it comes to the average consumer. For instance, even users who prefer Apple Computers may find themselves having to install Windows in order to run certain programs that are only compatible with Windows 7, 8, 8.1, or the newest version, Windows 10. It wasn’t until October 2018 that Microsoft decided to release their fix, known as the Retpoline Patch, in their regular cumulative update for Windows-based systems. Too bad for end-users, Microsoft’s October 2018 updates were themselves flawed, and the update was held-back until January 2019.
Retpoline itself is a Google-createdᶦᶦ portmanteau of “return” and “trampoline.” Return, because of the flawed processor function that moves (returns) the execution of a process to a predefined area, and trampoline for the mechanism that bounces the execution back to where it should be. What few expected to see after applying the update, was the patch is effectively disabled for what Microsoft refers to as “production Windows 10 client devices.”ᶦᶦᶦ They know there’s a big bad bug out there that could menace anyone with this very commonplace Intel processor and very prevalent operating system. Intel has very little to do in this scenario as they’ve already modified their silicone templates to mitigate or eliminate the bug in future iterations. We know many vendors of business operating systems and software have already patched their product catalogs. So why hasn’t Microsoft enabled the Retpoline Patch on all Windows 10 installations?
The answer is stunningly simple, the patch would slow down the computers it’s installed on. When, then, could regular users expect to see Microsoft’s Retpoline Patch enabled on their systems? For the anxious among us, the update is available to be installed manually under Microsoft knowledge base article KB4482887.ᶦᵛ Whether you update now, or update later, the most important idea I’d like to leave everyone with is, updates aren’t just for your social media. Do everyone a favor and keep your computer updated with the latest patches from Microsoft, Apple, Dell, or whatever company made it. Spectre V2 may not be targeting your PC, but there are plenty of other bugs out there that are!ᵛ
