Microsoft rolls out Google's Retpoline Spectre mitigation to Windows 10 users

Microsoft has rolled out today cumulative update KB4482887, an update that includes an important security fix, a new mitigation for the Spectre v2 CPU vulnerability.

This new mitigation is based on a coding technique called Retpoline, developed by Google engineers.

Code written using Retpoline protections are safe from Spectre v2 (CVE-2017-5715), a vulnerability in modern processors that allows attackers to break the isolation between different applications and steal data from locally running processes.

Google has already deployed Retpoline on its Linux-based servers and also contributed patches to the Linux kernel last year. Throughout 2018, Retpoline slowly made its way down major Linux distros such as Red Hat, SUSE, Ubuntu, and Oracle Linux 6 and 7.

Microsoft began working on integrating Retpoline into the Windows kernel last year, and initially, the company planned to deploy the Retpoline mitigations with the next version of Windows 10, 19H1, which is due out this spring.

At the time, some Windows kernel experts, such as CrowdStrike researcher Alex Ionescu, claimed the mitigations would have been compatible with the Windows 10 October 2018 Update, if Microsoft wanted to ship them.

But in an update published today on the Microsoft Community page dedicated to the company's work on mitigating Spectre v2, Windows Kernel Team development manager Mehmet Iyigun said things aren't that simple.

"Due to the complexity of the implementation and changes involved, we are only enabling Retpoline performance benefits for Windows 10, version 1809 and later releases," he said. "Over the coming months, we will enable Retpoline as part of phased rollout via cloud configuration."

When Google announced Retpoline last year, the search giant boasted about Retpoline's "negligible impact on performance," citing numbers of up to 1.5 percent performance impact on Google Cloud servers.

These numbers were far smaller than the 10-20 percent impact that most other Linux distros were reporting at the time, distros that relied on a mixture of OS updates and CPU microcode updates to handle Spectre v2 mitigations, considered the trickier of the original Meltdown and Spectre vulnerabilities revealed in January 2018.

Update, March 5: Microsoft has also posted instructions on how to enable the Retpoline protections included with KB4482887, which ship disabled by default.

Many of 2018's most dangerous Android and iOS security flaws still threaten your mobile security

Related cybersecurity news coverage:

• Hackers can hijack bare-metal cloud servers by corrupting their BMC firmware
• Intel open-sources HBFA app to help with firmware security testing
• Researchers hide malware in benign apps with the help of speculative execution
  
• Thunderclap flaws impact how Windows, Mac, Linux handle Thunderbolt peripherals
• Intel SGX Card expands SGX security protections to cloud data centers
• Adobe releases out-of-band update to patch ColdFusion zero-day
  
• Major vulnerability found in Android ES File Explorer app TechRepublic
• Xiaomi electric scooter reportedly vulnerable to hijacking hack CNET