Microsoft has released the update KB4482887 which includes a major security fix, a new mitigation for the Spectre v2 CPU vulnerability.
This new mitigation is based on a coding technique developed by the engineers at Google and is called Retpoline. The code which are written using Retpoline protections are safe from the vulnerability Spectre v2 dubbed as CVE-2017-571. This flaw is present in the modern processors which permits the attackers to break the isolation between different applications and steal data from locally running processes.
The Retpoline was already deployed on Google’s Linux based servers and have patched the Linux kernels last year. It was already distributed in the various Linux distributions like Red Hat, SUSE, Ubuntu, and Oracle Linux 6 and 7.
The integration of Retpoline into the Windows Kernel was started by Microsoft since last year, and so they have planned to deploy the Retpoline mitigations with the next version of Windows 10, 19H1, which will be out in this spring.
Windows kernel experts, such as CrowdStrike researcher Alex Ionescu, claimed the mitigations would have been compatible with the Windows 10 October 2018 Update.
The Microsoft Community page made an update that states that mitigating Spectre v2 is not as simple as it is. Windows Kernel Team development manager Mehmet Iyigun said that due to the complexity of the implementation and changes involved, Retpoline is enabled only for Windows 10, version 1809 and later releases. It will be enabled soon as part of phased rollout via cloud configuration.
According to Google, Retpoline has negligible impact on performance citing numbers of up to 1.5 percent performance impact on Google Cloud servers. This is small when compared to the 10-20 percent impact that most other Linux distros were reporting at the time. Those distros which depended on a mixture of OS updates and CPU microcode has been updated to handle Spectre v2 mitigations which is trickier than the original Meltdown and Spectre vulnerabilities revealed in January 2018.