
Spectre Variant 2 Microcode Update

It looks like Intel has released a microcode update (Download Linux* Processor Microcode Data File) for most of their processors to mitigate one part of the Spectre (CVE-2017-5715) issue. I noticed that in Bootcamp, while all the Windows updates are installed to support the OS half of the mitigation, the CPU mitigation is not available (see screenshot). This means that when Bootcamp Windows is running my MacBook Pro is vulnerable to this issue. I can also see in a CPU tool that my Microcode is version 12, when the latest is ~23. So it seems like mine has never been updated.


Does anyone know if Apple will be releasing a firmware update to include this? I would imagine the CPU level mitigation would be useful in MacOS to head off this issue, no? At the very least it should be available for those of us who use Bootcamp to ensure our machines are secure.



MacBook Pro (Retina, 15-inch, Mid 2014), macOS High Sierra (10.13.2), CVE-2017-5715

Posted on Jan 10, 2018 1:07 AM

6 replies

Jan 22, 2018 10:42 AM in response to macdude91

I believe the core issue is that the microcode updates are causing instability (reboot problems). From reading around on this issue, it sounds like vendors like Redhat are no longer going to load the updated microcode.


After re-reading this: About speculative execution vulnerabilities in ARM-based and Intel CPUs - Apple Support


"Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser. On January 8th Apple released updates for Safari on macOS and iOS to mitigate these exploit techniques. Our current testing indicates that the Safari mitigations have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark. We continue to develop and test further mitigations within the operating system for the Spectre techniques, and will release them in upcoming updates of iOS, macOS, and tvOS. watchOS is unaffected by Spectre."

This doesn't say Apple is loading the patched Intel microcode yet. I suspect that is probably to avoid the instability problems others like Redhat are having by doing so.


I did find out that you can find the microcode version from a terminal window with the following command:

sysctl -a | grep microcode

For more details use:

sysctl -a | grep cpu


The microcode version number you get will vary depending upon processor family-model-stepping.

If you boot a linux distro from a usb stick, you can compare that to the output of this command:

grep 'microcode' /proc/cpuinfo

The good news is that Spectre variant 2 appears to be hard to exploit, so you may be better off at this point without the patched microcode if it causes instability, so long as the browser vendors have closed down the JavaScript vulnerabilities well.
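As an added example (not from any poster in this thread), here is a POSIX shell script that parses constructed `sysctl -a` and `/proc/cpuinfo` text, derives the CPUID family-model-stepping signature the reply above refers to, and checks the loaded microcode revision against a required minimum; note that Linux prints the revision in hex while macOS prints it in decimal, which is the trap when comparing the two outputs. The sample text and the value of REQUIRED_REV are placeholders, not Intel's real revision for any CPU.

```shell
#!/bin/sh
# Added example, not from the thread: compare the microcode revision reported by
# macOS (sysctl, decimal) and Linux (/proc/cpuinfo, hex) for the same CPU and
# check it against a required minimum. All sample text below is constructed and
# REQUIRED_REV is a placeholder, not Intel's actual revision for any CPU.

# Intel CPUID signature from family/model/stepping; the model's high nibble is
# the extended model (bits 16-19). Example: family 6, model 70, stepping 1 -> 0x40661
cpu_signature() {
    printf '0x%x' $(( ($1 << 8) | (($2 >> 4) << 16) | (($2 & 15) << 4) | $3 ))
}

# First "key : value" match in Linux /proc/cpuinfo text on stdin ($1 = key).
cpuinfo_field() {
    awk -F': *' -v k="$1" '$1 ~ "^"k"[ \t]*$" { print $2; exit }'
}

# Value of a key in macOS `sysctl -a` text on stdin ($1 = key).
sysctl_field() {
    awk -F': *' -v k="$1" '$1 == k { print $2; exit }'
}

# Succeeds when the loaded revision ($1) is at least the required one ($2).
# Either argument may be hex (Linux style) or decimal (macOS style).
microcode_current() {
    [ $(( $1 )) -ge $(( $2 )) ]
}

CPUINFO_SAMPLE='processor   : 0
cpu family  : 6
model       : 70
model name  : (constructed sample)
stepping    : 1
microcode   : 0x12'

SYSCTL_SAMPLE='machdep.cpu.family: 6
machdep.cpu.model: 70
machdep.cpu.stepping: 1
machdep.cpu.microcode_version: 18'

REQUIRED_REV=0x17   # placeholder minimum revision for the sample CPU

# Prints "<signature> <linux_rev> <macos_rev> OK|UPDATE"; returns 1 on UPDATE.
check_samples() {
    sig=$(cpu_signature "$(printf '%s\n' "$CPUINFO_SAMPLE" | cpuinfo_field 'cpu family')" \
                        "$(printf '%s\n' "$CPUINFO_SAMPLE" | cpuinfo_field model)" \
                        "$(printf '%s\n' "$CPUINFO_SAMPLE" | cpuinfo_field stepping)")
    lin=$(printf '%s\n' "$CPUINFO_SAMPLE" | cpuinfo_field microcode)
    mac=$(printf '%s\n' "$SYSCTL_SAMPLE" | sysctl_field machdep.cpu.microcode_version)
    if microcode_current "$lin" "$REQUIRED_REV" && microcode_current "$mac" "$REQUIRED_REV"; then
        echo "$sig $lin $mac OK"
    else
        echo "$sig $lin $mac UPDATE"; return 1
    fi
}
```

On a real machine, feed `sysctl -a` (macOS) or `cat /proc/cpuinfo` (Linux) into the field helpers instead of the samples; the required revision for your signature still has to come from Intel's release notes for the microcode data file.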

Jan 10, 2018 3:21 AM in response to macdude91

This is a user-to-user support community where no one has inside information, or should speculate, on Apple's future product plans.


Apple has addressed the software side of the recent threats. If and when they are ready to address the hardware side of things is an Intel/Arm/Apple release schedule. Apple will let us know when that time arrives.

Jan 21, 2018 6:08 PM in response to macdude91

I see the same results on all of my Windows PCs, as well as Windows VMs running on my Mac under Parallels. It sounds like Windows isn't loading the patched microcode from Intel at boot time like some Linux distros can. Perhaps Microsoft is still working on this. I'm still looking for a Mac utility that can show me what version of microcode is loaded, but I haven't found one yet.

Jan 22, 2018 7:06 AM in response to pmontelo

I get the feeling that Microsoft isn't handling this update in that fashion. They are relying on OEMs to push BIOS or EFI updates to update the Microcode for this. So if Apple never gets around to updating the firmware, Windows will never be fully protected on Macs from this point forward. I wish Microsoft would have just bucked up and implemented Retpoline to save us the need of a microcode update and subsequent performance hit and then just loaded the firmware on the necessary machines at boot like Linux. I think they chose to do LFENCES and the IBRS stuff.


My guess would be that MacOS is going to implement Retpoline like the Linux kernel and will not likely need the microcode update (except for Skylake and up) to be as protected as we can be against these flaws.


But still I would like to see the update so my Bootcamp is protected. I suspect that many OEMs will not be releasing updated firmware for their machines and Microsoft will have to come back and revisit this though.


As far as getting the Microcode version from MacOS, I'm sure there has to be a way to do it through the terminal, but I was unable to find one. I ended up booting into my Bootcamp Windows and running HWInfo to get the microcode version number, which is 12 for me. What is yours?

Jan 22, 2018 11:04 AM in response to pmontelo

Correct, for Haswell (Broadwell?) and lower Intel released a bad microcode update that causes instability. I'm cool with Apple holding off until stuff is stable, but I would be mighty upset if they never pushed the microcode update. Especially since I have a 2014 and a brand new 2015 sitting right in front of me. They are literally the same computer as far as the processor goes. One is still under warranty, so they can't say they aren't supporting Haswell machines in order to implement this. Even still... if they fix the issues within MacOS without needing the microcode patch (using retpoline) I still boot my computer into Windows often and need it there.


I am a software dev, mobile, not kernel. But from my understanding the microcode has new instruction sets that can be enabled/disabled via a flag that the OS sets upon boot. So booting an OS with retpoline would theoretically disable IBRS if it's not needed and circumvent the performance hit. So MacOS could choose to disable it and Windows could enable it. So the performance hit is wholly dependent on the OS requirements (retpoline or not basically).


Also, I thought the JS vuln bug fixes in browsers were to head off Spectre 1, not 2?


Edit: Thanks for the commands as well! Good find!
