Microsoft rolls out Google’s Retpoline Spectre mitigation to Windows 10 users


Microsoft today rolled out cumulative update KB4482887, which includes an important security fix: a new mitigation for the Spectre v2 CPU vulnerability.

This new mitigation is based on a coding technique called Retpoline, developed by Google engineers.

Code written using Retpoline protections is safe from Spectre v2 (CVE-2017-5715), a vulnerability in modern processors that allows attackers to break the isolation between different applications and steal data from locally running processes.

Google has already deployed Retpoline on its Linux-based servers and also contributed patches to the Linux kernel last year. Throughout 2018, Retpoline slowly made its way into major Linux distros such as Red Hat, SUSE, Ubuntu, and Oracle Linux 6 and 7.

Microsoft began working on integrating Retpoline into the Windows kernel last year, and initially, the company planned to deploy the Retpoline mitigations with the next version of Windows 10, 19H1, which is due out this spring.

At the time, some Windows kernel experts, such as CrowdStrike researcher Alex Ionescu, claimed the mitigations would have been compatible with the Windows 10 October 2018 Update, if Microsoft wanted to ship them.

But in an update published today on the Microsoft Community page dedicated to the company’s work on mitigating Spectre v2, Windows Kernel Team development manager Mehmet Iyigun said things aren’t that simple.

“Due to the complexity of the implementation and changes involved, we are only enabling Retpoline performance benefits for Windows 10, version 1809 and later releases,” he said. “Over the coming months, we will enable Retpoline as part of phased rollout via cloud configuration.”
