News

Microsoft Touts Using HyperClear To Address Intel Processor Woes

Microsoft is again promoting its HyperClear Hyper-V hypervisor technology as a potential balm for organizations trying to come to grips with Intel's latest speculative execution side-channel attack disclosures.

On Tuesday, Intel described microarchitectural data sampling (MDS) vulnerabilities in older Intel processors that were discovered by researchers. Four new attack approaches were discovered, which Intel subsequently announced. These MDS attack methods constitute a new subgroup of speculative execution side-channel attack methods that are different from Intel's "Meltdown" and "Spectre" disclosures more than a year ago. The vulnerabilities could be used in information disclosure types of exploits by attackers, although no known active attacks have been described at present.

In response to the MDS vulnerabilities, operating system patches and firmware ("microcode") updates are being issued, and both need to be applied to protect systems. Intel explained that the microcode updates typically get issued by "OEMs," by which it means original equipment manufacturers of PCs and servers, such as Dell, HP and Toshiba, among others. Intel's microcode release progress per supported processor is described in this Intel guide.

In August, Microsoft had described its HyperClear Hyper-V technology as adding support for addressing the L1 Terminal Fault "Foreshadow" exploit, another speculative execution side-channel attack method. HyperClear technology is present in Windows Server 2016 and newer products, and it's also used in Microsoft Azure datacenters. Microsoft had indicated back then that HyperClear allowed organizations to continue to safely use Intel's Hyper-Threading technology with virtual machines, instead of having to disable it to address the Foreshadow vulnerabilities.

This week, Microsoft renewed its HyperClear claims with regard to the MDS disclosures. HyperClear was updated, allowing it to address the new MDS avenues of attack in virtual machines without having to disable Hyper-Threading, Microsoft's Tuesday announcement explained:

Fortunately for us and for our customers, HyperClear has proven to be an excellent foundation for mitigating this new set of side channel vulnerabilities. In fact, HyperClear required a relatively small set of updates to provide strong inter-VM and intra-OS protections for our customers. These updates have been deployed to Azure and are available in Windows Server 2016 and later supported releases of Windows and Windows Server. Just as before, the HyperClear mitigation allows for safe use of hyper-threading in a multi-tenant virtual machine hosting environment.

Intel Hyper-Threading is a form of Simultaneous Multi-Threading (SMT) technology. Intel and Microsoft have both warned that disabling Hyper-Threading will result in performance decrements. HyperClear apparently lets organizations continue to run Hyper-Threading in virtual machines, although advice from Microsoft and Intel seems somewhat murky.

Intel, for instance, doesn't recommend disabling Hyper-Threading to address the latest MDS vulnerabilities, but its FAQ included the following caveat:

It may be appropriate for some customers to consider additional steps [to address MDS]. This includes customers who cannot guarantee that trusted software is running on their system(s) and are using Simultaneous Multi-Threading (SMT). In these cases, customers should consider how they utilize SMT for their particular workload(s), guidance from their OS and VMM software providers, and the security threat model for their particular environment.

Microsoft's advice in Security Advisory ADV190013 seems more stark:

To be fully protected, customers may also need to disable Hyper-Threading (also known as Simultaneous Multi Threading (SMT)). Please see Knowledge Base Article 4073757 for guidance on protecting Windows devices.

That Knowledge Base article doesn't answer whether Hyper-Threading needs to be disabled or not. However, it does explain that Hyper-Threading typically gets disabled via a system's BIOS settings: "The steps that are necessary to disable Hyper-Threading will differ from OEM to OEM but are generally part of the BIOS or firmware setup and configuration tools," the Knowledge Base article stated.

So, the case for HyperClear isn't altogether clear. One the one hand, Microsoft is promoting HyperClear as a solution for the MDS dilemma. On the other hand, it's saying that organizations may still have to disable Hyper-Threading after all.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

Featured

  • How To Replace an Aging Domain Controller

    If the hardware behind your domain controllers has become outdated, here's a step-by-step guide to performing a hardware refresh.

  • Azure Backup for SQL Server 2008 Available at Preview Stage

    Microsoft added the option of using the Azure Backup service to provide recovery support for SQL Server 2008 and SQL Server 2008 R2 when those workloads are hosted on Azure virtual machines.

  • Microsoft Suggests Disabling Old Protocols with Exchange Server 2019

    Exchange Server 2019 with Cumulative Update 2 (CU2) can help organizations rid themselves of old authentication protocols, which constitute a potential security risk.

  • Microsoft Previews New Edge Browser on Windows 7 and Windows 8.1

    Microsoft announced this week that it has released previews of its Chromium-based Microsoft Edge Web browsers for use on Windows 7, Windows 8 and Windows 8.1 systems.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.