As part of the latest round of operating system patches, Microsoft has released KB4482887 for Windows 10. Prior Spectre and Meltdown mitigations required additions to the registry to account for antivirus validations before they would be applied. This check was later removed, yet the enforcement of the necessary protections was not enabled by default. This newest release provides the necessary mechanisms to use retpoline. However, we’re back to the “here’s a patch that isn’t enforced yet” conundrum that transforms risk management or vulnerability mitigation into a drinking game.
What’s the point of providing an update when its protections aren’t being actively enforced? Why release a game-hindering patch when the workaround involves removing what was recommended for installation? Since 2015, Microsoft has released a few patches in the name of security which do not enforce the necessary protections for the attack vector. Executing an authenticated scan using a market-leading vulnerability assessment tool will reinforce that applying a patch is no longer sufficient for Windows.
If you’re interested in being ahead of the curve and leveraging the retpoline additions for KB4482887, the registry values provided at BleepingComputer will get you most of the way there. The reason we’re saying “most” is because of the post-modification checks we executed using the Get-SpeculationControlSettings PowerShell cmdlet. This wonderful cmdlet will aid in determining which protections are active. Declarations are well spelled out and account for the need to enforce protections based upon your processor of choice (Intel, AMD, and ARM derivatives). Needless to say, the true value which will be assigned to the FeatureSettingsOverride registry key involves a bitwise OR of the flags needed to enable Speculative Store Bypass protection on a system-wide basis and to enable Retpoline.
Multiple knowledge base articles pertaining to protection against speculative execution side-channel vulnerabilities are... well... multiple. The value of FeatureSettingsOverride will ultimately be yet another value based on the evaluation of the bitwise OR between the data provided by BleepingComputer and the data contained in the guidance for IT Pros. For Ryzen processors, 0x448 (1096) is the pro play.
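To make the bitwise OR concrete, here is an added PowerShell example (not from the original post or from Microsoft) that composes the FeatureSettingsOverride value from individual flags, decomposes whatever is currently set on the machine, and then re-checks the live state with Get-SpeculationControlSettings. The per-flag bit assignments are our assumptions drawn from the BleepingComputer write-up and the IT Pro guidance; confirm them against the KB article for your processor before writing anything.

```powershell
# Added example: compose/decompose FeatureSettingsOverride and verify with the cmdlet.
# Registry location documented in Microsoft's speculative execution guidance.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Assumed bit assignments (verify against the KB for your CPU):
$Bits = [ordered]@{
    SSBDSystemWide     = 0x008   # Speculative Store Bypass Disable, system wide
    ImportOptimization = 0x040   # kernel import optimization (assumed)
    Retpoline          = 0x400   # retpoline mitigation enabled by KB4482887
}

# Bitwise OR of every flag; for the set above this yields 0x448 (1096).
$Desired = 0
foreach ($v in $Bits.Values) { $Desired = $Desired -bor $v }

# Read what is currently configured (missing value => 0, i.e. nothing overridden).
$props   = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
$Current = if ($null -ne $props.FeatureSettingsOverride) { [int]$props.FeatureSettingsOverride } else { 0 }
$Mask    = if ($null -ne $props.FeatureSettingsOverrideMask) { [int]$props.FeatureSettingsOverrideMask } else { 0 }

'FeatureSettingsOverride     : 0x{0:X3} ({0})' -f $Current
'FeatureSettingsOverrideMask : 0x{0:X3} ({0})' -f $Mask
'Desired override            : 0x{0:X3} ({0})' -f $Desired
''

# Decompose the current value: which assumed flags are present and which are missing.
foreach ($kv in $Bits.GetEnumerator()) {
    $state = if (($Current -band $kv.Value) -ne 0) { 'set' } else { 'MISSING' }
    '{0,-20} 0x{1:X3}  {2}' -f $kv.Key, $kv.Value, $state
}

# A flag only takes effect if the mask also covers it; report any that it does not.
$unmasked = $Desired -band (-bnot $Mask)
if ($unmasked -ne 0) { 'Bits not covered by the mask: 0x{0:X3}' -f $unmasked }

# Live verification: the SpeculationControl module (Install-Module SpeculationControl)
# reports what the running kernel actually enforces, regardless of registry intent.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings | Select-Object *Retpoline*, *ImportOptimization*, *SSBD*
} else {
    'SpeculationControl module not installed; run Install-Module SpeculationControl'
}
```

The script is read-only; applying the value still requires an elevated session, setting FeatureSettingsOverrideMask per the KB, and a reboot before the cmdlet will reflect the change.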