<Google Project Zero>
It started from “Google Project Zero”.
https://googleprojectzero.blogspot.com/
Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, we have exploits that work against real software. We reported this issue to Intel, AMD and ARM on 2017-06-01.
Here is the guidance for SQL Server and Windows Server.
SQL Server – https://support.microsoft.com/en-us/help/4073225/guidance-for-sql-server
Windows Server – https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
SQL Server patches are available for the versions below.
Patches for SQL 2012 and SQL 2014 should be released soon.
SQL Server 2017 CU3*
SQL Server 2017 GDR
SQL Server 2016 SP1 CU7*
SQL Server 2016 SP1 GDR
SQL Server 2016 RTM CU
SQL Server 2016 RTM GDR
SQL Server 2008 SP4 (This is a new version of SP4. The version number is slightly different.)
SQL Server 2008 R2 SP3 (This is a new version of SP3. The version number is slightly different.)
It seems that not many articles reported SQL 2008 SP4 and SQL Server 2008 R2 SP3 with this patch.
<Related blogs and articles>
https://www.brentozar.com/archive/2018/01/sql-server-patches-meltdown-spectre-attacks/
https://www.sqlskills.com/blogs/glenn/microsoft-sql-server-updates-for-meltdown-and-spectre-exploits/
Performance
https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/
| Exploited Vulnerability | CVE | Exploit Name | Public Vulnerability Name | Windows Changes | Silicon Microcode Update ALSO Required on Host |
|---|---|---|---|---|---|
| Spectre | 2017-5753 | Variant 1 | Bounds Check Bypass | Compiler change; recompiled binaries now part of Windows Updates. Edge & IE11 hardened to prevent exploit from JavaScript | No |
| Spectre | 2017-5715 | Variant 2 | Branch Target Injection | Calling new CPU instructions to eliminate branch speculation in risky situations | Yes |
| Meltdown | 2017-5754 | Variant 3 | Rogue Data Cache Load | Isolate kernel and user mode page tables | No |
In general, our experience is that Variant 1 and Variant 3 mitigations have minimal performance impact, while Variant 2 remediation, including OS and microcode, has a performance impact.
- With Windows 10 on newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU), benchmarks show single-digit slowdowns, but we don’t expect most users to notice a change because these percentages are reflected in milliseconds.
- With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance.
- With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.
- Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.