Me, myself & IT

Meltdown, Spectre, Spectre-NG and Foreshadow Update Check Utility

Purpose
Background Information
Operation
Implementation and Build Details
Authenticity and Integrity
Makefile and Build Instructions

Purpose

The Windows^® application BTI_RDCL.EXE displays the status of the mitigations for the vulnerabilities CVE-2017-5715 alias Branch Target Injection and CVE-2017-5754 alias Rogue Data Cache Load, better known by their nicknames Meltdown and Spectre, as well as the mitigations for the vulnerability CVE-2018-3639 alias Speculative Store Bypass, also known as Spectre-NG or Variant 4, CVE-2018-3640 alias Rogue System Register Read, also known as Spectre-NG or Variant 3a, and CVE-2018-3615, CVE-2018-3620 plus CVE-2018-3646 alias L1 Terminal Fault, also known by its nickname Foreshadow.
The mitigations are installed by one of the security updates 4056888, 4056890, 4056891, 4056892, 4056893, 4056894, 4056895, 4056896, 4056897, 4056898 and 4056899, the subsequent updates 4057142, 4057144, 4075199, 4075200, 4057400, 4057401, 4057402, 4073290, 4073291, 4073576 and 4073578, and their successors.

Note: the status of the mitigations for the vulnerabilities CVE-2017-5753 alias Bounds Check Bypass and CVE-2018-3693 alias Bounds Check Bypass Store can’t be shown: every sequence of machine code which is susceptible to these vulnerabilities needs to be fixed individually!

Background Information

The MSKB articles 4072698, 4072699, 4073065, 4073119, 4073225, 4073229, 4073237, 4073707, 4073757, 4078130 and 4078407 provide information about the updates.

The MSKB articles 4090007, 4091663, 4091664, 4091666, 4093836, 4100347, 4346084, 4346085, 4346086, 4346087, 4346088 and 4465065 provide information about the microcode updates distributed through the Microsoft Update Catalog.

The posts Mitigating speculative execution side channel hardware vulnerabilities, KVA Shadow: Mitigating Meltdown on Windows, Analysis and mitigation of speculative store bypass (CVE-2018-3639) and Analysis and mitigation of L1 Terminal Fault (L1TF) on Microsoft’s Security Research and Defense Blog give additional information.

The article series Deep Dive: Introduction to Speculative Execution Side Channel Methods, Deep Dive: Analyzing Potential Bounds Check Bypass Vulnerabilities, Deep Dive: Intel Analysis of Speculative Behavior of SWAPGS and Segment Registers, Deep Dive: Indirect Branch Restricted Speculation, Deep Dive: Single Thread Indirect Branch Predictors, Deep Dive: Indirect Branch Predictor Barrier, Deep Dive: Retpoline: A Branch Target Injection Mitigation, Deep Dive: Managed Runtime Speculative Execution Side Channel Mitigations, Deep Dive: Intel Analysis of Microarchitectural Data Sampling, Deep Dive: Intel Analysis of L1 Terminal Fault, Deep Dive: Snoop-assisted L1 Data Sampling, Deep Dive: Intel^® Transactional Synchronization Extensions (Intel^® TSX) Asynchronous Abort, Deep Dive: Load Value Injection and Deep Dive: CPUID Enumeration and Architectural MSRs, plus More information on SWAPGS and Speculative only Segment Loads, An Optimized Mitigation Approach for Load Value Injection and Refined Speculative Execution Terminology give more details, while Processors Affected: Speculative Behavior of SWAPGS and Segment Registers, Processors Affected: Microarchitectural Data Sampling, Processors Affected: L1 Terminal Fault, Processors Affected: L1D Eviction Sampling, Processors Affected: Vector Register Sampling, Processors Affected: Snoop-assisted L1 Data Sampling and Processors Affected: Load Value Injection list the affected Intel processors.

Operation

[Screenshot of BTI_RDCL.EXE without security update for 'Meltdown' (CVE-2017-5754), 'Spectre' (CVE-2017-5715, CVE-2017-5753) and 'Spectre-NG' (CVE-2018-3639, CVE-2018-3640)]

Without security update installed, BTI_RDCL.EXE displays two message boxes like that shown on the right.

With security update installed, BTI_RDCL.EXE displays two message boxes like those shown below.

[Screenshot of BTI_RDCL.EXE with active mitigation for 'Meltdown' (CVE-2017-5754)]

Implementation and Build Details

BTI_RDCL.EXE is a pure Win32 application, written in ANSI C, built with the ~~Platform SDK for Windows Server 2003 R2~~ Microsoft Visual C++ Compiler 2010 SP1 from update 2519277, but without the MSVCRT libraries, for use on Windows ~~2000~~ XP and newer versions of Windows NT as well as Windows PE.

Authenticity and Integrity

BTI_RDCL.EXE is digitally signed using an X.509 certificate issued by WEB.DE TrustCenter E-Mail Certification Authority.

Serial number of the certificate: 73780985; 0x0465CEF9
Fingerprint of the certificate: MD5: 33 33 6e 1d 26 18 a7 c2 be 87 11 68 05 2c 70 09; SHA-1: 8c 5b 75 21 40 41 77 ac 54 13 13 02 06 6b b0 69 10 2e 83 0e

Download and install the CA and root X.509 certificates of WEB.DE to validate and verify the digital signature.

Note: due to its counter signature alias timestamp the digital signature remains valid past the X.509 certificates expiration date!

Makefile and Build Instructions

Optionally perform the following 4 simple steps to build BTI_RDCL.EXE from the source and sign it with your own X.509 certificate.

Download the makefile BTI_RDCL.MAK and save it in an arbitrary, preferable empty directory.
Note: the makefile contains the sources as inline files.
Download the Meltdown icon and save it as MELTDOWN.ICO in the directory used in step 1.
Download the Spectre icon and save it as SPECTRE.ICO in the directory used in step 1.

Run the following command line to build BTI_RDCL.EXE:

NMAKE.EXE /R /F BTI_RDCL.MAK

Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.

Microsoft (R) Program Maintenance Utility Version 10.00.40219.01
Copyright (C) Microsoft Corporation.  All rights reserved.

	RC.EXE /DUNICODE /FoBTI_RDCL.RES /L 0 /N /R /V nm2A7.tmp
Microsoft (R) Windows (R) Resource Compiler Version 6.1.7600.16385
Copyright (C) Microsoft Corporation.  All rights reserved.

Using codepage 1252 as default
Creating BTI_RDCL.RES
C:\Program Files\Microsoft Visual Studio 10.0\VC\Include\string.h(54) : warning RC4011: identifier truncated to '_CRT_SECURE_CPP_OVERLOAD_STANDA'
C:\Program Files\Microsoft Visual Studio 10.0\VC\Include\string.h(76) : warning RC4011: identifier truncated to '_CRT_SECURE_CPP_OVERLOAD_SECURE'

nm2A7.tmp.
Writing ICON:1, lang:0x0,       size 9640
Writing ICON:2, lang:0x0,       size 4264
Writing ICON:3, lang:0x0,       size 1128
Writing GROUP_ICON:1,   lang:0x0,       size 48.
Writing ICON:4, lang:0x0,       size 9640
Writing ICON:5, lang:0x0,       size 4264
Writing ICON:6, lang:0x0,       size 1128
Writing GROUP_ICON:2,   lang:0x0,       size 48.
Writing 24:1,   lang:0x0,       size 1308.
Writing VERSION:1,      lang:0x0,       size 1720
	CL.EXE /c /FoBTI_RDCL.OBJ /GA /GF /GS- /Gy /nologo /O1 /Os /Tcnm2A8.tmp /W4 /we4013 /Zl
nm2A8.tmp
	CL.EXE /c /FoBTI_RDCL.TMP /nologo /Tcnm2A9.tmp /W4 /wd4100 /Zl
nm2A9.tmp
	LINK.EXE /LIB /DEF /EXPORT:NtQuerySystemInformation /EXPORT:RtlNtStatusToDosError /NAME:NTDLL /NODEFAULTLIB /NOLOGO /OUT:BTI_RDCL.LIB BTI_RDCL.TMP
   Creating library BTI_RDCL.LIB and object BTI_RDCL.exp
	CERTUTIL.EXE /DecodeHex /F /V nm2AA.tmp BTI_RDCL.DOS
Input Length = 730
Output Length = 160
CertUtil: -decodehex command completed successfully.
	LINK.EXE /LINK /DYNAMICBASE /ENTRY:wWinMainCRTStartup /FIXED:NO /IGNORE:4060 /LARGEADDRESSAWARE /NODEFAULTLIB /NOLOGO /NXCOMPAT /OPT:REF /OSVERSION:5.0 /OUT:BTI_RDCL.EXE /RELEASE /STUB:BTI_RDCL.DOS /SUBSYSTEM:WINDOWS /SWAPRUN:CD,NET /VERSION:1.0 BTI_RDCL.OBJ BTI_RDCL.RES BTI_RDCL.LIB KERNEL32.LIB USER32.LIB
	".\BTI_RDCL.EXE"

Contact

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tipps, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Terms and Conditions

By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!

The software and the documentation on this site are provided as is without any warranty, neither express nor implied.
In no event will the author be held liable for any damage(s) arising from the use of the software or the documentation.
Permission is granted to use the current version of the software and the current version of the documentation solely for personal private and non-commercial purposes.
An individuals use of the software or the documentation in his or her capacity or function as an agent, (independent) contractor, employee, member or officer of a business, corporation or organisation (commercial or non-commercial) does not qualify as personal private and non-commercial purpose.
Without written approval from the author the software or the documentation must not be used for a business, for commercial, corporate, governmental, military or organisational purposes of any kind, or in a commercial, corporate, governmental, military or organisational environment of any kind.
Redistribution of the software and the documentation is allowed only in unmodified form of its current version and free of charge.

Data Protection Declaration

This web page records no (personal) data and stores no cookies in the web browser.

The web service is operated and provided by

Telekom Deutschland GmbH
Business Center
D-64306 Darmstadt
Germany
<‍hosting‍@‍telekom‍.‍de‍>
+49 800 5252033

The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):

the (pseudonymised) IP address;
the date and time of the request;
the URL of the requested web page or file;
the Referer and User-Agent HTTP headers sent by the web browser;
the result (success or failure) of the request;
the amount of data received and sent.