Recently, Microsoft has released an update containing an important cybersecurity fix that addresses the Spectre v2 CPU vulnerability. This new mitigation is based on Retpoline – a coding technique developed by Google’s team of developers.
For those unfamiliar with it, Spectre V2 is basically a vulnerability that affects modern processes. By taking advantage of it, an attacker could tamper with the local app isolation and snatch the data from processes running on the local machine.
In 2018, Google made efforts to deploy Retpoline on Linux servers. This was also the year when Retpoline slowly took off on various Linux distros, including:
– Oracle Linux
– Red Hat
The original plans were to deploy the Retpoline mitigations with Windows 10, version 19H1 (scheduled for release during spring). However, according to Alex Ionescu, a CrowdStrike researcher, Microsoft could have shipped the mitigations with the Windows 10 October 2018 Update had they chosen to do so.
Mehmet Iyigun, however, posted a reply on Microsoft Community boards, noting that things are not quite so simple. He went on to explain that in the months to come, Retpoline will be enabled in a phased rollout via cloud configuration.
In 2018, when Google came out with the Retpoline announcement for the very first time, they praised it for its supposed negligible impact on performance. The search engine giant claims that a 1.5% performance has been measured on Google Cloud servers. Looking at the 10% to 20% impact other Linux distros are reporting, this is quite impressive in comparison.