Meltdown and Spectre on Windows CE / Embedded Compact
Meltdown and Spectre have taken the world by storm, and of course the Windows CE / Embedded Compact OS is also affected by these processor bugs.
See this ARM bulletin: https://developer.arm.com/support/security-update
And this PDF: https://developer.arm.com/support/security-update/download-the-whitepaper
At GuruCE we of course want to release patches to prevent malicious attacks through these attack vectors, but unfortunately the required code changes are all in places we do not have source code for or that we can't compile:
- Variant 1 (Spectre) needs an update of the ARM compiler in CE/EC: https://developer.arm.com/support/security-update/compiler-support-for-mitigations
- Variant 2 (Spectre) needs updates to the COREOS code (scheduler / vm code)
- Variant 3 (Meltdown) does not apply to the Cortex-A9 (so does not apply to our iMX6 BSP)
We have therefore asked Microsoft for their plans on releasing patches for Windows CE/EC, and today (January 16, 2018) we received an answer:
- "Since the desktop fixes were just released we are just beginning our investigation of the backports for CE7 and Compact 2013. Since CE6 and Handheld were based on XP it is unlikely that we will see a fix unless there is a fix released for XP desktop client."
Please note the above comment is not an "official Microsoft" statement. The comment was received by us in an email from a Microsoft support manager.
So, that is at least some good news. There are still a lot of devices around that run Windows CE 6.0, so in that respect not fixing that OS version is bad, but at least both WEC7 and WEC2013 are now being investigated to see what it takes for Microsoft to patch them.
No timeline yet, but we will keep pushing MS and keep you updated on progress.
The official information pages from Microsoft are here:
https://support.microsoft.com/en-us/help/4073757/protect-your-devices-against-spectre-meltdown
https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems
There is no official info about Windows CE/EC on those pages yet, but hopefully CE/EC info will be added soon to the official pages, together with a timeline of when to expect the patches for CE/EC.
Comments
According to https://support
According to https://support.microsoft.com/en-us/help/4043450/products-reaching-end-of-support-for-2018, CE6 is still supported until April 10th. I would hope that they can backport a fix for CE6 before then.
RE: According to https://support
Yes, but CE 6.0 is in extended support already, so it would need a company to pay MS for adding that support. After April 10 2018 even paying for support on CE 6.0 is not possible anymore...
Thanks!
Thanks for the quick response & informative post Michel!