Meltdown and Spectre logos

Late last night, Microsoft issued out-of-band updates that address Meltdown and Spectre, two security flaws said to be affecting almost all CPUs released since 1995.

The Redmond-based OS maker was not planning on releasing the updates until next week, on Patch Tuesday, but was forced to roll out fixes after Google went public with details about the two vulnerabilities.

According to a Microsoft security advisories [1, 2], these are the Windows security updates that address the Meltdown and Spectre flaws for various Windows distributions.

Operating System Version

Update KB

Windows Server, version 1709 (Server Core Installation)

4056892

Windows Server 2016

4056890

Windows Server 2012 R2

4056898

Windows Server 2012

Not available

Windows Server 2008 R2

4056897

Windows Server 2008

Not available

Windows 10 (RTM, 1511, 1607, 1703, 1709), Windows 8.1, Windows 7 SP1

ADV180002  (Multiple KBs, it's  complicated)

The Microsoft updates are not all-out fixes. Some Windows PCs may require additional CPU firmware updates to mitigate Spectre attacks, but the Microsoft updates appear to fully-address the Meltdown flaw.

Problems with some anti-virus software may lead to BSODs

But Microsoft also warns that the Meltdown and Spectre security fixes are incompatible with some anti-virus products.

"During our testing process, we uncovered that some third-party applications have been making unsupported calls into Windows kernel memory that cause stop errors (also known as bluescreen errors) to occur," Microsoft said in a compatibility note for yesterday's security fixes.

"These calls may cause stop errors [...] that make the device unable to boot. To help prevent stop errors caused by incompatible anti-virus applications, Microsoft is only offering the Windows security updates released on January 3, 2018 to devices running anti-virus software from partners who have confirmed their software is compatible with the January 2018 Windows operating system security update."

"If you have not been offered the security update, you may be running incompatible anti-virus software and you should follow up with your software vendor," Microsoft said.

In other words, if users are employing a third-party anti-virus product, they should first check if the AV has updated its anti-virus product to support the Microsoft patches.

There have been no reports of malicious groups using neither Meltdown or Spectre in real-world attacks, so Microsoft is also recommending that users give anti-virus vendors more time to update their products.

Microsoft says that when anti-virus vendors update their product to support the Meltdown and Spectre patches, they've been instructed to create a custom registry key on the OS, which will allow Windows to download and receive the proper security fixes (if the user also agrees to it).

If users aren't willing to search their antivirus product's homepage for such info, if they find the following registry key on their systems, the antivirus product has already been updated to support the Meltdown and Spectre patches.

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD”

A security researcher is currently keeping a Google Docs spreadsheet with the status of Meltdown and Spectre patches on various anti-virus engines. At the time of writing, only Microsoft, ESET, and Kaspersky AV engines support the patches, with others set to receive updates starting tomorrow.

Other vendors have also issued patches. You can find a full list here.