Late last night, Microsoft issued out-of-band updates that address Meltdown and Spectre, two security flaws said to be affecting almost all CPUs released since 1995.
The Redmond-based OS maker was not planning on releasing the updates until next week, on Patch Tuesday, but was forced to roll out fixes after Google went public with details about the two vulnerabilities.
According to Microsoft security advisories [1, 2], these are the Windows security updates that address the Meltdown and Spectre flaws for various Windows distributions.

| Operating System Version | Update KB |
|---|---|
| Windows Server, version 1709 (Server Core Installation) | |
| Windows Server 2016 | |
| Windows Server 2012 R2 | |
| Windows Server 2012 | Not available |
| Windows Server 2008 R2 | |
| Windows Server 2008 | Not available |
| Windows 10 (RTM, 1511, 1607, 1703, 1709), Windows 8.1, Windows 7 SP1 | ADV180002 (Multiple KBs, it's complicated) |

The Microsoft updates are not all-out fixes. Some Windows PCs may require additional CPU firmware updates to mitigate Spectre attacks, but the Microsoft updates appear to fully address the Meltdown flaw.
Problems with some anti-virus software may lead to BSODs
But Microsoft also warns that the Meltdown and Spectre security fixes are incompatible with some anti-virus products.
"During our testing process, we uncovered that some third-party applications have been making unsupported calls into Windows kernel memory that cause stop errors (also known as bluescreen errors) to occur," Microsoft said in a compatibility note for yesterday's security fixes.
"These calls may cause stop errors [...] that make the device unable to boot. To help prevent stop errors caused by incompatible anti-virus applications, Microsoft is only offering the Windows security updates released on January 3, 2018 to devices running anti-virus software from partners who have confirmed their software is compatible with the January 2018 Windows operating system security update."
"If you have not been offered the security update, you may be running incompatible anti-virus software and you should follow up with your software vendor," Microsoft said.
In other words, users who rely on a third-party anti-virus product should first check whether the vendor has updated that product to support the Microsoft patches.
There have been no reports of malicious groups using either Meltdown or Spectre in real-world attacks, so Microsoft is also recommending that users give anti-virus vendors more time to update their products.
Microsoft says that when anti-virus vendors update their product to support the Meltdown and Spectre patches, they've been instructed to create a custom registry key on the OS, which will allow Windows to download and receive the proper security fixes (if the user also agrees to it).
Users who don't want to search their antivirus product's homepage for this information can check their systems for the following registry key instead. If it is present, the antivirus product has already been updated to support the Meltdown and Spectre patches.
Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD"
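The check described above can be scripted. This is an added example, not code from Microsoft or from the original article. It is a read-only PowerShell function that looks for the registry value quoted above and confirms it is a REG_DWORD. The function name `Test-QualityCompatKey` and the output property names are made up for this illustration.

```powershell
# Added example: read-only check for the anti-virus compatibility marker.
# The key path, value name and type are the ones quoted in the article;
# the function and property names are hypothetical.
function Test-QualityCompatKey {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat',
        [string]$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    )

    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        KeyPresent   = $false
        ValuePresent = $false
        ValueKind    = $null
        MarkerSet    = $false
    }

    # Get-Item on the registry provider returns a Microsoft.Win32.RegistryKey,
    # or nothing if the QualityCompat subkey does not exist.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $result }
    $result.KeyPresent = $true

    # -contains compares strings case-insensitively, like registry value names.
    if ($key.GetValueNames() -contains $ValueName) {
        $result.ValuePresent = $true
        $result.ValueKind    = $key.GetValueKind($ValueName)
        # The article gives the type as REG_DWORD; a value of any other type
        # is not the expected marker.
        $result.MarkerSet = ($result.ValueKind -eq [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    return $result
}

# Report the state of the local machine.
Test-QualityCompatKey | Format-List
```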
A security researcher is currently keeping a Google Docs spreadsheet with the status of Meltdown and Spectre patches on various anti-virus engines. At the time of writing, only Microsoft, ESET, and Kaspersky AV engines support the patches, with others set to receive updates starting tomorrow.
Other vendors have also issued patches. You can find a full list here.
Comments
Occasional - 3 months ago
Started checking for updates this morning.
A WS2K8 R2 coming up not applicable (haven't looked at reg key yet).
A Win10 1709: No updates available.
A Win10 1607 is DL and installing KB4056890 (which article lists as for WS2016, not Win10).
Occasional - 3 months ago
Just noticed that ADV180002 is not a KB, it's the MS Security Advisor; but as I mentioned, a Win10 box is installing KB4056890.
Guess some confusion is to be expected, with a rush to patch event of this magnitude. Not much most of us can do, but keep checking - and be even more discriminating about where we travel in cyberspace.
Occasional - 3 months ago
Still waiting for results of KB4056890 (Update history shows it was successful), on what was a 1607 build (MS decided this was the right time to update to 1709, right after the KB update - and this while in the middle of a blizzard at my location).
That notebook, and the desktop which shows no updates available are both Enterprise, and only running MS's own Windows Defender; so no idea why one did the update, and the other shows none available.
Hope others will post what works, and doesn't with their systems.
JohnC_21 - 3 months ago
I found the update available on the Microsoft Update Catalog site. Microsoft will not push the update if it sees an AV on the computer that is not compatible. My question is why did it take this long to find the vulnerability.
Occasional - 3 months ago
JC, my take is that the vulnerability is inherent.
Your question is a two-edged sword: you could be asking "Why has it taken so long for - chip and software vendors, and security researchers - to find this vulnerability?" OR be asking "Why has it taken so long for - bad actors to find and exploit this vulnerability?".
The answer to both versions of the question probably lies with the motivations, available resources and risk/reward evaluation of those coming at this from either perspective. Consider how long it took chip vendors, and those that reviewed new offerings, to even mention security features - people only wanted to know about performance and capabilities, not how someone with malicious intent might redirect those capabilities.
DoNotSpamMe - 3 months ago
Another possibility is that this vulnerability has been exploited for quite some time already, albeit by the likes of nation state actors who likely would have used the utmost discretion and only taken advantage of it on rare occasions, thereby ensuring that their efforts would not set off alarm bells across the board.
Occasional - 3 months ago
Agreed. That coincides with the suggestion that exploitation would be against high-value targets, by sophisticated attackers. Nation-state and non-state political entities top the list of suspects; but don't rule out industrial espionage as a motive.
cat1092 - 3 months ago
Probably because of all of these 'backward compatibility' issues that have been forced on Intel by OS distributors, having to keep the '86x64' (or whatever) is a double-edged sword. I covered this in a Topic over in the Linux section, backed by an article, and have gone out on a limb for years commenting on these tech forums that keeping 32 bit was going to be one huge backfire.
http://www.zdnet.com/article/why-intel-x86-must-die-our-cloud-centric-future-depends-on-open-source-chips-meltdown/
Now it's exploded & will affect everyone; neither Intel nor any of the OEMs will 'fix' still-in-use Core2Duo/Quad, P4, Celeron, and many CPUs that preceded the 1st gen 'i' series (if that soon). These computers will continue to be used & will be a threat to everyone in some manner, how bad is yet to be seen.
Makes me wonder if this has been a coverup on the part of Intel, kind of like they didn't want consumers to know they did away with soldering the IHS onto the die for better cooling & long lifespan, beginning with Ivy Bridge or 3rd gen 'i' series. Many never knew this until way after the release of Haswell CPUs (4th gen) & Intel still has yet to give a straight answer as to why they choose to save $10 (max) on a vital component that enthusiasts will cover the cost of. Intel has been in the business for a long time & can do better.
Now they pass this upon us, seems that since they have VPro inbuilt into many CPUs, they could push a massive fix to all who have these, maybe that's just too much work for their engineers to handle, they'd rather push their job off on the OEMs. Who didn't have anything to do with manufacturing the CPU, only installed in their computers shipped out. Had they known that these were defective, likely would have sent back & gone with another supplier (AMD) instead.
Intel's stock will plunge huge before this is over, this is far from over & will have an impact on their rushing out newer models. AMD will get yet another shot in the arm over this deal.
Cat
Occasional - 3 months ago
Chips, software, even programming languages have all been affected by continuity pressures. Whether it's to protect investments in hardware, software or training/skill sets; marketing incentives force compromises on vendor/providers. There's inconsistency too; as good technology is often orphaned if the profit "sweet spot" has moved on, and junk carried along if there's still money to be made.
Perhaps it would have been easier to drop 32 bit capabilities in chips, if software/firmware vendors had continued to develop/update 32 bit for still wholly viable (if no longer competitive), 32 bit systems.
You obviously track CPU manufacturing practices much better than I do; but your point about their shaving a few dollars per unit, at the cost of reliability is no surprise - that "penny wise, pound foolish" practice is seen everywhere.
preppz - 3 months ago
I have updated my Win10 machine with the latest updates through windows update. But Google should really issue an emergency fix for Chrome. Later this month is too late!
AnguelS - 3 months ago
I had a problem that was caused by a GPO setting blocking the Windows update and therefore the Microsoft Powershell test script completely failed. Details on my blog:
https://techie-blog.blogspot.de/2018/01/gpo-blocks-windows-meltdown-spectre-update-kb4056892.html
Anguel