Two massive CPU vulnerabilities are sending organizations and vendors scrambling. Here are three practical steps you can take right now to assess and mitigate your risk.
News of Meltdown and Spectre — two CPU vulnerabilities affecting nearly all operating systems and devices — has taken the IT and security worlds by storm. We've provided basic details on both bugs in a previous blog post, including background on how they were disclosed and ways they can be potentially exploited.
With these vulnerabilities having such a widespread impact across vendors and operating systems, however, practical information has been scattered and difficult to sort through. Recommendations are coming in from a lot of different directions, covering a broad spectrum of scenarios. To top it off, patching is complicated and a bit of a mess.
To help, here are three practical things Windows users specifically can do to a) determine whether machines are protected or vulnerable; and b) further reduce the risk of attackers using Meltdown and Spectre against you.
Microsoft's update process for Windows has been complicated by compatibility issues with some antivirus products (more on that below), making it more difficult for admins to confirm whether their organizations' machines are protected or not.
To help, the company has provided a PowerShell script that system administrators can run to verify whether the security updates are in fact installed properly.
The following command will install the PowerShell module:
PS > Install-Module SpeculationControl
Note: There are a couple of requirements for running this command. First, you'll need to be running PowerShell with admin privileges and may need to adjust execution policy. Also, the Install-Module command was introduced to PowerShell in version 5.0. Most Windows 7 machines will not have this version, due to the upgrades being optional and unrelated to security. Any machine with an outdated version of PowerShell can still run the Get-SpeculationControlSettings function below, however, as long as you can obtain the contents of the script and run it ad-hoc.
Once installed, the following command will run the test to check your system:
PS > Get-SpeculationControlSettings
The output will look something like this:
Results for Spectre protections
The first grouping — "Speculation control settings for CVE-2017-5715 [branch target injection]" — refers to the protections in place for the Spectre vulnerability. If the value for "Windows OS support for branch target injection mitigation is present" is "True" then the Windows Security update has been successfully installed.
The other red lines in that section simply confirm that more complete mitigation for Spectre requires firmware updates, which Intel says it's in the process of rolling out. According to the company, updates for more than 90 percent of its processor products should be introduced by the end of next week.
Results for Meltdown protections
The second grouping — "Speculation control settings for CVE-2017-5754 [rogue data cache load]" — refers to the protections in place for the Meltdown vulnerability. If you see the following results and no red lines then you've confirmed the Windows Security update has been successfully implemented and the machine is protected:
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID optimization is enabled: True
Test results confirming successful mitigation of the Meltdown vulnerability
If you see any red lines in this section then that means the update has not been successfully applied. If that's the case, you'll need to follow step #2 below.
When both sections of these results are all green with no red lines that means the machine is verified as protected from Meltdown and Spectre exploitation.
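The same red/green reading, reduced to a pass/fail per CVE, as an added example that is not part of the original post or of Microsoft's module. It assumes the SpeculationControl module is loaded and that the object returned by Get-SpeculationControlSettings exposes the KVAShadow* and BTI* boolean properties named in the code; the check also treats hardware that does not require kernel VA shadowing as unaffected by Meltdown, which goes slightly beyond the all-True reading above.

```powershell
# Added example: summarise Get-SpeculationControlSettings as a per-CVE verdict.
function Test-SpeculationControlStatus {
    if (-not (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue)) {
        throw 'Get-SpeculationControlSettings not found: run Install-Module SpeculationControl, or dot-source the script file on PowerShell older than 5.0.'
    }

    # The function prints its coloured report to the host and also returns a
    # result object; only the object is used here.
    $s = Get-SpeculationControlSettings

    # Meltdown (CVE-2017-5754): the OS update is installed when kernel VA shadow
    # support is present, and effective when it is also enabled. Hardware that
    # does not require KVA shadowing is treated as not affected.
    $meltdownUpdate = [bool]$s.KVAShadowWindowsSupportPresent
    $meltdownOk     = (-not $s.KVAShadowRequired) -or ($s.KVAShadowWindowsSupportPresent -and $s.KVAShadowWindowsSupportEnabled)

    # Spectre variant 2 (CVE-2017-5715): the OS update is installed when branch
    # target injection support is present; enabling it also needs the firmware
    # (microcode) update, reported as BTIHardwarePresent.
    $spectreUpdate   = [bool]$s.BTIWindowsSupportPresent
    $spectreFirmware = [bool]$s.BTIHardwarePresent
    $spectreOk       = [bool]($s.BTIWindowsSupportPresent -and $s.BTIWindowsSupportEnabled)

    if (-not $meltdownUpdate -or -not $spectreUpdate) {
        $next = 'Windows security update missing: check the QualityCompat registry key (step 2).'
    } elseif (-not $spectreFirmware) {
        $next = 'OS update installed; apply the vendor firmware update for full Spectre mitigation.'
    } elseif (-not $meltdownOk -or -not $spectreOk) {
        $next = 'Mitigation support is present but disabled; check system policy settings.'
    } else {
        $next = 'Protected: OS and firmware mitigations are present and enabled.'
    }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        MeltdownOsUpdateInstalled = $meltdownUpdate
        MeltdownMitigated         = $meltdownOk
        SpectreOsUpdateInstalled  = $spectreUpdate
        SpectreFirmwarePresent    = $spectreFirmware
        SpectreMitigated          = $spectreOk
        NextStep                  = $next
    }
}

# Usage (elevated session, module installed as shown above):
Test-SpeculationControlStatus | Format-List
```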
If you haven't received the latest Windows Security update or your test results are coming back negative, it may be because the antivirus product you're running hasn't verified it is compatible with the update.
During tests, Microsoft apparently saw that some AVs weren't getting along with the update and were causing BSOD crashes. As a result, the company decided to put the onus on AV vendors to proactively confirm their products have been tested and/or updated and would not cause crashes. The way AV vendors verify this is by creating the following registry key on users' machines:
Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD" Data="0x00000000"
Note: Microsoft will not deliver the Windows update unless that registry key exists (more details here).
This has created a lot of confusion, especially since the response from AV vendors has varied, with some setting the registry key for their customers, others recommending users set it themselves manually, and others experiencing incompatibility issues. You can see an incomplete list of status details and updates put together by security researcher Kevin Beaumont here.
Update 1/12/18: Microsoft has clarified that Windows Defender Antivirus, System Center Endpoint Protection, and Microsoft Security Essentials are compatible with the update and do set the required registry key.
That means as long as you have one of these built-in Microsoft protections enabled the registry key should be set automatically — no further, manual action should be necessary.
Big caveat: If you are using third-party software that Microsoft officially recognizes as AV, it is important to note that, by default, Windows Defender and Microsoft Security Essentials will turn themselves off. That means the registry key won't be added unless you or your AV product actively adds it.
Here is a flow chart that can help you determine your situation:
Windows users who aren't using third-party antivirus and don't have Windows Defender or Microsoft Security Essentials enabled also need to set the registry key themselves, manually. To help, Bleeping Computer has put together a .reg file that automates that task here. They also issue a warning to make absolutely sure you're not running an AV that isn't compatible with the update before using it.
If you are using an AV and haven't received the Windows updates yet, you're advised to wait until your AV vendor either issues an update that sets the registry key for you, or recommends that you do so, yourself.
Though not recommended, you can also download the appropriate Windows Security update for your systems directly from Microsoft.
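The registry check behind the flow chart above, as an added example that is not part of the original post or of any vendor's tooling. It reads the QualityCompat value from the key listed above, lists the AV products Windows Security Center reports (the root/SecurityCenter2 namespace is assumed to exist, which is true on client SKUs but not on Server), and only creates the value when Set-QualityCompatKey is called explicitly.

```powershell
# Added example: report QualityCompat status and registered AV, set the key on request.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-QualityCompatStatus {
    # Windows Update offers the patch only when this REG_DWORD exists with data 0.
    $item    = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $present = ($null -ne $item) -and ($item.$ValueName -eq 0)

    # AV products registered with Windows Security Center (client SKUs only).
    try {
        $avs = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
                 Select-Object -ExpandProperty displayName)
    } catch {
        $avs = @()
    }

    # A registered third-party AV switches Windows Defender off, so Microsoft's
    # own AV will not set the key in that case (see the caveat above).
    $thirdParty = @($avs | Where-Object { $_ -notmatch 'Defender|Security Essentials' })

    if ($present) {
        $action = 'None: the update can be delivered.'
    } elseif ($thirdParty.Count -gt 0) {
        $action = 'Wait for ' + ($thirdParty -join ', ') + ' to confirm compatibility or set the key.'
    } else {
        $action = 'No AV present to set the key; set it manually with Set-QualityCompatKey.'
    }

    [pscustomobject]@{
        CompatKeyPresent   = $present
        AntiVirusProducts  = $avs
        ThirdPartyAvActive = ($thirdParty.Count -gt 0)
        Action             = $action
    }
}

function Set-QualityCompatKey {
    # Creates the key and value exactly as a compatible AV update would. Needs an
    # elevated session; returns $true when the value is verified afterwards.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    (Get-QualityCompatStatus).CompatKeyPresent
}

Get-QualityCompatStatus | Format-List
```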
Google, meanwhile, has announced patches for Spectre and Meltdown will be included in its next Chrome update scheduled for January 23. In the meantime, Chrome users are advised to turn on site isolation, which can help prevent a site from stealing data from another site. Firefox users can take additional precaution and enable site isolation, as well.
Apple has released Safari 11.0.2 with additional mitigations designed to defend against Spectre.