Having trouble keeping up and making sense of all the Meltdown and Spectre patches being released? You're not alone. This guide will help.
Ever since news of Meltdown and Spectre — two massive CPU vulnerabilities affecting nearly every operating systems and device — hit, vendors have been racing to release updates to mitigate the flaws.
Things haven't exactly gone smoothly, with several incompatibility muck ups causing a lot of finger-pointing and frustration. To help clear things up, we've put together a quick guide that walks through the major updates to operating systems and browsers, explaining how they address Meltdown and/or Spectre, what they specifically don't address, and any known compatibility or performance issues that have been reported.
Use the links below to skip ahead:
For even more info, Bleeping Computer has put together a good list of official advisories, notices, patches, and updates organized by vendor.
Before we dive in, here's a quick recap of what Meltdown and Spectre are all about. For more in-depth details see our post, The Meltdown and Spectre CPU Bugs, Explained.
Meltdown is a CPU vulnerability that allows a user mode program to access privileged kernel-mode memory. It affects all out-of-order Intel processors released since 1995 with the exception of Itanium and pre-2013 Atoms. A list of vulnerable ARM processors and mitigations is listed here. No AMD processors are affected by Meltdown.
Of the two bugs, Meltdown is the easier one to fix, and can largely be addressed with operating system updates.
Spectre isn't so much a specific vulnerability as it's a new class of attack. It's enabled by the unintended side effects of speculative execution (something processors do to speed things up by predicting what instructions they're about to recieve and executing them ahead of time).
There are two flavors of Spectre — variant 1 (bounds check bypass, CVE-2017-5753) and variant 2 (branch target injection, CVE-2017-5715). Both can potentially allow attackers to extract information from other running processes (ex: stealing login cookies from browsers).
Intel, ARM, and AMD processors are all reportedly affected by Spectre to some degree, and it poses significant patching problems. While operating system and browser updates have helped mitigate the risk of Spectre to some degree, experts agree the only true fix is a hardware update. As such, Spectre is likely to remain an issue for years to come.
Source: SANS / Rendition Infosec. See the full presentation hereIt's important to note that both vulnerabilities put information disclosure at risk. Neither are remote execution vulnerabilities — in other words, they don't allow attackers to run malware.
Microsoft's process for releasing Windows updates addressing Meltdown and Spectre has been a bumpy road, marred by high-profile incompatibility issues with third-party antivirus (AV) software and AMD processors. In some cases, delivery of the latest security update has been restricted or suspended.
More details and direct download links to the updates below:
The existing 32 bit update packages listed in this advisory fully address CVE-2017-5753 and CVE-2017-5715, but do not provide protections for CVE-2017-5754 at this time. Microsoft is continuing to work with affected chip manufacturers and investigate the best way to provide mitigations for x86 customers, which may be provided in a future update.
Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD” Data="0x00000000”
This has created a lot of confusion, especially since the response from AV vendors has varied, with some setting the registry key for their customers and others recommending users set it, themselves, manually. The situation only gets more complicated considering many organizations have more than one AV solution installed.
Update: Microsoft has clarified that Windows Defender Antivirus, System Center Endpoint Protection, and Microsoft Security Essentials are compatible with the update and do set the required registry key.
That means as long as you have one of these built-in Microsoft protections enabled the registry key should be set automatically — no further, manual action should be necessary.
Big caveat: If you are using third party software that Microsoft offically recognizes as AV, it is important to note that, by default, Windows Defender and Microsoft Security Essentials will turn themselves off. That means the registry key won't be added unless you or your AV actively do it.
All that said, here is a flow chart that can help you determine your situation:
Windows users who aren't using a third party antivirus and don't have Windows Defender or Microsoft Security Essentials enabled will need to set the registry key themselves, manually. To help, Bleeping Computer has put together a .reg file that automates that task here. Note: They also issue a warning to make absolutely sure you're not running an AV that isn't compatible with the update before using it.
If you are using an AV and haven't received the Windows patch yet, you are advised to wait until your AV vendor either issues an update that sets the registry key for you or specifically recommends that you do so, yourself.
Microsoft has also advised Windows Server customers that they need to take the additional step of adding the following registry keys in order to enable patch protections.
To enable the fix:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f If this is a Hyper-V host and the firmware updates have been applied: fully shutdown all Virtual Machines (to enable the firmware related mitigation for VMs you have to have the firmware update applied on the host before the VM starts). Restart the server for changes to take effect.To disable this fix:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f Restart the server for the changes to take effect. (There is no need to change MinVmVersionForCpuBasedMitigations.)
Microsoft also notes that for Hyper-V hosts, live migration between patched and unpatched hosts may fail. The company also points to an alternative protection mechanism you can use on hosts that don't have updated firmware yet.
To help confirm whether updates have been implemented correctly Microsoft has provided a PowerShell script that system administrators can run to test Meltdown and Spectre mitigations.
The following command will install the PowerShell module:
PS > Install-Module SpeculationControl
Note: There are a couple of requirements for running this command. First, you'll need to be running PowerShell with admin privileges and may need to adjust execution policy. Also, the Install-Module command was introduced to PowerShell in version 5.0. Most Windows 7 machines will not have this version, due to the upgrades being optional and unrelated to security. Any machine with an outdated version of PowerShell can still run the Get-SpeculationControlSettings function below, however, as long as you can obtain the contents of the script and run it ad-hoc.
Once installed, the following command will run the test to check your system:
PS > Get-SpeculationControlSettings
The output will look something like this:
Results for Spectre protections
The first grouping — "Speculation control settings for CVE-2017-5715 [branch target injection] — refer to protections in place for the Spectre vulneralbility. If the value for "Windows OS support for branch target injection mitigation is present" is "True" then the Windows Security update has been successfully installed.
The other red lines in that section simply confirm that more complete mitigation for Spectre requires firmware updates, which Intel says it's in the process of rolling out. According to the company, updates for more than 90 percent of its processor products should be introduced by the end of next week.
Results for Meltdown protections
The second grouping — "Speculation control settings for CVE-2017-5754 [rogue data cache load] — refer to protections in place for the Meltdown vulneralbility. If you see the following results and no red lines then you've confirmed the Windows Security update has been successfully implemented and the machine is protected:
Hardware requires kernel VA shadowing: True Windows OS support for kernel VA shadow is present: True Windows OS support for kernel VA shadow is enabled: True Windows OS support for PCID optimization is enabled: True
Test results confirming successful mitigation of the Meltdown vulnerability
If you see any red lines in this section then that means the update has not been successfully applied. For more details on interpreting the PowerShell script output, Microsoft has a full results key here.
Apple included mitigations to address Meltdown in its macOS 10.13.2 and iOS 11.2 updates released in December. It has since followed up with additional mitigations addressing Spectre with the just-issued macOS High Sierra 10.13.2 Supplemental Update and iOS 11.2.2 update.
After being left out of the loop, Linux developers are making significant progress on patches, even if they're not particularly happy about being put in this position. The latest update of the stable Linux kernel (4.14.13) includes patches designed to mitigate Meltdown with Kernel Page Table Isolation (KPTI). More comprehensive patches (including fixes for ARM64 processors) will be available in 4.15, scheduled for release in two weeks.
Patches have also been added to the 4.4 and 4.9 stable kernel trees.
Canonical has released a second update for Ubuntu 16.04 LTS Xenial users after the first caused boot issues. You can find the new update with Linux kernel image 4.4.0-109 here.
A simple script has been developed to help determine whether Linux kernel installations are still vulnerable to Meltdown and Spectre after applying patches. You can find it along with installation instructions here.
Google has announced it will be including mitigations for Spectre starting with Chrome 64, which will be released on or around January 23. In the meantime, Chrome users are advised to turn on site isolation, which can help prevent a site from stealing data from another site.
Mozilla has already issued Firefox version 57.0.4, which helps address Spectre by disabling or reducing Firefox's internal timer functions and disabling the SharedArrayBuffer feature. Firefox users can take additional precaution by enabling site isolation, as well.
Apple has released Safari 11.0.2 to specifically mitigate the effects of Spectre.
Microsoft has made changes to both Internet Explorer 11 and Microsoft Edge to mitigate Spectre. In addition to removing support for SharedArrayBuffer from Edge, it has made changes to reduce the precision of several time sources to make successful attacks more difficult.
OS and browser updates only partially mitigate Meltdown and Spectre. Organizations need to be prepared for UEFI firmware and BIOS updates, as well. When and whether updates will be pushed out will vary from vendor to vendor, adding another layer of complexity and uncertainty to patching. In some cases, admins may have to proactively check for updates from their PC makers periodically over the next few days or weeks.
Update 1/12/18: Intel has released new Linux Processor microcode data files that can be used to add Meltdown and Spectre mitigations without having to perform a BIOS update.
Intel went on record promising firmware updates for 90 percent of affected processors made in the past five years by January 15. So far, it looks as though these microcode fixes apply to a specific list of processors provided here.
The microcode updates can be downloaded directly from Intel, and Bleeping Computer has provided instructions and a video example to help walk admins through the install process here. It should be noted that some issues have already been reported with the updates, specifically around unwanted reboots. While Intel initially confirmed machines with Broadwell and Haswell CPUs were experiencing that issue, later the company said machines running newer processors were affected, too (more details below).
Windows users need to wait until Microsoft finishes testing the microcode and releases an additional update.
Update 1/12/18: AMD has officially acknowledged that its processors are vulnerable to both variants of Spectre, but not Meltdown. While the company says OS patches are enough to mitigate Spectre variant 1, it will be rolling out optional microcode updates this week, starting with fixes for Ryzen and EPYC processors.
According to IBM, firmware patches for POWER7+, POWER8, and POWER9 platforms are all currently available via FixCentral. The company says Power7 patches will be available February 7. In addition, it estimates IBM i operating system patches (also available via FixCentral) will finish rolling out on February 12, and AIX patches will be available starting January 26.
For now, the generally recommended course of action is not to panic and instead take the time to properly assess, test, and carefully implement OS and firmware updates as they are made available — especially since there have been a variety of widespread compatibility issues already.
Information around Meltdown and Spectre is still being circulated, debated, and processed, so there is likely much more to come. We'll be following closely and providing updates as they become available.
Get the latest security news, tips, and trends straight to your inbox.