We're starting off 2018 with a bang -- a big patching bang. All supported versions of Windows are getting an emergency patch to fix flaws in Intel CPU chips that could lead to attackers gaining more information about your systems including passwords and other confidential information. You'll have read about this -- the press have already labeled the flaws as the Meltdown and Spectre bugs.
As Microsoft said in "ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities:"
Microsoft is aware of a new publicly disclosed class of vulnerabilities referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems including Intel, AMD, and ARM. Note: this issue will affect other systems such as Android, Chrome, iOS, MacOS, so we advise customers to seek out guidance from those vendors.
Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services.
Microsoft has not received any information to indicate that these vulnerabilities have been used to attack customers at this time. Microsoft continues working closely with industry partners including chip makers, hardware OEMs and app vendors to protect customers. To get all available protections, hardware/firmware and software updates are required. This includes microcode from device OEMs and in some cases updates to AV software as well.
Because this is a kernel update that interacts with antivirus utilities, there is a big "BUT" in how you might get this update: You'll receive it once your antivirus vendor has proven that it can handle the update. The proof will be adding a registry key to the operating system. If this registry key is not added, you won't get the update offered up to you.
If you want to visually see if your systems are prepared for this update, you can click on Start, type in regedit and click to approve the elevated prompt. Then you'll need to drill down to review the following registry key. Note that each bullet point represents a level you'll need to drill down to:
- HKEY_LOCAL_MACHINE
- SOFTWARE
- Microsoft
- Windows
- CurrentVersion
- QualityCompat
In the right-hand side in the registry, look for the value as shown below:
Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"Type="REG_DWORD”Data="0x00000000”
If you see these values, your antivirus vendor has updated itself and it's safe to install this patch. If you don't see this registry value, this means your system (and, therefore, your antivirus vendor) is not ready for this update. Do not manually enter this key, nor manually download this update from the catalog site to install this update.
This Google docs file is maintaining an unofficial listing of vendors that have updated to support this patch and therefore sidestep the Meltdown and Spectre vulnerabilities.
For Windows 10 you'll see the following updates:
- KB4056892 for Windows 10 1709
- KB4056891 for Windows 10 1703
- KB4056890 for Windows 10 1607
- KB4056888 for Windows 10 1511
- KB4056893 for Windows 10 RTM (for those running Long Term Servicing Branch)
Windows 8.1 and Windows 7 are also receiving out-of-band updates, but only in the WSUS channel. For home users, you'll see the normal cumulative update next week.
For those in businesses, you'll see:
For small businesses, my usual advice to wait for patch side effects to shake out applies: consider waiting until next week to wait to patch.
In addition to these operating systems updates, start looking for firmware updates that eliminate the vulnerabilities introduced via Meltdown and Spectre. I would recommend going to your hardware vendors and look for any firmware
Now comes the bad news: You may see a performance hit by installing this update. Some tech sites are indicating that performance hits on Linux can be as high as 35 percent.
If you want to see whether your systems' computing performance will be impacted, run this CPU benchmark test before the patch and then after the update to see the impact on your own system.
While you are there patching your workstations, review whether you have any additional overdue firmware updates that need to be installed. This isn't the first bug in the Intel chipset; in November, Intel posted about a series of chip bugs that the company has since fixed through firmware updates available via their advisory page. Please review whether you need firmware patches as well by downloading Intel's testing tool.
What to do: I recommend checking to see if your system can receive the update. When your system is ready, test it to see what the performance hit (if any) will be, see if there have been any reports of patch side effects, and then update your system.
