Friday 26 January 2018

Windows Patches for Meltdown and Spectre remediation

Or, All you need to know about windows patches for Meltdown and Spectre vulnerabilities

Or, Microsoft Windows Operating Systems Patches for Meltdown and Spectre Vulnerabilities

Microsoft's process for releasing Windows updates addressing Meltdown and Spectre has been a good and well as problematic causing high-profile incompatibility issues with third-party antivirus (AV) software and AMD processors. In some cases, delivery of the latest security update has been restricted or suspended by Microsoft.

More details and direct download links to the updates below:  
What they addressed in these fixes
  • Spectre variant 1, bounds check bypass (CVE-2017-5753)
  • Meltdown, rogue data cache load (CVE-2017-5754)

    UPDATE (1/17/18): As readers have pointed out, it appears Windows patches for 32-bit systems (x86-based systems) do not provide Meltdown mitigations.
    Per Microsoft:
The existing 32 bit update packages listed in this advisory fully address CVE-2017-5753 and CVE-2017-5715, but do not provide protections for CVE-2017-5754 at this time. Microsoft is continuing to work with affected chip manufacturers and investigate the best way to provide mitigations for x86 customers, which may be provided in a future update.

What they don't address in these fixes:
  • Spectre variant 2, branch target injection (CVE-2017-5715) — firmware updates are required to fully address Spectre variant 2. 
Known issues with AV agents (also explained in MS Advisory):
Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD”
This has created a lot of confusion, especially since the response from AV vendors has varied, with some setting the registry key for their customers and others recommending users set it, themselves, manually. The situation only gets more complicated considering many organizations have more than one AV solution installed. 
Update: Microsoft has clarified that Windows Defender Antivirus, System Center Endpoint Protection, and Microsoft Security Essentials are compatible with the update and do set the required registry key.

That means as long as you have one of these built-in Microsoft protections enabled the registry key should be set automatically — no further, manual action should be necessary. 

Be careful: If you are using third party software that Microsoft offically recognizes as AV, it is important to note that, by default, Windows Defender and Microsoft Security Essentials will turn themselves off. That means the registry key won't be added unless you or your AV actively do it. 
It’s better approach that, you first reach out to your AV vendor and ask for AV update/upgrade patches which ensures the compatibility with these MS updates. After installing AV patches, you should proceed with windows patches installation for smooth deployment. This means not that, you can’t update windows patches without updating AV.

Some Additional References:

ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities

Question: I have an AMD-based device and compatible antivirus software, but I am not getting the January 2018 Windows Security Update. Why is that?

Answer: Microsoft has received reports that some devices using certain AMD processors can enter an unbootable state after installing the January Windows security updates. To prevent this, Microsoft has temporarily suspended automatically sending the following Windows security updates to devices with affected AMD processors:
·         KB4056892
·         KB4056891
·         KB4056890
·         KB4056888
·         KB4056893
·         KB4056898
·         KB4056897
·         KB4056894
·         KB4056895

Microsoft is working with AMD to resolve this issue and to resume offering Windows security updates to the affected AMD devices via Windows Update and WSUS as soon as possible. For AMD device-specific information please contact AMD.

Server Operating Systems (Affected Table):

Operating system version
Update KB
Windows Server, version 1709 (Server Core Inst..)
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Not available
Windows Server 2008 R2
Windows Server 2008
Not available

Windows Client:

AV Agent Relational Advisory by MS:

Unbootable state for AMD devices in Windows 8.1 and Windows Server 2012 R2

Reference KBs

KB4073576 is not applicable for Intel platform

KB4073576 is applicable for Client machines on Windows 8.1 AMD platform

Cheers, Please write me back if you have any feedback or suggestions..

No comments:

Post a Comment