Or, All you need to know about windows patches
for Meltdown and Spectre vulnerabilities
Descriptions
Microsoft's
process for releasing Windows updates addressing Meltdown and Spectre has been
a good and well as problematic causing high-profile incompatibility issues with
third-party antivirus (AV) software and AMD processors. In some cases, delivery
of the latest security update has been restricted or suspended by Microsoft.
More
details and direct download links to the updates below:
- Windows 10
Various Versions
- Windows 8
and Windows Server 2012
- Windows
8.1 and Server 2012 R2— KB4056898 (issued 1/3/18)
- No patches
available for Windows Server 2012 non-R2 version
- Windows 7
and Windows Server 2008
- Windows 7
SP1 and Server 2008 R2 SP1 — KB4056897 (Security only, issued 1/3/18)
- Windows 7
SP1 and Server 2008 R2 SP1 — KB4056894 (Monthly rollup, issued 1/4/18)
- No patches
available for Windows Server 2008 non-R2 version
What they addressed in these fixes
- Spectre
variant 1, bounds check bypass (CVE-2017-5753)
- Meltdown,
rogue data cache load (CVE-2017-5754)
UPDATE (1/17/18): As readers have pointed out, it appears Windows patches for 32-bit systems (x86-based systems) do not provide Meltdown mitigations.
Per Microsoft:
The existing 32 bit update packages listed in this advisory
fully address CVE-2017-5753 and CVE-2017-5715, but do not provide protections
for CVE-2017-5754 at this time. Microsoft is continuing to work with affected
chip manufacturers and investigate the best way to provide mitigations for x86
customers, which may be provided in a future update.
What they don't address in these fixes:
- Spectre
variant 2, branch target injection (CVE-2017-5715) — firmware updates are
required to fully address Spectre variant 2.
Known issues with AV agents (also explained in MS Advisory):
- AV
compatibility issues: During
tests, Microsoft discovered that a compatibility issue with "a small
number of antivirus software products" was causing system crashes. As
a result, the company has made
delivery of the Windows security updates linked to above contingent on the
presence of a special registry key, which it has instructed all AV
vendors to add to customer devices only after they've confirmed their
products are compatible.
This deserves reiterating — Microsoft will not deliver the Windows update unless the following registry key exists (more details here):
Key="HKEY_LOCAL_MACHINE"
Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD”
Data="0x00000000”
This
has created a lot of confusion, especially since the response from AV vendors
has varied, with some setting the registry key for their customers and others
recommending users set it, themselves, manually. The situation only gets
more complicated considering many organizations have more than one AV solution
installed.
Update: Microsoft has clarified
that Windows Defender Antivirus, System Center Endpoint Protection, and
Microsoft Security Essentials are compatible with the update and do set
the required registry key.
That means as long as you have one of these built-in Microsoft protections enabled the registry key should be set automatically — no further, manual action should be necessary.
That means as long as you have one of these built-in Microsoft protections enabled the registry key should be set automatically — no further, manual action should be necessary.
Be careful: If you are
using third party
software that Microsoft offically recognizes as AV, it is important to
note that, by default, Windows Defender and Microsoft Security Essentials will
turn themselves off. That means the registry key won't be added unless you or
your AV actively do it.
It’s
better approach that, you first reach out to your AV vendor and ask for AV
update/upgrade patches which ensures the compatibility with these MS updates.
After installing AV patches, you should proceed with windows patches
installation for smooth deployment. This means not that, you can’t update
windows patches without updating AV.
Some Additional References:
ADV180002 | Guidance to mitigate speculative
execution side-channel vulnerabilities
Question: I have an AMD-based device and
compatible antivirus software, but I am not getting the January 2018 Windows
Security Update. Why is that?
Answer: Microsoft has received reports that some devices
using certain AMD processors can enter an unbootable state after installing the
January Windows security updates. To prevent this, Microsoft has temporarily
suspended automatically sending the following Windows security updates to
devices with affected AMD processors:
·
KB4056892
·
KB4056891
·
KB4056890
·
KB4056888
·
KB4056893
·
KB4056898
·
KB4056897
·
KB4056894
·
KB4056895
Microsoft is working with AMD to resolve this issue
and to resume offering Windows security updates to the affected AMD devices via
Windows Update and WSUS as soon as possible. For AMD device-specific
information please contact AMD.
Server
Operating Systems (Affected Table):
|
Operating
system version
|
Update
KB
|
|
Windows
Server, version 1709 (Server Core Inst..)
|
|
|
Windows
Server 2016
|
|
|
Windows
Server 2012 R2
|
|
|
Windows
Server 2012
|
Not
available
|
|
Windows
Server 2008 R2
|
|
|
Windows
Server 2008
|
Not
available
|
Windows
Client:
AV Agent
Relational Advisory by MS:
Unbootable
state for AMD devices in Windows 8.1 and Windows Server 2012 R2
Reference
KBs
KB4073576
is not applicable for Intel platform
KB4073576 is
applicable for Client machines on Windows 8.1 AMD platform
Cheers, Please write me back if you have any feedback or suggestions..
