A Step-By-Step Guide to Patching Windows for the Spectre and Meltdown Vulnerabilities
(Updated 2/1/2018 10:00 AM CST)
If you’ve landed here, then you’re probably as confused as we have been about how to address the Meltdown / Spectre vulnerabilities in your computing environment. It’s not your fault: the announcement->patch->withdraw patch->wait cycle has been frustrating. This post will hopefully eliminate some of the confusion by giving you a peek into how we’re approaching this in-house, as well as with our own customers.
What are the Spectre / Meltdown vulnerabilities?
First of all, you should know that the details are incredibly complicated, as are possible attacks
(in fact, almost a month post-announcement, no exploit in the wild has yet been discovered). Update: On Feb. 1, SecurityWeek announced that 139 Proof of Concept samples had been received. See full article here). In a nutshell, a collection of vulnerabilities has been built into the architecture of virtually every modern processor on the market. Where this affects you is that whatever processor you’re using in your Windows computer, be it Intel or AMD, it needs to be patched. (It was originally thought that AMD processors were not included in the vulnerabilities, but, alas, on January 11, 2018, AMD announced that it, too, was vulnerable, to at least a subset of the listed bugs [AMD Announcement]).
These bugs, referred to as “side-channel attacks”, allow programs executing in the processor or performing memory operations in the processor, to peek across their boundaries into other processes that they don’t have explicit permission to read. So, for instance, if you’ve downloaded and executed malicious code on your computer, it could look across its boundaries into memory used by your password vault to read and export usernames and passwords. This is, admittedly, a very simple example, but this isn’t intended to be a detailed breakdown of the exploits; that’s been done very well here (original announcement), here (Google Project Zero) and here (Cyberus Technology).
Have Spectre and Meltdown been exploited in the wild?
As of January 31, 2018, no malicious programs have been found exploiting these vulnerabilities. (Update: On Feb. 1, SecurityWeek announced that 139 Proof of Concept samples had been received. See full article here. TLDR: This is not yet exploit code, but coders are obviously working their way toward that end.)
How do I start patching?
- Start with antivirus. Early in the patching process, it was determined that several antivirus vendors were making kernel calls that would crash Windows once operating system patches were applied. These calls were never recommended by Microsoft, and now we know why. As a part of its own set of patches, Microsoft included a new registry key that antivirus products would have to add to their update process to verify they were now compliant. Without this registry key, Microsoft will not apply operating system patches. If you have Windows Defender as your antivirus, then you’re good to go. If not, you may want to contact your A/V vendor directly, check this list for its status, or go straight to the registry and check for the key manually. (See link, above for key location).
- Update Windows. Once the A/V registry key has been entered, your computer should receive the Spectre / Meltdown operating system patches through Windows Update. You can manually force the update by visiting Start / Settings / Update & Security / Check for Updates (Windows 10) or Start / Control Panel / System and Security / Windows Update / Check for Updates (Windows 7). If you’re not using Automatic Updates, you can manually download and install the update for Windows 10 and Windows Server 2016 x64 here, Windows 10 x86 here, and Windows 7 and Windows Server 2008 R2 here.
- (Don’t) Update Firmware. That’s right do not update your computer’s firmware. To their credit, several hardware vendors including Lenovo, Dell, and HP rushed to get firmware out to address Spectre variant 2. This firmware was based on Intel’s own code, which, as it turns out, started crashing computers, and in some cases causing data loss. On January 22, 2018, Intel released a statement saying “We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior.” At this point, because there are still no active exploits for this vulnerability, and because the cure seems to be worse than the disease, we’re recommending that you wait to update your firmware.
- Download “Inspectre” From GRC. Because there are so many convoluted steps involved in patching for Spectre / Meltdown, it would be nice to have a tool that will examine your system to see that everything’s been applied successfully. Enter InSpectre from GRC. This great little utility serves several useful functions. First, it scans your system to see if all the operating system / firmware patches have been applied. Second, it provides an intelligent explanation of your system’s current status in each area, and any recommendations. Third, it gives you the ability to turn protection on or off. Why would you want to dis-able protection? One reason is performance: especially on older processors and operating systems, the impact on system performance has been reported to be considerable. If you decide the trade-off between security and performance is too high, you may want to disable protection. Second, if you have updated your system and notice instability, you may want to disable protection.
- Download Update KB4078130 (Optional). After Intel released its statement recommending users halt installation of new firmware microcode, Microsoft provided a tool to disable previously installed microcode. Once you download the update and run it, the buggy microcode will be disabled on your system. If this sounds a lot like the InSpectre tool, above, you’re correct; clicking the “Disable Spectre Protection” button in InSpectre does the same thing, and provides visual confirmation. For some reason, Microsoft’s tool provides no interface or confirmation that it does anything. I ran it several times, thinking it wasn’t doing anything. Thankfully, InSpectre showed me that the microcode had, in fact, been disabled by Microsoft.
This is the process we’re currently following at Shoestring Networks. As this is in a constant state of flux, and we’re still waiting for Intel to release reliable microcode, we’ll update this post as more information becomes available. This is going to be a long process: there’s no telling, once Intel’s code makes it into circulation, how long it will take to become available through PC manufacturers, or whether certain models (especially older computers) will get updated at all.
All in all, this is a great time to invest in computer stocks. As new processors hit the market Dell, HP and Lenovo are going to have a banner year.