Microsoft To Set Fixes in Place of Meltdown and Spectre Flaws

Jason-Meilleur-Headshot-Square
Written by: Jason Meilleur
Published: January 9, 2018
 

After last week’s news broke on the Intel’s security flaw, developers and cloud based supporters have been scrambling to adjust and create patches to help secure a single fix against the Meltdown and Spectre exploit. As the issue continues to affect other operating systems such as Android, Chrome, iOS and MacOS, provider’s such as Microsoft have already begun releasing several updates and patches to help mitigate the vulnerabilities.

Microsoft began beta-testing Meltdown protection as of late November last year, and as of January 3rd they have released Security-only Updates. Below you will find a complete list of all Microsoft Security fixes as well as additional Microsoft resources to help you protect your server against future vulnerabilities.

Updated February 2, 2018

As of January 31st, Microsoft has released its third cumulative update for the Windows 10 Fall Creators Update (version 1709) for the month of January. The update takes Windows 10 build 16299.214 and resolves issues in KB4056892 that was pushed out earlier in January in response to help fix the Meltdown and Spectre exploits. There are no new features in this update, just a range of bug fixes, quality improvements and fixes for compatibility issues.
The KB4056892 fixes are

  • Addresses a compatibility issue where colors are distorted when the system is connected to displays that support wide color gamut.
  • Addresses a condition where a second monitor that is connected to legacy AMD display adapters flashes after waking from sleep.
  • Addresses issue that causes delays when switching keyboard languages using Alt+Shift.
  • Addresses compatibility issues when rendering certain closed captions or subtitle formats during video playback.
  • Addresses issue where the Microsoft Edge Allow Extension Group Policy for the disabled state was not working.
  • Provides additional protections for 32-bit (x86) versions of Windows 10, version 1709.
  • Resolves the issue reported by some customers on a small subset of older AMD processors where the processor entered an unbootable state after installing January 3, 2018—KB4056892 (OS Build 16299.192).

There are three known issues in this update.

  1. An odd bug is causing Windows Update History to report that KB4054517 from December 12 has failed to install. Users can select Check for updates to ensure they’re not missing any available updates. Microsoft is working on a fix.
  2.  There are also remaining problems caused by the compatibility requirements Microsoft has imposed on third-party antivirus as a result of its fixes for Meltdown and Spectre.
  3. After installing this update, users may also notice problems logging into some websites when using third-party account credentials in Edge. Microsoft says it is working on a resolution.

Microsoft Set Fixes

  1. Microsoft has released a PowerShell Script that can check if your PC is vulnerable to Meltdown and Spectre. The script outlines recommended actions and a step-by-step process that customers can run on their systems to ensure key security settings are enabled.

Use the following steps to install and run the test:

  1. Press the Windows key and type PowerShell.
  2. Right click the PowerShell shortcut and select Run as Administrator.
  3. Type Install-Module SpeculationControl and press Enter.
  4. If you are prompted to install the NuGet provider, type Y and press Enter, and repeat if you are warned about installing from an untrusted repository.
  5. With the installation complete, type Import-Module SpeculationControl and press Enter.
  6. Type Get-SpeculationControlSettings and press Enter.
  1. In addition, Microsoft recommends modifying Edge and Internet Explorer as they are at particular risk for this type of attack. The modification will remove support for SharedArrayBuffer from Microsoft Edge, and will also reduce the resolution of performance.now() in Microsoft Edge and Internet Explorer from 5 microseconds to 20 microseconds, with variable jitter of up to an additional 20 microseconds.
  1. Microsoft has also updated their Azure Cloud Computing platform to protect against Meltdown. This is a planned maintenance at the HyperVision level, meaning that any Virtual Machines (VM) running on Azure will not need to be patched to protect against Meltdown.

These improved security updates and increased quality control will substantially increase the difficulty of browser-based attacks such as password theft.

ATTENTION!

Microsoft Has Blocked a Number of Security Updates for Some AMD Based PC’s after discovering that installing the security updates (stated above) has left some devices unable to boot.
Some supports claim that the compatibility with some set Microsoft fixes is freezing some PCs with AMD chips. As a result, Microsoft will temporarily pause sending the following Windows system updates devices with AMD processors:

  • January 3, 2018–KB4056897 (Security-only update)
  • January 9, 2018–KB4056894 (Monthly Rollup)
  • January 3, 2018–KB4056888 (OS Build 10586.1356)
  • January 3, 2018–KB4056892 (OS Build 16299.192)
  • January 3, 2018–KB4056891 (OS Build 15063.850)
  • January 3, 2018–KB4056890 (OS Build 14393.2007)
  • January 3, 2018–KB4056898 (Security-only update)
  • January 3, 2018–KB4056893 (OS Build 10240.17735)
  • January 9, 2018–KB4056895 (Monthly Rollup)

What You Can Do?

If you are unable to install the Meltdown patch at this time. It is essential that you update your browser. Firefox, Chrome, Internet Explorer, and Edge have all been updated with protections against the exploit. In addition, be sure to keep an eye on your security software when working without the Patch. Keeping an up to date software can keep malware off your PC.

We will continue to monitor this issue and provide any updates on this post as they arise. If you would like to receive more up to date information about technology related news, please sign up for our newsletter at the bottom of the page.

For additional Microsoft Resources see:

Security Advisory ADV180002 | A Microsoft Security Update Guide
Windows Security Update | Released January 3, 2018, and antivirus software
Windows Client Guidance for IT Pros | To protect against speculative execution side-channel vulnerabilities
Windows Server Guidance | To protect against speculative execution side-channel vulnerabilities
Microsoft Edge and Internet Explorer | How to mitigate speculative execution and side-channel attacks
Microsoft Cloud Protections | against speculative execution side-channel vulnerabilities
Guide to protect SQL Server | against speculative execution side-channel vulnerabilities

After last week’s news broke on the Intel’s security flaw, developers and cloud based supporters have been scrambling to adjust and create patches to help secure a single fix against the Meltdown and Spectre exploit. As the issue continues to affect other operating systems such as Android, Chrome, iOS and MacOS, provider’s such as Microsoft have already begun releasing several updates and patches to help mitigate the vulnerabilities.

Microsoft began beta-testing Meltdown protection as of late November last year, and as of January 3rd they have released Security-only Updates. Below you will find a complete list of all Microsoft Security fixes as well as additional Microsoft resources to help you protect your server against future vulnerabilities.

Updated February 2, 2018

As of January 31st, Microsoft has released its third cumulative update for the Windows 10 Fall Creators Update (version 1709) for the month of January. The update takes Windows 10 build 16299.214 and resolves issues in KB4056892 that was pushed out earlier in January in response to help fix the Meltdown and Spectre exploits. There are no new features in this update, just a range of bug fixes, quality improvements and fixes for compatibility issues.
The KB4056892 fixes are

  • Addresses a compatibility issue where colors are distorted when the system is connected to displays that support wide color gamut.
  • Addresses a condition where a second monitor that is connected to legacy AMD display adapters flashes after waking from sleep.
  • Addresses issue that causes delays when switching keyboard languages using Alt+Shift.
  • Addresses compatibility issues when rendering certain closed captions or subtitle formats during video playback.
  • Addresses issue where the Microsoft Edge Allow Extension Group Policy for the disabled state was not working.
  • Provides additional protections for 32-bit (x86) versions of Windows 10, version 1709.
  • Resolves the issue reported by some customers on a small subset of older AMD processors where the processor entered an unbootable state after installing January 3, 2018—KB4056892 (OS Build 16299.192).

There are three known issues in this update.

  1. An odd bug is causing Windows Update History to report that KB4054517 from December 12 has failed to install. Users can select Check for updates to ensure they’re not missing any available updates. Microsoft is working on a fix.
  2.  There are also remaining problems caused by the compatibility requirements Microsoft has imposed on third-party antivirus as a result of its fixes for Meltdown and Spectre.
  3. After installing this update, users may also notice problems logging into some websites when using third-party account credentials in Edge. Microsoft says it is working on a resolution.

Microsoft Set Fixes

  1. Microsoft has released a PowerShell Script that can check if your PC is vulnerable to Meltdown and Spectre. The script outlines recommended actions and a step-by-step process that customers can run on their systems to ensure key security settings are enabled.

Use the following steps to install and run the test:

  1. Press the Windows key and type PowerShell.
  2. Right click the PowerShell shortcut and select Run as Administrator.
  3. Type Install-Module SpeculationControl and press Enter.
  4. If you are prompted to install the NuGet provider, type Y and press Enter, and repeat if you are warned about installing from an untrusted repository.
  5. With the installation complete, type Import-Module SpeculationControl and press Enter.
  6. Type Get-SpeculationControlSettings and press Enter.
  1. In addition, Microsoft recommends modifying Edge and Internet Explorer as they are at particular risk for this type of attack. The modification will remove support for SharedArrayBuffer from Microsoft Edge, and will also reduce the resolution of performance.now() in Microsoft Edge and Internet Explorer from 5 microseconds to 20 microseconds, with variable jitter of up to an additional 20 microseconds.
  1. Microsoft has also updated their Azure Cloud Computing platform to protect against Meltdown. This is a planned maintenance at the HyperVision level, meaning that any Virtual Machines (VM) running on Azure will not need to be patched to protect against Meltdown.

These improved security updates and increased quality control will substantially increase the difficulty of browser-based attacks such as password theft.

ATTENTION!

Microsoft Has Blocked a Number of Security Updates for Some AMD Based PC’s after discovering that installing the security updates (stated above) has left some devices unable to boot.
Some supports claim that the compatibility with some set Microsoft fixes is freezing some PCs with AMD chips. As a result, Microsoft will temporarily pause sending the following Windows system updates devices with AMD processors:

  • January 3, 2018–KB4056897 (Security-only update)
  • January 9, 2018–KB4056894 (Monthly Rollup)
  • January 3, 2018–KB4056888 (OS Build 10586.1356)
  • January 3, 2018–KB4056892 (OS Build 16299.192)
  • January 3, 2018–KB4056891 (OS Build 15063.850)
  • January 3, 2018–KB4056890 (OS Build 14393.2007)
  • January 3, 2018–KB4056898 (Security-only update)
  • January 3, 2018–KB4056893 (OS Build 10240.17735)
  • January 9, 2018–KB4056895 (Monthly Rollup)

What You Can Do?

If you are unable to install the Meltdown patch at this time. It is essential that you update your browser. Firefox, Chrome, Internet Explorer, and Edge have all been updated with protections against the exploit. In addition, be sure to keep an eye on your security software when working without the Patch. Keeping an up to date software can keep malware off your PC.

We will continue to monitor this issue and provide any updates on this post as they arise. If you would like to receive more up to date information about technology related news, please sign up for our newsletter at the bottom of the page.

For additional Microsoft Resources see:

Security Advisory ADV180002 | A Microsoft Security Update Guide
Windows Security Update | Released January 3, 2018, and antivirus software
Windows Client Guidance for IT Pros | To protect against speculative execution side-channel vulnerabilities
Windows Server Guidance | To protect against speculative execution side-channel vulnerabilities
Microsoft Edge and Internet Explorer | How to mitigate speculative execution and side-channel attacks
Microsoft Cloud Protections | against speculative execution side-channel vulnerabilities
Guide to protect SQL Server | against speculative execution side-channel vulnerabilities

Related Posts