Meltdown and Spectre related question

  • Question

  • Hi,

    I received an advisory from Trend Micro about a potential problem with the automatic application of the new MS patches (Meltdown and Spectre). It refers to updating a registry key to allow automatic updates.

    I guess that WSUS clients will be affected in the same way as machines getting patches directly from the MS catalog.

    But I decided to ask... Maybe a WSUS environment will not be affected?

    Thx.

    ***********************

    Summary:

    On January 3, 2018, Microsoft began to release its monthly Security Bulletin early for some platforms due to newly revealed CPU security flaws - commonly referred to as "Meltdown" and "Spectre".  Microsoft's January 2018 patches implement new requirements (KB4072699) to target the delivery of the patches and to ensure that security and anti-malware software is compatible.  
    Microsoft has requested that security vendors verify product compatibility with this new patch, and Trend Micro commercial endpoint and server security products - including Trend Micro OfficeScan, Worry-Free Business Security, and Deep Security - are affected by these new Microsoft requirements.  Our compatibility testing is underway and the latest information can be found below.  
    If the Trend Micro products you are using are listed as compatible, customers running these products will require a new Microsoft Windows registry key to allow the Windows Update to occur automatically.


    --- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis

    Friday, January 5, 2018 2:13 PM

Answers

  • Hi,

    >>Anyway, would be interesting what CPUs are affected.

    As for Intel CPUs, the article below lists them:

    https://www.tweaktown.com/news/60411/heres-list-intel-cpus-affected-spectre-meltdown/index.html

    Best Regards,

    Elton


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by pob579 Tuesday, January 9, 2018 12:36 PM
    Tuesday, January 9, 2018 2:15 AM
    Moderator
    > With so much info about Melt and Spec, often a bit contradictory, I would like to ask a question...
    >
    > One of my colleagues mentioned that Meltdown could not be patched at OS level.
    >
    > Only a BIOS update can protect against Meltdown.
    >
    > He stated that Microsoft patches (obviously talking only about Windows) are only for patching the Spectre issue.
    >
    > Can somebody provide a link to a clear explanation (doesn't need to be extremely technical) of what the patches are actually doing (covering)?

    Your colleague is mistaken (but, it is a complex set of scenarios, so can be forgiven ;)

    https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/

    See the section titled: 

    What Steps Should I Take to Help Protect My System?

    Spectre : CVE-2017-5753 : Variant 1 : Bounds Check Bypass
    Compiler change; recompiled binaries now part of Windows Updates
    Edge & IE11 hardened to prevent exploit from JavaScript
    Silicon Microcode Update ALSO Required on Host : No

    Spectre : CVE-2017-5715 : Variant 2 : Branch Target Injection
    Calling new CPU instructions to eliminate branch speculation in risky situations
    Silicon Microcode Update ALSO Required on Host : Yes

    Meltdown : CVE-2017-5754 : Variant 3 : Rogue Data Cache Load
    Isolate kernel and user mode page tables
    Silicon Microcode Update ALSO Required on Host : No

    Microcode updates availability can be found here: https://support.microsoft.com/en-us/help/4073757/protect-your-windows-devices-against-spectre-meltdown

    Also, note that there are particular steps MSFT is taking so as to not activate the corrections in some situations; this is to avoid BSODing the PC due to anti-virus software incompatibilities.

    Also, note that Windows client OS (7/8/10) is being treated differently than Windows Server OS, so take special care to read the details very thoroughly.

    Also note that there are extra considerations for virtualization scenarios (because hypervisors use firmware emulation = microcode for each guest VM)

    NB: microcode = the firmware which needs updating, and is shipped as a 'BIOS' update


    Don [doesn't work for MSFT, and they're probably glad about that ;]




    • Edited by DonPick Saturday, January 13, 2018 4:50 AM
    • Marked as answer by pob579 Saturday, January 13, 2018 12:55 PM
    Saturday, January 13, 2018 4:47 AM
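    A way to check, on a given Windows host, which of the three variants Don lists above are actually mitigated. This is an added example, not code from the thread; it uses Microsoft's SpeculationControl PowerShell module (published on the PowerShell Gallery alongside KB4073757, and not mentioned on this page). The property names are those the module's Get-SpeculationControlSettings returns; the function Get-VariantStatus and its wording are this example's own. Variant 1 (CVE-2017-5753) is not reported by the module, because its fix is a per-binary compiler change rather than a system-wide switch.

```powershell
# Added example (not from the thread). Maps Get-SpeculationControlSettings output
# onto the variant table above: Variant 2 needs microcode AND OS support,
# Variant 3 (Meltdown) needs only the OS-side kernel/user page table isolation.
# Run in an elevated PowerShell; Install-Module needs Gallery access or a local repo.

if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl

# The module prints its own summary to the console and also returns an object.
$settings = Get-SpeculationControlSettings

function Get-VariantStatus {
    # Helper defined by this example; not part of the Microsoft module.
    param([Parameter(Mandatory)] $Settings)

    # CVE-2017-5715 (Branch Target Injection): hardware (microcode) support must be
    # present AND the Windows mitigation must be enabled. Missing microcode means the
    # January 2018 OS update alone does not close this one.
    $v2 = if ($Settings.BTIHardwarePresent -and $Settings.BTIWindowsSupportEnabled) { 'Mitigated' }
          elseif (-not $Settings.BTIHardwarePresent)                                  { 'Needs microcode (firmware/BIOS) update' }
          elseif (-not $Settings.BTIWindowsSupportPresent)                            { 'Needs January 2018 OS update' }
          else                                                                        { 'OS support present but disabled (check registry/policy)' }

    # CVE-2017-5754 (Rogue Data Cache Load / Meltdown): no microcode needed. The OS
    # mitigation is "KVA shadow" (separate kernel and user page tables). On CPUs the
    # module does not consider affected (e.g. AMD) KVAShadowRequired is $false.
    $v3 = if (-not $Settings.KVAShadowRequired)                   { 'Not required on this CPU' }
          elseif ($Settings.KVAShadowWindowsSupportEnabled)      { 'Mitigated' }
          elseif (-not $Settings.KVAShadowWindowsSupportPresent) { 'Needs January 2018 OS update' }
          else                                                   { 'OS support present but disabled (check registry/policy)' }

    [pscustomobject]@{
        'Variant 2 (CVE-2017-5715)' = $v2
        'Variant 3 (CVE-2017-5754)' = $v3
        'Microcode present'         = [bool]$Settings.BTIHardwarePresent
        'KVA shadow required'       = [bool]$Settings.KVAShadowRequired
    }
}

Get-VariantStatus -Settings $settings | Format-List
```

    The "present but disabled" outcome is the Server case Don mentions: on Windows Server the January 2018 OS-side mitigations ship disabled and have to be switched on through the registry values described in Microsoft's KB4072698 (not quoted on this page), whereas on the client SKUs they are on once the update and, for Variant 2, the microcode are in place.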

All replies

  • I've received the same info from Trend,

    https://success.trendmicro.com/solution/1119183
    and it seems I just need to make a registry entry to allow clients to get the update from Windows Update. But do I need to make the change on all my clients that get their updates from WSUS too?

    Friday, January 5, 2018 2:48 PM
  • Looks like Trend Micro just released a patch to automatically push the registry key to clients.
    Friday, January 5, 2018 9:30 PM
  • I would like to have an answer from Microsoft people...

    Is Update functionality affected on WSUS client machines by latest changes on UPDATE side?


    --- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis

    Saturday, January 6, 2018 11:18 AM
  • > I would like to have an answer from Microsoft people...
    >
    > Is Update functionality affected on WSUS client machines by latest changes on UPDATE side?
    >
    > --- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis

    Hi,

    Yes, the WSUS client machines may be affected in receiving the January 2018 "security updates".

    A similar issue was mentioned in the following thread:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/fccffe10-4131-4c9a-964b-39a33f9c09de/update-kb4056892-approved-and-not-being-seen-by-any-client?forum=winserverwsus

    As article 4072699 mentions: "The antivirus software must set a registry key as described below in order to receive the January 2018 security updates."

    https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software

    If any clients cannot receive the January 2018 updates, please first check whether the registry key was configured.

    If not, you may manually edit it to install the January 2018 security updates.

    Best Regards,

    Elton



    • Proposed as answer by RabanserD Monday, January 8, 2018 8:15 AM
    Monday, January 8, 2018 2:25 AM
    Moderator
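    An audit-and-fix script for the key Elton refers to, as an added example (not code from the thread, from Microsoft or from Trend Micro). The key path, value name, type and data are the ones KB4072699 documents; the page links that article but does not quote them. The -Fix switch, the state strings and the function name are this example's own. It runs the same applicability check a WSUS client would, by asking the Windows Update Agent COM API for a fresh search against whatever update source policy points it at.

```powershell
# Added example (not from the thread). Checks for the KB4072699 compatibility key
# that the January 2018 updates require before Windows Update or WSUS will offer
# them, and with -Fix creates it exactly as documented (REG_DWORD, data 0).
# Run in an elevated PowerShell on the client.
[CmdletBinding()]
param(
    [switch]$Fix   # switch of this script only; not a Windows or WSUS option
)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-0c1f-4bc0-9d44-1e4aa7f6b87d'   # value name from KB4072699

function Get-QualityCompatState {
    # Returns 'Present' only when name, type and data all match KB4072699.
    if (-not (Test-Path -Path $KeyPath)) { return 'Missing' }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Missing' }
    $kind = (Get-Item -Path $KeyPath).GetValueKind($ValueName)
    if ($kind -ne 'DWord') { return "WrongType ($kind)" }
    if ($item.$ValueName -ne 0) { return "WrongData ($($item.$ValueName))" }
    return 'Present'
}

$state = Get-QualityCompatState
Write-Output "QualityCompat key state: $state"

if ($Fix -and $state -ne 'Present') {
    if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Output "Key created; state now: $(Get-QualityCompatState)"
}

# Re-run detection so the client re-evaluates applicability now rather than at the
# next scheduled scan. The searcher uses the configured source (WSUS when policy
# sets one, otherwise Microsoft Update); the criteria string is the WUA syntax.
$searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software'")
$january  = @($result.Updates | ForEach-Object { $_.Title } | Where-Object { $_ -like '2018-01*' })
if ($january.Count -eq 0) {
    Write-Output 'No 2018-01 update offered (key missing, update not approved in WSUS, or already installed).'
} else {
    $january | ForEach-Object { Write-Output "Offered: $_" }
}
```

    Two caveats that follow from the advisory quoted at the top of the thread: only set the key yourself if your anti-virus vendor has confirmed compatibility (the whole point of the key is that an incompatible AV driver plus the update can blue-screen the machine), and for a fleet the same REG_DWORD is better delivered as a Group Policy Preferences registry item than by running this on each host, as one poster below did.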
  • Been doing some testing.  My machine looks at MS for its updates. Windows Update said no updates available; I made the registry key manually, did another scan, and it picked up the update.

    I've changed the registry on a machine that connects to our WSUS server but it's not reporting that the update is needed.  The KB4056888 update is showing in WSUS, but no clients needing it.

    Monday, January 8, 2018 10:34 AM
  • This is a good test, which I guess allows one to conclude that only machines with old procs require this update.

    Maybe there is info on which gens of procs are under fire.

    It could then be easier to identify the very few old machines (if any) in a large network.

    And it may simplify the task.

    Edited: or, of course, the registry key must be updated on all machines that will get updates from WSUS.


    --- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis


    • Edited by pob579 Monday, January 8, 2018 1:47 PM
    Monday, January 8, 2018 1:29 PM
  • I read a few days ago that OLD procs are affected...

    Now found: "Antivirus firms are gradually adding support for Microsoft's Windows patch for the Meltdown and Spectre attack methods that affect most modern CPUs."

    So my conclusion about old CPUs is wrong...

    Better to deploy the KEY.

    Anyway, would be interesting what CPUs are affected... Probably, it will come later.


    --- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis

    Monday, January 8, 2018 1:53 PM
  • I've deployed the key via GPO, and will keep an eye on my WSUS server over the next couple of days to see if any clients report they need any "2018-01 Cumulative Update...."

    Apparently if clients don't have the key, they won't get the 2018-01 update, or any subsequent updates.

    Also noticed that https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002 claims that Windows 10 1511 points to article 4056888, which also mentions "This update can be applied to Windows 10 Enterprise and Windows 10 Education editions only. This update isn't applicable to Windows 10 Pro or Windows 10 Home editions and won't install."

    We're on Windows 10 Pro, so unless I'm looking at the wrong update, I'm not sure how/what I'll be applying after I've added the key that needs adding.

    Monday, January 8, 2018 2:57 PM
  • What about the new pause for AMD machines?

    If I approve the patch AND have the reg key on an AMD-based machine, will it show as needed from WSUS? Or do I need to further filter the devices?


    • Edited by Fullvacation Wednesday, January 10, 2018 8:32 PM
    Wednesday, January 10, 2018 8:29 PM
  • > I've deployed the key via GPO, and will keep an eye on my WSUS server over the next couple of days to see if any clients report they need any "2018-01 Cumulative Update...."
    >
    > Apparently if clients don't have the key, they won't get the 2018-01 update, or any subsequent updates.
    >
    > Also noticed that https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002 claims that Windows 10 1511 points to article 4056888, which also mentions "This update can be applied to Windows 10 Enterprise and Windows 10 Education editions only. This update isn't applicable to Windows 10 Pro or Windows 10 Home editions and won't install."
    >
    > We're on Windows 10 Pro, so unless I'm looking at the wrong update, I'm not sure how/what I'll be applying after I've added the key that needs adding.

    1511 reached end-of-support in October 2017: https://support.microsoft.com/en-au/help/4035050/windows-10-version-1511-will-no-longer-receive-security-updates

    (but as we've seen, MSFT grants some latitude to large customers who invest in ENT/EDU products)


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Wednesday, January 10, 2018 10:06 PM
  • With so much info about Melt and Spec, often a bit contradictory, I would like to ask a question...

    One of my colleagues mentioned that Meltdown could not be patched at OS level.

    Only a BIOS update can protect against Meltdown.

    He stated that Microsoft patches (obviously talking only about Windows) are only for patching the Spectre issue.

    Can somebody provide a link to a clear explanation (doesn't need to be extremely technical) of what the patches are actually doing (covering)?

    Thx.


    --- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis


    • Edited by pob579 Friday, January 12, 2018 3:19 PM
    Friday, January 12, 2018 3:18 PM
  • Don, as usual, I appreciate your answer.

    --- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis

    Saturday, January 13, 2018 12:55 PM