UPDATED: 23 May 2018. Updates from Microsoft
UPDATED: 22 March 2018. Updates from Intel, Microsoft
UPDATED: 6 March 2018. Updates from Intel, Microsoft
UPDATED: 9 February 2018. Updates from Intel, Microsoft
UPDATED: 23 January 2018. Urgent update on Intel CPU patches. TL;DR: Don’t install them, they’re causing errors, Intel is working on fixes. More details in the Intel section below.
We update this article regularly with the news about the patches and other information you may need to keep your devices secure.
Meltdown and Spectre Background
News about critical CPU vulnerabilities, dubbed Meltdown and Spectre, hit the media a week before the coordinated disclosure by CPU and software vendors, originally planned for January 9th. The vendors had known about the attacks beforehand, but kept quiet to avoid disclosure before mitigations were available to the general public.
However, once the news broke and started spreading like wildfire, vendors had to rush out initial security updates, together with official statements and recommendations. LWN.net notes that hints of a CPU security problem being actively patched in the Linux kernel (the kernel page-table isolation work) had been visible since November 2017, but the information only started spreading early last week. The Register’s tech page was one of the earliest sites to name big vendors (like Intel) and list products susceptible to the attacks.
As the story unfolded, more details surfaced adding other hardware vendors to the list of potential victims, effectively promoting Meltdown and Spectre to the top of the vulnerabilities list in terms of potential risks and attack surface.
For now, it is clear that the vulnerabilities affect desktop and mobile devices alike: phones, tablets and laptops, and cloud services are also at risk. It is worth stressing that both Spectre and Meltdown exploit flaws in the hardware itself, which is why mitigation cannot be a single software patch and takes longer to roll out across the installed base.
These 2 facts are important for understanding the scale of a problem, which is truly industry-wide. It has been confirmed by vendors that Intel, Arm, Apple, and AMD are affected by at least one of the vulnerabilities. In our previous article, you can read a detailed history of their discovery and the basics of how these vulnerabilities work.
In this article, we will maintain an updated list of security patches and updates for mitigating the CPU flaws on affected devices and operating systems. Before we proceed with the list, it is worth outlining a few key points about the peculiarities of these vulnerabilities. This also clarifies why patching may be required on several levels, from microcode updates for CPUs through operating system (OS) patches to browser updates.
Why Are Meltdown and Spectre Vulnerabilities So Different from Other Security Issues?
As the researchers point out in the Meltdown paper, memory isolation is the foundation of secure computing: a program or process must not be able to read the OS kernel’s memory or another process’s memory. Isolation is enforced both in software and in hardware (for instance by the CPU’s privilege checks on page tables). Meltdown and Spectre exploit hardware flaws in the CPU that let a malicious process read data it is not entitled to, whether kernel memory, another process’s memory, or another site’s data inside the same browser process.
Both attacks abuse the performance feature known as speculative execution. To avoid stalling, a CPU executes instructions before it is certain they will be needed: branch prediction guesses which way a conditional branch (or an indirect jump) will go, the CPU runs ahead down that path, and if the guess turns out to be wrong the results are discarded and execution resumes on the correct path. Out-of-order and speculative execution together account for a large part of a modern CPU’s performance.
The weakness long overlooked by CPU designers is that the rollback is not complete. The architectural state (registers and memory) is restored, but the microarchitectural state is not: data that the speculative path touched stays in the CPU cache, whose whole purpose is to hold recently used data for fast access. Because permission checks are not enforced on the speculative path before the loaded data is used, a speculative load can pull memory the program is not allowed to read into the cache.
This is the problem. The attacker arranges for a secret-dependent memory access to happen speculatively, then measures how long it takes to read particular memory locations: a fast read means the line is cached, a slow read means it is not. From those timings the attacker reconstructs the secret one small piece at a time. The timing measurement, not the speculative execution itself, is the channel over which the data leaks, which is why browsers have responded by degrading the precision of their timers.
Meltdown and Spectre (which has two variants of its own) reach these weaknesses by different routes, but it all comes down to circumventing memory isolation. Meltdown (CVE-2017-5754, “rogue data cache load”) breaks the isolation between the OS kernel’s memory and unprivileged processes. Spectre Variant 1 (CVE-2017-5753, bounds check bypass) and Variant 2 (CVE-2017-5715, branch target injection) break the isolation between processes, or between pieces of code running inside one process such as a browser, by steering the victim’s own speculative execution.
How To Fix Meltdown and Spectre CPU Vulnerabilities?
Meltdown is easier to exploit, but it is also easier to fix, and patches are already available. Spectre is a far more complicated family of vulnerabilities that requires changes at several layers, and researchers agree that even after patching, new exploitable variations are likely to surface. Mitigations are therefore delivered on more than one level:
- CPU microcode/firmware updates (new branch-control features that the OS uses against Spectre Variant 2)
- OS patches (kernel page-table isolation to prevent Meltdown, plus the OS side of the Variant 2 mitigation)
- Browser updates (reduced timer precision and process isolation against Spectre in JavaScript)
Some loss of CPU performance is an unavoidable overhead in a situation like this, since the flaws live in the very features that were added to make CPUs fast. On the other hand, no significant slowdown has been reported for the most common usage scenarios. Find the links for updates and news below.
Updated 18 January: In his blog post, Terry Myerson, Executive VP of the Windows and Devices Group, shares Microsoft’s findings on the performance impact of the security patches on Windows PCs with Intel CPUs. Windows 10 on newer Intel CPUs (2016-era Skylake, Kaby Lake and later) shows no noticeable slowdown. Windows 10 on 2015-era and older chips (Haswell and earlier) may be noticeably slower, and Windows 7 and 8 on those older chips will show a visible decline in performance, because those OS versions make more user-to-kernel transitions and the older CPUs lack hardware features that make the kernel isolation cheaper.
Intel News and Updates for Meltdown and Spectre
- Intel Spectre FAQ
- 90+% of Intel CPUs manufactured during the last 5 years will receive firmware updates within a week, updates for remaining ones will ship towards the end of January. (Source)
- Intel is working on a reboot issue for Broadwell and Haswell CPUs after the forthcoming Spectre patch. (Source)
If you are using Intel processors, please contact your device vendor for firmware updates.
Updated 23 January: Intel asks users to abstain from applying their CPU patches until further notice.
Since January 11th, Intel users have been running into spontaneous reboots and other errors after applying the security patches for Spectre and Meltdown. On Monday, January 22, Intel updated its guidance for customers and partners. According to Intel, the root cause has been identified and early fixes were rolled out to Intel’s industry partners for testing over the weekend. For the moment Intel advises its OEM partners, cloud service providers, system manufacturers and consumers to stop deployment of the current patches, since:
…they may introduce higher than expected reboots and other unpredictable system behavior. For the full list of platforms, see the Intel.com Security Center site.—Navin Shenoy, Executive VP, General manager of Data Center Group at Intel Corp.
Meanwhile, Navin Shenoy urges customers to adhere to security best practices and keep their systems up to date, apologizing for the situation.
Updated 9 February: Intel has finally made some progress with fixes for the reboot issues that followed its Spectre microcode patches. In his post, Navin Shenoy announced that stable microcode updates have been released for Skylake-based platforms, while Broadwell and Haswell are still in progress. He stated that Intel is releasing beta microcode updates to its partners for thorough testing prior to production release. Most of the fixed microcode will reach users through firmware (BIOS/UEFI) updates from device vendors. See Intel’s microcode revision guidance table; entries marked in green with the “Production” status indicate microcode that may be deployed in production.
Updated 6 March: On February 20th Intel provided an update on its revised microcode patches for Spectre and Meltdown.
After extensive testing of the updated microcode by Intel’s industry partners and customers, the patches are ready for release. As described in the previous updates, Intel’s earlier microcode had led to reboot issues.
“Based on these efforts, we have now released production microcode updates to our OEM customers and partners for Kaby Lake- and Coffee Lake-based platforms, plus additional Skylake-based platforms. This represents our 6th, 7th and 8th Generation Intel® Core™ product lines as well as our latest Intel® Core™ X-series processor family. It also includes our recently announced Intel® Xeon® Scalable and Intel® Xeon® D processors for data center systems.”—Navin Shenoy, Executive VP, General Manager of Data Center Group at Intel Corp.
According to Mr. Shenoy, in the majority of cases, these revised microcode patches will be available to customers through Intel’s OEM firmware partners (device vendors).
Updated 22 March,2018: Intel’s CEO Brian Krzanich mentioned that Intel has released microcode updates intended to protect chips from Spectre and Meltdown vulnerabilities for 100% of products launched during the past five years.
He also announced hardware-based protection coming to company’s chips, which will be implemented for next generation Xeon processors and 8th generation Core processors, released in the second half of 2018. According to Krzanich, Intel has redesigned certain parts of the processors with partitioning to protect them from Spectre Variant 2 and Meltdown.
“Think of this partitioning as additional ‘protective walls’ between applications and user-privilege levels to create an obstacle for bad actors.”—Brian Krzanich, Intel CEO
News and Updates for Arm Processors
- Arm FAQ
- Affected Arm processors by vulnerability type
- Arm Partner Information:
- Arm Support
News and Updates for AMD CPU Spectre Vulnerabilities
Even though AMD processors aren’t susceptible to Meltdown, they are still prone to both variants of the Spectre attack. AMD is working closely with Microsoft to fix the issue that paused Windows updates for older AMD chips this week. Linux vendors are also working on patches for AMD CPUs.
Updated 18 January: Microsoft renews security updates for most AMD processors after fixing boot issues. More details in the Windows section of the article.
Windows OS News and Updates
Microsoft Security Advisory contains issue descriptions, an FAQ, and a list of security updates for supported Microsoft products that may be affected, including Windows 7, 8.1 and 10, Internet Explorer 11, Edge, Windows Server, etc.
Microsoft Guidance on Windows Update contains consumer guidance information and articles, links to advisory information from Microsoft partners. Be sure to check out the list of firmware updates and links by vendor, download them if you haven’t done so already. The Windows update schedule for January 2018 is also provided with update descriptions.
- Security updates from Microsoft won’t provide full protection unless you also install the firmware update for your device.
- Before installing the Windows security update, make sure you have updated your antivirus (AV) software, if you’re using third-party product (not Windows Defender or Microsoft Security Essentials).
Details on Antivirus Software Updates Required Prior to Windows Updates
Windows Update only offers the January 3 security update (and all subsequent patches) to machines on which a specific registry value is present. Antivirus vendors set this value once they have confirmed that their product is compatible with the kernel changes in the update; some AV products make unsupported calls into kernel memory and would crash the system after patching.
If you aren’t receiving the updates yet, one of two things is going on:
- Your AV vendor has not yet set the key. Contact the vendor’s support, or install the registry key yourself, but only if you fully understand the risks and have carefully read the relevant help topics: “Changing keys and values” in the Registry Editor (Regedit.exe), or “Add and delete information in the registry” and “Edit registry data” in Regedt32.exe. The key itself is provided in the Microsoft knowledge base article linked above.
- You have an older AMD CPU. Microsoft paused the updates for these systems because certain versions of the update left PCs unbootable. Here is the separate update containing the list of paused security patches from Microsoft.
Updated 18 January: Microsoft resumed security updates for most AMD processors after fixing boot issues. The list of resumed updates:
- KB4073578 fixes the unbootable state for AMD devices in Windows 7 SP1 and Windows Server 2008 R2 SP1
- KB4073576 fixes the unbootable state for AMD devices in Windows 8.1 and Windows Server 2012 R2
Four more updates remain paused; the full list is available via the link in item 2 above.
How to Check for Updates in Windows 10
- Open the Start Menu and select Settings
- Go to Update & Security
- Under Windows Update, click Check for updates.
How to Check for Updates in Windows 8, 8.1
- Go to System Settings
- Click on the Control Panel
- Go to System and Security
- Click Windows Update, and click Check for Updates.
How to Check for Updates on Windows 7
- Open Start Menu
- Click on Control Panel, then click on System and Security
- Select Windows Update, and click Check for Updates.
For some extra peace of mind, follow the instructions from this article from Howtogeek.com to see if your system is patched against Spectre and Meltdown both on the OS and firmware sides.
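For a scriptable version of these checks (the AV compatibility flag, which of the article’s KBs are installed, and the mitigation status that the HowToGeek article obtains through Microsoft’s SpeculationControl module), here is an added PowerShell example; it is not code from the original article or from Microsoft. It assumes that the SpeculationControl module can be installed from the PowerShell Gallery, that the QualityCompat registry value name is the one from Microsoft’s antivirus-compatibility guidance for the January 2018 updates, and it uses three KB IDs mentioned elsewhere in this article only as sample input (each of them applies to a different Windows version, so pick the ones for your OS).

```powershell
# Added example (not from the article or from Microsoft): report the state of the
# Meltdown/Spectre mitigations on a Windows host.
# Assumptions: the SpeculationControl module from the PowerShell Gallery is installable,
# and the QualityCompat value name below is the one in Microsoft's AV-compatibility guidance.

$QualityCompatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatValue = 'cadca5fe-e7e9-e6c8-b6c4-8f7c5a4d4f4b'

function Test-AvCompatibilityFlag {
    # Windows Update only offered the January 2018 security updates when this
    # REG_DWORD value exists and equals 0; AV vendors set it once they are compatible.
    $item = Get-ItemProperty -Path $QualityCompatKey -Name $QualityCompatValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$QualityCompatValue -eq 0)
}

function Test-InstalledKb {
    param([Parameter(Mandatory)][string[]]$KbIds)
    # Reports which of the given KB articles appear in the installed hotfix list.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        [pscustomobject]@{ KB = $kb; Installed = ($installed -contains $kb) }
    }
}

function Get-MitigationStatus {
    # Microsoft's SpeculationControl module reads the kernel's mitigation state;
    # -Quiet returns the result object without the verbose console text.
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    $s = Get-SpeculationControlSettings -Quiet
    [pscustomobject]@{
        # Spectre Variant 2 (CVE-2017-5715): needs microcode (hardware) AND OS support, both enabled
        Variant2_MicrocodePresent   = $s.BTIHardwarePresent
        Variant2_OsSupportPresent   = $s.BTIWindowsSupportPresent
        Variant2_Enabled            = $s.BTIWindowsSupportEnabled
        # Meltdown (CVE-2017-5754): kernel page-table isolation ("KVA shadow")
        Meltdown_MitigationRequired = $s.KVAShadowRequired
        Meltdown_OsSupportPresent   = $s.KVAShadowWindowsSupportPresent
        Meltdown_Enabled            = $s.KVAShadowWindowsSupportEnabled
        Meltdown_PcidOptimisation   = $s.KVAShadowPcidEnabled   # PCID lowers the cost on newer CPUs
    }
}

# Usage: the three KB IDs are sample input taken from this article, one per OS family.
"AV compatibility flag present: $(Test-AvCompatibilityFlag)"
Test-InstalledKb -KbIds 'KB4073578','KB4073576','KB4090007' | Format-Table -AutoSize
Get-MitigationStatus | Format-List
```

A host is only fully protected against Variant 2 when all three Variant2_* fields are true; Variant2_MicrocodePresent being false while the OS support is present means the device vendor’s firmware update is still missing, which is the case the article’s first bullet in the Windows section warns about.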
Updated 18 January: Malwarebytes warns against fake patches for Meltdown and Spectre.
Given the massive coverage Meltdown and Spectre have received, it is no surprise that bad actors tried to take advantage of the publicity.
In his post on the Malwarebytes blog, research lead Jérôme Segura covers the details of a phishing campaign reported by German authorities. Phishing emails lured users to a recently registered domain mimicking the German Federal Office for Information Security (BSI).
The adversaries even obtained an SSL/TLS certificate for the domain in an attempt to mislead more vigilant users. It is worth noting that the padlock only tells you that the connection between the browser and the website is encrypted and that the site controls that domain name; it says nothing about whether the website is malicious. The certificate was revoked promptly after Malwarebytes reported the abuse to the certificate authority.
The fake website offered a downloadable archive posing as a patch for Intel and AMD CPUs; in reality it was an .exe that installs Smoke Loader, a piece of malware that downloads other malicious payloads as instructed by the adversary.
Remember: software and hardware vendors do not normally send patches to users by email. As a rule, patches are available for download from the vendor’s website, and OS manufacturers link to device vendors’ sites from their own support pages because these parties work together on mitigations.
Updated 9 February 2018: Microsoft releases update KB4078130, which disables the Windows mitigation for Spectre Variant 2 (CVE-2017-5715).
The update is available for Windows 7 SP1, Windows 8.1, Windows 10 (multiple versions), Windows Server 2008 R2 Standard and Windows Server 2012 R2 Standard. Intel had earlier reported that its microcode update for Spectre Variant 2 could cause unexpected reboots and other instability; the Windows mitigation for Variant 2 depends on that microcode, so Microsoft turned it off until fixed microcode is available.
Updated 6 March: In February Microsoft released further Windows security updates, including ones for 32-bit (x86) editions. These updates are downloaded and installed automatically; if you have already installed earlier updates, only the missing parts will be installed.
See the full list of Windows 10 and Windows Server versions included in the update under the February 2018 Windows operating system updates.
Unlike KB4078130, which we mentioned in the February 9th entry, these updates do not disable the Spectre Variant 2 (CVE-2017-5715) protection. Disabling it in that case was a response to the instability (unexpected reboots, etc.) caused by Intel’s first microcode patch for Variant 2.
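As an added example (not from the article or from Microsoft), the following PowerShell shows the registry side of turning the Variant 2 mitigation off and back on, using the FeatureSettingsOverride values that Microsoft’s Spectre/Meltdown guidance documents for manually managing the mitigations. It reaches by hand the same end state as the disable step described above; it is not the KB4078130 package itself. The bit meanings (bit 0 disables the Branch Target Injection mitigation, bit 1 disables the kernel page-table isolation used against Meltdown, and the Mask selects which bits are honoured) are taken from that guidance, and a reboot is required for any change to take effect.

```powershell
# Added example (not from the article or from Microsoft): inspect, disable and re-enable the
# Windows Spectre Variant 2 mitigation via the FeatureSettingsOverride registry values.
# Assumed semantics, per Microsoft's guidance: bit 0 = disable Branch Target Injection
# (Variant 2) mitigation, bit 1 = disable KVA shadow (Meltdown) mitigation; the Mask
# decides which Override bits are applied. Changes only take effect after a reboot.
#Requires -RunAsAdministrator

$MmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-MitigationOverride {
    # Returns the current override and decodes which mitigations it switches off.
    $p = Get-ItemProperty -Path $MmKey -ErrorAction SilentlyContinue
    $override = if ($null -ne $p.FeatureSettingsOverride)     { [int]$p.FeatureSettingsOverride }     else { 0 }
    $mask     = if ($null -ne $p.FeatureSettingsOverrideMask) { [int]$p.FeatureSettingsOverrideMask } else { 0 }
    $effective = $override -band $mask
    [pscustomobject]@{
        Override         = $override
        Mask             = $mask
        Variant2Disabled = (($effective -band 1) -ne 0)
        MeltdownDisabled = (($effective -band 2) -ne 0)
    }
}

function Set-MitigationOverride {
    param([Parameter(Mandatory)][int]$Override, [Parameter(Mandatory)][int]$Mask)
    # -Force overwrites an existing value; both values are REG_DWORD.
    New-ItemProperty -Path $MmKey -Name FeatureSettingsOverride     -PropertyType DWord -Value $Override -Force | Out-Null
    New-ItemProperty -Path $MmKey -Name FeatureSettingsOverrideMask -PropertyType DWord -Value $Mask     -Force | Out-Null
}

# Weak (temporary) setting: switch off only the Variant 2 mitigation while the unstable
# microcode is installed. Meltdown protection stays on because bit 1 is not masked in.
function Disable-Variant2Mitigation { Set-MitigationOverride -Override 1 -Mask 1 }

# Corrected setting: clear every override bit so all mitigations run, once the device
# vendor has shipped the revised microcode.
function Enable-AllMitigations { Set-MitigationOverride -Override 0 -Mask 3 }

# Usage
Get-MitigationOverride
# Disable-Variant2Mitigation   # only while running microcode Intel has flagged as unstable
# Enable-AllMitigations        # after the fixed firmware is installed
# Restart-Computer             # required for either change to take effect
```

After the reboot, re-run Get-MitigationOverride (or Microsoft’s Get-SpeculationControlSettings) and confirm that Variant2Disabled is false again; leaving the override in place after the fixed microcode arrives silently keeps the machine exposed to Variant 2.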
Updated 6 March 2018: Windows Operating System Updates
John Cable, Director of Program Management, Windows Servicing and Delivery, wrote a blog post on the latest developments in the mitigation effort for the CPU vulnerabilities. He announced that on March 1st Microsoft made Intel microcode updates available for Skylake-based systems running the most common version of Windows 10 (version 1709, Fall Creators Update). For details see KB4090007.
More microcode updates are on the way, Mr. Cable mentioned. Users can monitor Intel’s microcode updates table (linked in the Intel section of this article, entry from February 9th). Check your device’s chipset and contact an authorized vendor about firmware updates for your specific device model.
Additionally, Mr. Cable stressed that third-party AV products installed on Windows machines must be compatible with the security updates, i.e. they must not make unsupported calls into OS kernel memory. Updates are delivered only to systems with compatible AV. To check compatibility, use the link provided in the initial Windows update entry of this article.
Updated 22 March 2018: Microsoft continues to issue updates for the 32-bit (x86) editions of Windows 7 SP1 and 8.1. An update shipped on March 13th adds protection against Meltdown.
For Windows 10, Microsoft has significantly expanded a list of Intel-validated microcode updates available via the Microsoft Catalog. The list includes Intel platforms such as Skylake, Kaby Lake, and Coffee Lake CPUs available for Windows 10 version 1709. The full list of updates against Spectre, Variant 2 for Windows 10 is available in KB4093836.
Microsoft has been working with third-party AV vendors on compatibility with its security updates. Certain AV products conflicted with the Windows security patches by making unsupported calls into OS kernel memory. Microsoft has now lifted its AV-compatibility check for the March Windows security updates on supported Windows 10 devices. This change allows the cumulative security updates, including the protections against Spectre and Meltdown, to be installed on a wider range of devices. To avoid the stability problems that incompatible AV drivers caused, Microsoft still requires AV software to be compatible and will block devices with known AV-driver compatibility issues from receiving the updates.
Important: Microsoft issues a reminder that Windows 10 version 1607 (Anniversary Update) will reach its end of service on April 10, 2018, when its final security update is due to be released. It is recommended to update to the latest and most secure Windows 10 version 1709 (Fall Creators Update). In case you haven’t received a download offer on your older version of Windows, use the link to Software Download Site .
As always, it is recommended to check with your CPU and device manufacturer on the availability of applicable firmware updates for your specific device and also Intel’s Microcode Revision Guidance.
Updated 23 May, 2018 (includes info on April updates):
On April 25th Microsoft released two updates KB4078407 and KB4091666, both of them directed at mitigating Spectre Variant 2, also known as Branch Target Injection Vulnerability.
- Update KB4078407 is intended for the following Windows versions: Windows 10, Windows 10 LTSB, and Windows Server 2016. It can be downloaded from Microsoft Update Catalog and needs to be applied manually. This update provides OS-level fixes. Separate CPU firmware updates are still required.
- Update KB4091666 is Intel-specific, providing microcode patches for vendors’ CPU platforms running on Windows 10. Patches coming in this update are intended for sixth generation Intel Skylake as well as Broadwell and Haswell platforms. Just like the previous one, this update is available for download and installation via the Microsoft Update Catalog.
On May 16th, Microsoft released yet another Intel-specific batch of CPU firmware updates against Spectre Variant 2. This time update KB4100347 is intended for Windows 10 version 1803 and Windows Server version 1803. It may be installed either automatically or manually via Microsoft Update Catalog.
Previously, Microsoft had to disable the Spectre Variant 2 mitigation because of flaws in Intel’s initial microcode updates. They caused Windows users problems with unstable PCs, such as surprise reboots. Intel took the microcode back to the lab to investigate and fix the issues, and a new set of updates was released after rigorous testing by Intel and its partners, including Microsoft. The new patches were planned to be delivered by computer hardware vendors as BIOS updates, but because of delays on the vendors’ side Microsoft proceeded to release them directly as update KB4090007. Updates KB4091666 and KB4100347 continue that effort.
Microsoft Azure Updates Against Spectre
Microsoft has also updated its cloud computing platform, Azure.
Microsoft Edge and Internet Explorer Updates for Spectre
Microsoft has launched some Edge and IE browser mitigation and patches with January 3 update. Microsoft will continue to look into possible browser-related exploitations of vulnerabilities, issuing additional updates when needed.
Get an Ad Blocker: Minimize Browser Exploitation from Spectre
Google News and Patches for Spectre
Google’s Project Zero was one of the teams that discovered the vulnerabilities and worked with vendors on mitigations.
- Google announced that all G Suite applications (Gmail, Drive, Calendar, etc.) have been updated and that no extra action is required on the users’ side.
- Take a look at the full list of Google products and mitigation status (in most cases everything has been taken care of by Google themselves).
Android Updates for Spectre
Google patched their own devices (Nexus, Pixel, etc.) and shipped the patches to Android device vendors. Check here to see whether your device is getting mitigations soon.
Google Chrome Browser Updates for Spectre
Consider enabling Site Isolation, available in Chrome 63 and later. It runs pages from different sites in separate processes, so a Spectre attack in one site’s JavaScript cannot read another site’s data out of the same process; it is a mitigation, not a guarantee against every form of the attack. An ad blocker may add some protection by keeping untrusted scripts off your pages. Retpoline, Google’s compiler-level mitigation for Spectre Variant 2, which it has deployed across its own infrastructure, has shown negligible performance impact.
Apple News and Updates for Meltdown and Spectre
Apple has released an advisory describing the impact of the security issues, stating that nearly all of its devices are affected, except Apple Watch.
“Apple has already released mitigations for iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. To help defend against Spectre, Apple has released mitigations in iOS 11.2.2, the macOS High Sierra 10.13.2 Supplemental Update, and Safari 11.0.2 for macOS Sierra and OS X El Capitan. Apple Watch is not affected by either Meltdown or Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, and tvOS.” — Apple Support
Meanwhile, Apple recommends downloading software only from trusted sources, since one of the attack routes is through apps loaded onto a user’s device.
Mozilla News and Updates for Meltdown and Spectre
Since both attacks rely on precise timing measurements, Mozilla has reduced the precision of the timing sources available to web content (performance.now() is now rounded to 20 microseconds) and disabled SharedArrayBuffer, a feature that could be abused to build a higher-resolution timer. These mitigations ship starting with Firefox 57.0.4.
We will be updating this article regularly with the news about the patches and other information you may need to keep your devices secure.
Don’t see your device? Leave a comment and we’ll see what we can do to help you get the updates you need.