UPDATED: 9 February, 2018. Updates from Intel and Microsoft.
UPDATED: 23 January 2018. Urgent update on Intel CPU patches. TL;DR: Don’t install them; they’re causing errors, and Intel is working on fixes. More details in the Intel section below.
We update this article regularly with the news about the patches and other information you may need to keep your devices secure.
Meltdown and Spectre Background
News about critical CPU vulnerabilities, dubbed Meltdown and Spectre, hit the media a week before the initial disclosure by CPU and software vendors, originally planned for January 9th. The information about the attacks was available to vendors beforehand, but they had been holding it back so that mitigations would be available to the general public before disclosure.
However, once the news broke and started spreading like wildfire, vendors had to roll out initial security updates in a rush, together with official statements and recommendations. LWN.net notes that there were hints of CPU security risks being actively patched in the Linux kernel as far back as November 2017, but the information only started spreading early last week. The Register’s tech page was one of the earliest sites to call out some big names (like Intel) and provide information about products susceptible to the attacks.
As the story unfolded, more details surfaced adding other hardware vendors to the list of potential victims, effectively promoting Meltdown and Spectre to the top of the vulnerabilities list in terms of potential risks and attack surface.
For now, it is clear that the vulnerabilities may affect desktop and mobile devices such as phones, tablets and laptops. Cloud services are also at risk. It is worth mentioning that both Spectre and Meltdown exploit hardware vulnerabilities in the affected chips, which prolongs the mitigation process.
These two facts are important for understanding the scale of the problem, which is truly industry-wide. Vendors have confirmed that Intel, Arm, Apple, and AMD are affected by at least one of the vulnerabilities. In our previous article, you can read a detailed history of their discovery and the basics of how these vulnerabilities work.
In this article, we will maintain an updated list of security patches and updates for mitigating the CPU flaws on affected devices and operating systems. Before we proceed with the list of security updates, it is worth outlining a few key points about the peculiarities of these vulnerabilities. This will also clarify why patching and security updates may be required at several levels: microcode updates for CPUs, operating system (OS) patches and, finally, browser enhancements.
Why Are Meltdown and Spectre Vulnerabilities So Different from Other Security Issues?
As researchers pointed out in their paper on Meltdown, so-called “memory isolation” is the foundation of secure computing: programs and processes shouldn’t be able to access the OS kernel’s memory or another program’s memory. Memory isolation barriers are implemented at both the software and the hardware level. Meltdown and Spectre exploit hardware vulnerabilities in the CPU that may allow a malicious process to read sensitive data from kernel memory or from a browser process.
Both Meltdown and Spectre abuse the CPU performance optimization feature known as speculative execution. In order to improve performance and reduce wait time, CPUs can perform work before it is known whether its results are actually required. This is possible because another feature, known as “branch prediction”, lets the CPU guess which instructions are most likely to be needed, work ahead, and roll back if the guess proves wrong. CPUs run these tasks speculatively and in parallel, which together with branch prediction greatly increases speed and performance.
However, in the case of Spectre and Meltdown, it turns out that speculative execution has weaknesses long overlooked by CPU designers. Not all effects of speculative execution are rolled back: some “leftovers” remain in the CPU’s cache, the memory used to store recently fetched data so it can be retrieved quickly if it is needed again. Because of the nature of speculative execution and the lack of certain checks, it may also leave remnants of data it wasn’t supposed to touch in the cache.
This is the problem. Because of this incomplete rollback, an attacker’s program can measure the timing of memory reads and “deduce” the sensitive information from what is in the chip’s cache.
Meltdown and Spectre (which itself has two variants) use slightly different approaches to these weaknesses in the processor architecture, but both come down to circumventing memory isolation: between OS kernel memory and unprivileged processes in the case of Meltdown, and between processes running on the same device in the case of Spectre.
How To Fix Meltdown and Spectre CPU Vulnerabilities?
Meltdown is easier to exploit, but it’s also easier to fix, and patches are already available. Spectre, in turn, is an extremely complicated set of vulnerabilities that requires thorough patching, and researchers agree that even with patches, exploitable variants may surface in the future. Mitigations are being delivered at several levels:
- CPU firmware
- OS patches (increased memory isolation to prevent Meltdown)
A decrease in CPU performance is an overhead that is inevitable in a situation like this, especially since the flaws in CPU design are mostly tied to performance optimization features. On the other hand, a significant drop in performance hasn’t been reported for the most common usage scenarios. Find the links to updates and news below.
Updated 18 January: In his article, Terry Myerson, VP of the Windows and Devices Group, shares findings on the performance impact of applying the security patches on Windows PCs with Intel CPUs. Windows 10 on newer Intel CPUs (from around 2016) shows no noticeable slowdown. At the same time, Windows 10 on chips from 2015 and older may get noticeably slower, and Windows 7 / 8 systems on processors from 2015 and older will also show a visible decline in performance.
Intel News and Updates for Meltdown and Spectre
- Intel Spectre FAQ
- 90+% of Intel CPUs manufactured in the last 5 years will receive firmware updates within a week; updates for the remaining ones will ship towards the end of January. (Source)
- Intel is working on a reboot issue affecting Broadwell and Haswell CPUs after the forthcoming Spectre patch. (Source)
If you are using Intel processors, please contact your device vendor for firmware updates.
Updated 23 January: Intel asks users to refrain from applying its CPU patches until further notice.
Since January 11th, Intel users have been running into spontaneous reboots and other errors after applying the security patches for the Spectre and Meltdown vulnerabilities. On Monday, January 22, Intel updated its guidance for customers and partners. According to Intel, the root cause of the problem has been identified, and early fixes were rolled out for testing by Intel’s industry partners over the weekend. For the moment, Intel advises its OEM partners, cloud service providers, system manufacturers and consumers to stop deploying the current patches, since:
…they may introduce higher than expected reboots and other unpredictable system behavior. For the full list of platforms, see the Intel.com Security Center site. — Navin Shenoy, Executive VP and General Manager of the Data Center Group at Intel Corp.
Meanwhile, Navin Shenoy urges customers to adhere to security best practices and keep their systems up to date, and apologizes for the situation.
Updated 9 February: Intel appears to have finally made progress on fixes for the reboot issues that followed the Spectre microcode patches for its CPUs. In his post, Navin Shenoy announced that stable microcode updates have been released for Skylake-based platforms, while Broadwell and Haswell are still in progress. He stated that Intel will release beta microcode updates for its partners to test thoroughly prior to the production release. Most fixes for the reboot issues will be delivered along with firmware updates from device vendors. See Intel’s table of microcode updates: columns marked in green with “Production” status indicate that the microcode update may be deployed in production.
News and Updates for Arm Processors
- Arm FAQ
- Affected Arm processors by vulnerability type
- Arm Partner Information:
- Arm Support
News and Updates for AMD CPU Spectre Vulnerabilities
Even though AMD isn’t susceptible to Meltdown, its processors are still prone to both variants of the Spectre attack. AMD is working closely with Microsoft to fix the issue that paused updates for older AMD chips this week. Linux vendors are also working on patches for AMD CPUs.
Updated 18 January: Microsoft resumes security updates for most AMD processors after fixing the boot issues. More details in the Windows section of this article.
Windows OS News and Updates
Microsoft’s Security Advisory contains issue descriptions, an FAQ, and a list of security updates for supported Microsoft products that may be affected, including Windows 7, 8 and 10, Internet Explorer 11, Edge, Microsoft Server, etc.
Microsoft’s guidance on Windows Update contains consumer guidance, articles, and links to advisory information from Microsoft partners. Be sure to check the list of firmware updates and links by vendor, and download them if you haven’t done so already. The Windows update schedule for January 2018 is also provided with update descriptions.
- Security updates from Microsoft won’t provide full protection unless you also install the firmware update for your device.
- Before installing the Windows security update, make sure you have updated your antivirus (AV) software if you’re using a third-party product (not Windows Defender or Microsoft Security Essentials).
Details on Antivirus Software Updates Required Prior to Windows Updates
A specific registry key must be set to indicate that the AV you use is compatible with the changes coming as part of the security updates, starting with the January 3 update and all subsequent patches.
If you aren’t receiving the updates yet, one of two situations applies:
- Contact your AV vendor’s support, or install the registry key yourself. Install it only if you fully understand the risks and have carefully read the topics referenced in the disclaimer: the “Changing keys and values” help topic in Registry Editor (Regedit.exe), or the “Add and delete information in the registry” and “Edit registry data” help topics in Regedt32.exe. The key itself is provided in the Microsoft knowledge base article linked above.
- If you have an older AMD CPU and haven’t been receiving updates, it is because certain versions of the update rendered PCs unbootable. Here is the separate update containing Microsoft’s list of paused security patches.
Updated 18 January: Microsoft resumed security updates for most AMD processors after fixing the boot issues. The resumed updates:
- KB4073578: fixes the unbootable state for AMD devices in Windows 7 SP1 and Windows Server 2008 R2 SP1
- KB4073576: fixes the unbootable state for AMD devices in Windows 8.1 and Windows Server 2012 R2
Four more updates remain paused. The full list is available via the link in item 2 above.
How to Check for Updates in Windows 10
- Go to Start Menu
- Select Settings
- In Settings, click Check for updates.
How to Check for Updates in Windows 8, 8.1
- Go to System Settings
- Click on the Control Panel
- Go to System and Security
- Click Windows Update, and click Check for Updates.
How to Check for Updates on Windows 7
- Open Start Menu
- Click on Control Panel, then click on System and Security
- Select Windows Update, and click Check for Updates.
For some extra peace of mind, follow the instructions from this article from Howtogeek.com to see if your system is patched against Spectre and Meltdown both on the OS and firmware sides.
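To verify the items above in one pass (the antivirus compatibility registry value from the Microsoft knowledge base article, the two AMD-related KBs listed, and the OS/firmware mitigation status the HowToGeek article walks through), here is an added PowerShell script; it is not from the original article or from Microsoft, it only reads system state and changes nothing, and it assumes Microsoft’s SpeculationControl module has been installed from the PowerShell Gallery.

```powershell
# Added read-only check (not part of the original article). Run in PowerShell,
# preferably elevated. Nothing below modifies the registry or installs anything.

# 1. The antivirus-compatibility marker required by the January 2018 updates.
#    Key path and value name are those documented in the Microsoft KB article
#    the text links to; the data must be a REG_DWORD of 0. We only read it here.
$compatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$compat = Get-ItemProperty -Path $compatKey -Name $compatValue -ErrorAction SilentlyContinue
if ($null -ne $compat -and $compat.$compatValue -eq 0) {
    Write-Output 'AV compatibility value: present (updates can be offered)'
} else {
    Write-Output 'AV compatibility value: missing - confirm with your AV vendor before setting it'
}

# 2. The resumed AMD updates named in the article. KB4073578 applies to
#    Windows 7 SP1 / Server 2008 R2 SP1, KB4073576 to Windows 8.1 / Server 2012 R2,
#    so on other Windows versions both are expected to report "not installed".
$kbs = @('KB4073578', 'KB4073576')
foreach ($kb in $kbs) {
    $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($hotfix) { Write-Output ('{0}: installed on {1}' -f $kb, $hotfix.InstalledOn) }
    else         { Write-Output "${kb}: not installed" }
}

# 3. Microsoft's SpeculationControl module reports whether the OS and firmware
#    mitigations are present and enabled. Install once with:
#    Install-Module SpeculationControl
if (Get-Module -ListAvailable -Name SpeculationControl) {
    Import-Module SpeculationControl
    $s = Get-SpeculationControlSettings
    # Spectre variant 2 (branch target injection) needs firmware AND OS support.
    $bti = $s.BTIHardwarePresent -and $s.BTIWindowsSupportPresent -and $s.BTIWindowsSupportEnabled
    # Meltdown (kernel VA shadowing) needs only the OS side, and not every CPU requires it.
    $kva = (-not $s.KVAShadowRequired) -or $s.KVAShadowWindowsSupportEnabled
    Write-Output "Spectre variant 2 mitigation fully active: $bti"
    Write-Output "Meltdown mitigation active or not required:  $kva"
} else {
    Write-Output 'SpeculationControl module not found; run Install-Module SpeculationControl'
}
```

If step 3 reports that the hardware side is absent, the firmware update from your device vendor is what is missing, which matches the article’s note that Microsoft’s updates alone do not give full protection.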
Updated 18 January: Malwarebytes warns against fake patches for Meltdown and Spectre.
Given that news of Meltdown and Spectre has received massive coverage, it’s no wonder bad actors tried to take advantage of the publicity.
In his post on the Malwarebytes blog, research lead Jérôme Segura covers the details of a phishing campaign reported by German authorities. Phishing emails lured users to a recently registered domain mimicking the German Federal Office for Information Security.
The adversaries even installed an SSL certificate for the domain in an attempt to mislead more vigilant users. It is worth noting that the presence of an SSL certificate only indicates that communication between the browser and the website is encrypted; it doesn’t guarantee that the website isn’t malicious. The certificate was revoked promptly after Malwarebytes reported the abuse to the certificate authority.
The fake website contained a downloadable archive posing as a patch for Intel and AMD CPUs, which in reality was an .exe file that installs Smoke Loader, a piece of software that can download other malicious payloads as instructed by the adversary.
Remember: neither software nor hardware vendors normally send patches to users directly by email. As a rule, patches are available for download from the vendor’s website. OS manufacturers may link to vendors’ websites on their support pages, since these entities often work together on mitigating threats.
Updated 9 February, 2018. Microsoft releases an update to disable Intel’s patch for Spectre Variant 2, CVE-2017-5715.
Update released for: Windows 7 SP1, Windows 8.1, Windows 10 (multiple versions), Windows Server 2008 R2 Standard, Windows Server 2012 R2 Standard. Intel had earlier reported issues with its microcode update for Spectre Variant 2, stating that it could cause reboots and other problems.
Microsoft Azure Updates Against Spectre
Microsoft has also updated its cloud computing platform, Azure.
Microsoft Edge and Internet Explorer Updates for Spectre
Microsoft shipped initial Edge and IE browser mitigations and patches with the January 3 update. Microsoft will continue to look into possible browser-based exploitation of the vulnerabilities, issuing additional updates when needed.
Get an Ad Blocker: Minimize Browser Exploitation from Spectre
Google News and Patches for Spectre
Google’s Project Zero was one of the teams that discovered the vulnerabilities and worked with vendors on mitigation.
- Google announced that all G-Suite (Gmail, Drive, Calendar, etc.) applications have been updated and that no extra action is required on the users’ side.
- Take a look at the full list of Google products and mitigation status (in most cases everything has been taken care of by Google themselves).
Android Updates for Spectre
Google patched their own devices (Nexus, Pixel, etc.) and shipped the patches to Android device vendors. Check here to see whether your device is getting mitigations soon.
Google Chrome Browser Updates for Spectre
Consider enabling Site Isolation, which is supported in Chrome version 63 and later; it protects against Spectre exploitation across sites. Using an ad blocker may also provide extra protection. Google’s own mitigation for the attacks, Retpoline, shows negligible impact on performance.
Apple News and Updates for Meltdown and Spectre
Apple has released an advisory document describing the impact of the security issues, stating that nearly all of its devices are affected, with the exception of Apple Watch.
“Apple has already released mitigations for iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. To help defend against Spectre, Apple has released mitigations in iOS 11.2.2, the macOS High Sierra 10.13.2 Supplemental Update, and Safari 11.0.2 for macOS Sierra and OS X El Capitan. Apple Watch is not affected by either Meltdown or Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, and tvOS.” — Apple Support
Meanwhile, Apple recommends that users download software only from trusted sources, since one avenue for attack is through apps loaded on a user’s device.
Mozilla News and Updates for Meltdown and Spectre
Since both attacks rely heavily on timing measurements, Mozilla is taking steps to reduce the available sources of timing measurement and has disabled a feature that adversaries could abuse to build a higher-accuracy timer. The security mitigations are available starting with Firefox 57.0.4.
We will be updating this article regularly with the news about the patches and other information you may need to keep your devices secure.
Don’t see your device? Leave a comment and we’ll see what we can do to help you get the updates you need.