Meltdown and Spectre CPU Vulnerabilities: Security Patches and Tips (Continuous Update)

Meltdown and Spectre CPU Vulnerability Patches Guide

UPDATED: 22 March 2018. Updates from Intel, Microsoft

UPDATED: 6 March 2018. Updates from Intel, Microsoft

UPDATED: 9 February 2018. Updates from Intel, Microsoft

UPDATED: 23 January 2018. Urgent update on Intel CPU patches. TL;DR: Don’t install them, they’re causing errors, Intel is working on fixes. More details in the Intel article section below.
We update this article regularly with the news about the patches and other information you may need to keep your devices secure.

Meltdown and Spectre Background

News about critical CPU vulnerabilities, dubbed Meltdown and Spectre, hit the media a week before the initial disclosure by CPU and software vendors, originally planned for January 9th. The information about the attacks was available to vendors beforehand, but they had been taking measures to avoid disclosure before mitigation measures were available to the general public.

However, once the news broke and started spreading like wildfire, vendors had to roll out initial security updates in a rush, together with official statements and recommendations. LWN.net suggests there have been hints of CPU security risks being actively patched for the Linux kernel back in November 2017, but the information started spreading only early last week. The Register’s tech page was one of the earliest sites to call out some big names (like Intel) and provide information about products susceptible to the attacks.

As the story unfolded, more details surfaced adding other hardware vendors to the list of potential victims, effectively promoting Meltdown and Spectre to the top of the vulnerabilities list in terms of potential risks and attack surface.

For now, it is clear that the vulnerabilities may affect desktop and mobile devices like phones, tablets and laptops. Cloud services are also at risk. It is worth mentioning that both Spectre and Meltdown exploit hardware vulnerabilities in the affected chips, which prolongs the mitigation process.

These two facts are important for understanding the scale of the problem, which is truly industry-wide. Vendors have confirmed that Intel, Arm, Apple, and AMD are affected by at least one of the vulnerabilities. In our previous article, you can read a detailed history of their discovery and the basics of how these vulnerabilities work.

In this article, we will maintain an updated list of security patches and updates for mitigating CPU flaws on affected devices and operating systems. Before we proceed with the list of security updates, it is worth outlining a few key points about the peculiarities of these vulnerabilities. This will also clarify why patching and security updates may be required on various levels, starting from microcode updates for CPUs to operating system (OS) patches and, finally, browser enhancements.

Why Are Meltdown and Spectre Vulnerabilities So Different from Other Security Issues?

As researchers pointed out in their paper on Meltdown, so-called “memory isolation” is the foundation of safe computing, meaning that programs/processes shouldn’t be able to access the OS kernel’s or another program’s memory. Memory isolation barriers are implemented on both software and hardware levels. Meltdown and Spectre exploit hardware vulnerabilities in the CPU that may enable a malicious process to read sensitive data from the memory of the kernel or of another process, such as the browser.

Both Meltdown and Spectre abuse the CPU performance optimization feature known as speculative execution. In order to improve performance and reduce wait time, CPUs are able to carry out work before its results are actually required. This is possible because another feature known as “branch prediction” allows the CPU to guess which tasks are most likely going to be needed, work ahead, and roll back if the gamble proves wrong. CPUs are able to run tasks speculatively and in parallel, which together with branch prediction greatly increases speed and performance.

However, in the case of Spectre and Meltdown, it turns out that speculative execution has weaknesses long overlooked by CPU designers. Not all of the effects of speculative execution are rolled back: some “leftovers” remain in the CPU’s cache memory, which is used for storing and fetching recent data quickly in case it is needed again. Due to the nature of speculative execution and the lack of certain checks, it may also leave in the cache remnants of data it wasn’t supposed to touch.

This is the problem. Because of these bad data rollback habits, an attacker program may measure the timing of memory reads and be able to “deduce” the sensitive information in the chip’s cache.

Meltdown and Spectre (which itself has two variants) use slightly different approaches to these weaknesses in processor architecture, but it all comes down to circumventing memory isolation: between the OS kernel memory and non-privileged processes in the case of Meltdown, and between processes running on the device in the case of Spectre.

How To Fix Meltdown and Spectre CPU Vulnerabilities?

Meltdown is easier to exploit, but it’s also easier to fix, with patches already available. Spectre, in turn, is an extremely complicated set of vulnerabilities that requires thorough patching, yet researchers agree that even with patches, exploitable variations may surface in the future.

Another risk that comes with Spectre is related to its ability to attack through weaponized JavaScript executed in the browser. Any weaponized advertisement that loads in the browser may leak sensitive contents of the computer’s memory to an attacker. Adversaries using malvertising for their attacks may try to use Spectre on unsuspecting users, so patching your browser and having an ad blocker installed may decrease the chances of your computer being compromised. In fact, it is known that neither of these attacks can be detected at this time, so the wisest thing to do is to apply patches for:

  • CPU firmware
  • OS patches (increased memory isolation to prevent Meltdown)
  • Browsers

A decrease in CPU performance is an overhead that’s inevitable in a situation like this, especially given that the flaws in CPU design are mostly related to performance optimization features. On the other hand, a significant drop in performance hasn’t been reported for the most common usage scenarios. Find the links for updates and news below.

Updated 18 January: In his article, Terry Myerson, VP of the Windows and Devices Group, shares the findings on the performance impact that results from applying security patches on Windows PCs running on Intel CPUs. Windows 10 combined with newer Intel CPUs from around 2016 shows no noticeable slowdown. At the same time, Windows 10 on chips from 2015 and older may get noticeably slower. Windows 7 / 8 systems running on processors from 2015 and older will also show a visible decline in performance.

Intel News and Updates for Meltdown and Spectre

  • Intel Spectre FAQ
  • 90+% of Intel CPUs manufactured during the last 5 years will receive firmware updates within a week, updates for remaining ones will ship towards the end of January. (Source)
  • Intel is working on a reboot issue for Broadwell and Haswell CPUs after the forthcoming Spectre patch. (Source)

If you are using Intel processors, please contact your device vendor for firmware updates.

Updated 23 January: Intel asks users to abstain from applying their CPU patches until further notice.

Since January 11th, Intel users have been running into issues with spontaneous reboots and other errors that plagued their computers after applying security patches for the Spectre and Meltdown vulnerabilities. On Monday, January 22, Intel updated their guidance for customers and partners. According to Intel, the root cause of the problem has been identified and early fixes were rolled out for testing by Intel’s industry partners over the weekend. For the moment, Intel advises its OEM partners, cloud service providers, system manufacturers and consumers to stop deployment of the current patches, since:

…they may introduce higher than expected reboots and other unpredictable system behavior. For the full list of platforms, see the Intel.com Security Center site.—Navin Shenoy, Executive VP, General Manager of Data Center Group at Intel Corp.

Meanwhile, Navin Shenoy urges customers to adhere to security best practices and keep their systems up to date, apologizing for the situation.

Updated 9 February: It seems that Intel has finally made some progress with fixes for the reboot issues that followed the Spectre microcode patches for CPUs. In his post, Navin Shenoy notified that stable microcode updates have been released for Skylake-based platforms, while Broadwell and Haswell are still in progress. He stated that Intel will be releasing beta microcode updates for their partners to conduct thorough testing prior to production release. Most patches against reboot issues will be delivered along with firmware updates from device vendors. See the table for microcode updates by Intel. Columns marked in green with “Production” status indicate that the microcode update may be deployed in production.

Updated 6 March: Intel provided an update on February 20th, including patches for the Spectre and Meltdown CPU exploits.

After extensive testing of the updated microcode patches by Intel’s industry partners and customers, they are ready to be released. As described in previous updates, Intel’s previous microcode patches have led to reboot issues.

“Based on these efforts, we have now released production microcode updates to our OEM customers and partners for Kaby Lake- and Coffee Lake-based platforms, plus additional Skylake-based platforms. This represents our 6th, 7th and 8th Generation Intel® Core™ product lines as well as our latest Intel® Core™ X-series processor family. It also includes our recently announced Intel® Xeon® Scalable and Intel® Xeon® D processors for data center systems.”—Navin Shenoy, Executive VP, General Manager of Data Center Group at Intel Corp.

According to Mr. Shenoy, in the majority of cases, these revised microcode patches will be available to customers through Intel’s OEM firmware partners (device vendors).

Updated 22 March 2018: Intel’s CEO Brian Krzanich mentioned that Intel has released microcode updates intended to protect chips from the Spectre and Meltdown vulnerabilities for 100% of products launched during the past five years.

He also announced hardware-based protection coming to the company’s chips, which will be implemented in next-generation Xeon processors and 8th-generation Core processors released in the second half of 2018. According to Krzanich, Intel has redesigned certain parts of the processors with partitioning to protect them from Spectre Variant 2 and Meltdown.

“Think of this partitioning as additional ‘protective walls’ between applications and user-privilege levels to create an obstacle for bad actors.”—Brian Krzanich, Intel CEO

News and Updates for Arm Processors

News and Updates for AMD CPU Spectre Vulnerabilities

Even though AMD isn’t susceptible to Meltdown, their processors are still prone to both variants of the Spectre attack. AMD is working closely with Microsoft to fix the issue that paused updates for older AMD chips this week. Linux vendors are also working on patches for AMD CPUs.

AMD News Update

Updated 18 January: Microsoft renews security updates for most AMD processors after fixing boot issues. More details in the Windows section of the article.

Windows OS News and Updates 

Microsoft Security Advisory contains issue descriptions, FAQ, and a list of security updates for supported Microsoft products that may be affected, including: Windows 7, 8, 10, Internet Explorer 11, and Edge, Microsoft Server, etc.

Microsoft Guidance on Windows Update contains consumer guidance information and articles, links to advisory information from Microsoft partners. Be sure to check out the list of firmware updates and links by vendor, download them if you haven’t done so already. The Windows update schedule for January 2018 is also provided with update descriptions.

Please note:

  • Security updates from Microsoft won’t provide full protection unless you install the firmware update for your device.
  • Before installing the Windows security update, make sure you have updated your antivirus (AV) software if you’re using a third-party product (not Windows Defender or Microsoft Security Essentials).

Check this doc to see whether your AV is compatible with the security update. Read this Microsoft knowledge base article explaining the reasons for AV update requirement.

Details on Antivirus Software Updates Required Prior to Windows Updates

A specific registry key must be set to ensure that the AV you use stays compatible with the changes introduced by the security updates, starting with the January 3 update and all subsequent patches.

If you aren’t receiving the updates yet, there are two possible situations:

  1. Contact your AV vendor’s support and install the registry key yourself. Install it only if you fully understand the risks and have carefully read the topics specified in the disclaimer: the “Changing keys and values” help topic in the Registry Editor (Regedit.exe), or the “Add and delete information in the registry” and “Edit registry data” help topics in Regedt32.exe. The key itself is provided in the above-linked article from the MS knowledge base.
  2. If you have an older AMD CPU and haven’t been receiving the updates, it is due to certain versions of the update rendering PCs unbootable. Here is the separate update containing the list of paused security patches from Microsoft.

Updated 18 January: Microsoft resumed security updates for most AMD processors after fixing boot issues. The list of resumed updates:

  • January 3, 2018—KB4056897 (Security-only update) for Windows 7 SP1, Windows Server 2012 R2; January 4, 2018—KB4056894 (Monthly Rollup). Issues fixed in KB4073578: Unbootable state for AMD devices in Windows 7 SP1 and Windows Server 2008 R2 SP1.
  • January 3, 2018—KB4056892 (OS Build 16299.192) for Windows 10 ver. 1709. Fixed in KB4073290: Unbootable state for AMD devices in Windows 10 Version 1709.
  • January 3, 2018—KB4056898 (Security-only update) for Windows 8.1, Windows Server 2012 R2; January 8, 2018—KB4056895 (Monthly Rollup) for Windows 8.1, Windows Server 2012 R2. Issues fixed in KB4073576: Unbootable state for AMD devices in Windows 8.1 and Windows Server 2012 R2.

Four more updates remain paused; the full list is available via the link in item 2 above.

How to Check for Updates in Windows 10

  1. Go to Start Menu
  2. Select Settings
  3. In Settings, click Check for updates.

How to Check for Updates in Windows 8, 8.1

  1. Go to System Settings
  2. Click on the Control Panel
  3. Go to System and Security
  4. Click Windows Update, and click Check for Updates.

How to Check for Updates on Windows 7

  1. Open Start Menu
  2. Click on Control Panel, then click on System and Security
  3. Select Windows Update, and click Check for Updates.

For some extra peace of mind, follow the instructions in this article from Howtogeek.com to see if your system is patched against Spectre and Meltdown on both the OS and firmware sides.
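The "is my system patched on both the OS and firmware sides" check can be scripted rather than clicked through. The following is an added example, not code from the article, from Microsoft or from Howtogeek: it first checks whether the January 2018 KBs listed in this article are installed, then uses Microsoft’s SpeculationControl PowerShell Gallery module (its Get-SpeculationControlSettings cmdlet and the BTI*/KVAShadow* properties it returns) to separate the OS-side mitigation from the firmware/microcode side. It assumes an elevated Windows PowerShell 5.1 session and internet access for the one-time module install; the KB list is illustrative and copied from the article, not a complete list of every Meltdown/Spectre update.

```powershell
# Added example (not from the article or from Microsoft): check whether the
# January 2018 Windows updates named in this article are installed, then ask
# Microsoft's SpeculationControl module for OS- and firmware-level mitigation status.
# Assumptions: elevated Windows PowerShell 5.1; internet access for Install-Module
# on first run; the KB list below is copied from the article and is illustrative only.

$ErrorActionPreference = 'Stop'

# KB numbers from the article's "resumed updates" list (Windows 7 SP1 / 8.1 / 10 1709).
$script:KnownPatches = @('KB4056897', 'KB4056894', 'KB4056892', 'KB4056898', 'KB4056895')

function Get-MeltdownSpectreHotfixStatus {
    # Reports, per KB, whether Windows lists it as an installed hotfix.
    param([string[]]$KbIds = $script:KnownPatches)
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    foreach ($kb in $KbIds) {
        [pscustomobject]@{ KB = $kb; Installed = ($installed -contains $kb) }
    }
}

function Get-MitigationSummary {
    # Get-SpeculationControlSettings is Microsoft's cmdlet; the property names used
    # below (BTI* for Spectre Variant 2, KVAShadow* for Meltdown) are the module's own.
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    $s = Get-SpeculationControlSettings

    [pscustomobject]@{
        # Variant 2 needs BOTH the firmware/microcode part and the OS part,
        # which is exactly the "OS patch + firmware update" point the article makes.
        SpectreV2FirmwarePresent = [bool]$s.BTIHardwarePresent
        SpectreV2OsEnabled       = [bool]$s.BTIWindowsSupportEnabled
        SpectreV2Mitigated       = ([bool]$s.BTIHardwarePresent -and [bool]$s.BTIWindowsSupportEnabled)
        # Meltdown: CPUs that are not vulnerable (e.g. AMD) report KVAShadowRequired = $false.
        MeltdownRelevant         = [bool]$s.KVAShadowRequired
        MeltdownOsEnabled        = [bool]$s.KVAShadowWindowsSupportEnabled
        MeltdownMitigated        = ((-not [bool]$s.KVAShadowRequired) -or [bool]$s.KVAShadowWindowsSupportEnabled)
    }
}

# Stand-alone run: print both reports.
Get-MeltdownSpectreHotfixStatus | Format-Table -AutoSize
Get-MitigationSummary | Format-List
```

Get-SpeculationControlSettings also prints its own colored report; the summary object above just maps it onto the two halves this article keeps stressing. If SpectreV2OsEnabled is true but SpectreV2FirmwarePresent is false after the Windows updates are in, the missing piece is the vendor firmware/microcode update, not another Windows patch.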

Updated 18 January: Malwarebytes warns against fake patches for Meltdown and Spectre.

Given that the news of Meltdown and Spectre has received massive coverage, it is no wonder bad actors tried to take advantage of the publicity.
In his post on the Malwarebytes blog, research lead Jérôme Segura covers the details of a phishing campaign reported by German authorities. Phishing emails lured users to a recently registered domain mimicking the German Federal Office for Information Security.
The adversaries even installed an SSL certificate for the domain in an attempt to mislead more vigilant users. It is worth noting that the presence of an SSL certificate only indicates that communication between the browser and the website is encrypted; it doesn’t guarantee that the website isn’t malicious. The certificate was revoked promptly after Malwarebytes reported the abuse to the certificate authority.

The fake website contained a downloadable archive posing as a patch for Intel and AMD CPUs, which in reality was an .exe file that installs Smoke Loader, a piece of malware that may download other malicious payloads as instructed by the adversary.

Remember: Neither software nor hardware vendors normally use email to send patches directly to users. As a rule, patches are available for download from the vendor’s website. OS manufacturers may link to vendors’ websites on their support pages, since these entities often work together on threat mitigation.

Updated 9 February 2018. Microsoft releases an update to disable Intel’s patch for Spectre Variant 2 (CVE-2017-5715).

Update released for: Windows 7 SP1, Windows 8.1, Windows 10 (multiple versions), Windows Server 2008 R2 Standard, Windows Server 2012 R2 Standard. Earlier, Intel reported issues with their microcode update for Spectre Variant 2, stating that it could cause reboots and other issues.

Updated 6 March: Windows security updates were released in February, targeting 32-bit (x86) operating system versions. These updates will be downloaded and installed automatically. Partial updates are possible if you have installed earlier updates on your device.

See the full list of Windows 10 and Windows Server versions included in the update under the February 2018 Windows operating system updates.

These updates will not disable Spectre Variant 2 protection (CVE-2017-5715) like update 4078130, which we mentioned in our entry from February 9th. The need to disable protection in that particular case was caused by unstable PC behaviour (rebooting, etc.) following Intel’s microcode patch for Spectre Variant 2.

Updated 6 March 2018: Windows Operating System Updates

John Cable, Director of Program Management, Windows Servicing and Delivery, wrote a blog post regarding the latest developments in mitigation efforts for the CPU vulnerabilities. He announced that on March 1st, Microsoft made a few Intel microcode updates available for Intel Skylake-based systems running the most common version of Windows 10 (Windows 10 Fall Creators Update). For more details, please see the description: KB4090007

More microcode updates are on the way, Mr. Cable mentioned. Users can monitor the microcode updates table (linked in the Intel section of the article, entry from February 9th). It is advised to check your device’s chipset and contact an authorized vendor about firmware updates for your specific device model.

Additionally, Mr. Cable stressed that third-party AVs installed on Windows machines are required to be compatible with the security updates to prevent unsupported calls into OS kernel memory. Updates will be delivered only to systems with compatible AVs. To check for compatibility, use the link provided earlier in the Windows section of this article.

Updated 22 March 2018: Microsoft continues to issue updates for 32-bit (x86) editions of Windows 7 SP1 and 8.1. An update shipped on March 13th provides protection from the Meltdown vulnerability.

For Windows 10, Microsoft has significantly expanded the list of Intel-validated microcode updates available via the Microsoft Update Catalog. The list includes Intel platforms such as Skylake, Kaby Lake, and Coffee Lake CPUs for Windows 10 version 1709. The full list of updates against Spectre Variant 2 for Windows 10 is available in KB4093836.

Microsoft has been working with third-party AV vendors to achieve compatibility with the security updates. Certain AV products have been in conflict with the Windows security patches, making unsupported calls into OS kernel memory. Microsoft decided to lift its AV-compatibility check for the March Windows security updates on supported Windows 10 devices. This change will allow Windows cumulative security updates, including protections from Spectre and Meltdown, to be installed on a wider range of devices. To avoid system stability issues, Microsoft continues to require that AV software be compatible and will block devices with AV-driver compatibility issues from receiving updates.

Important: Microsoft issues a reminder that Windows 10 version 1607 (Anniversary Update) will reach its end of service on April 10, 2018, when its final security update is due to be released. It is recommended to update to the latest and most secure Windows 10 version, 1709 (Fall Creators Update). In case you haven’t received a download offer on your older version of Windows, use the link to the Software Download Site.

As always, it is recommended to check with your CPU and device manufacturer on the availability of applicable firmware updates for your specific device, and also Intel’s Microcode Revision Guidance.

Microsoft Azure Updates Against Spectre

Microsoft has also updated their cloud computing platform, Azure.

Microsoft Edge and Internet Explorer Updates for Spectre

Microsoft has shipped some Edge and IE browser mitigations and patches with the January 3 update. Microsoft will continue to look into possible browser-related exploitation of the vulnerabilities, issuing additional updates when needed.

Get an Ad Blocker: Minimize Browser Exploitation from Spectre

Installing an ad blocker creates an extra layer of protection for your browser against possible Spectre exploitation through weaponized ads and malvertising.

Google News and Patches for Spectre

Google’s Project Zero was one of the teams who discovered the vulnerabilities and worked with vendors on mitigation.

  • Google announced that all G Suite (Gmail, Drive, Calendar, etc.) applications have been updated and that no extra action is required on the users’ side.
  • Take a look at the full list of Google products and mitigation status (in most cases everything has been taken care of by Google themselves).

Android Updates for Spectre

Google patched their own devices (Nexus, Pixel, etc.) and shipped the patches to Android device vendors. Check here to see whether your device is getting mitigations soon.

Google Chrome Browser Updates for Spectre

Consider using the site isolation technique that is supported on Chrome ver. 63 and later. It prevents Spectre exploitation. Also, using an ad blocker may provide extra protection. Google’s own mitigation for the attacks, Retpoline, is showing negligible impact on performance.
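On a single PC, site isolation is a per-user flag in chrome://flags; on a fleet it is better enforced centrally. The following is an added example, not code from the article or from Google: it sets Chrome’s SitePerProcess enterprise policy machine-wide on Windows and verifies it. It assumes Chrome 63 or later, an elevated session, and Chrome’s documented Windows policy location HKLM:\SOFTWARE\Policies\Google\Chrome.

```powershell
# Added example (not from the article or from Google): enforce Chrome site
# isolation machine-wide through the SitePerProcess enterprise policy instead of
# relying on each user to flip it in chrome://flags, then verify the setting.
# Assumptions: Chrome 63+, an elevated session, and Chrome's documented Windows
# policy registry location below.

$ChromePolicyPath = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Enable-ChromeSiteIsolation {
    # Weak state: no policy key, so site isolation depends on each user's flag.
    if (-not (Test-Path $ChromePolicyPath)) {
        New-Item -Path $ChromePolicyPath -Force | Out-Null
    }
    # Corrected state: DWORD 1 forces one renderer process per site; a
    # policy-set value cannot be overridden from chrome://flags.
    New-ItemProperty -Path $ChromePolicyPath -Name 'SitePerProcess' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-ChromeSiteIsolation {
    # Returns $true only when the policy value is present and set to 1.
    $item = Get-ItemProperty -Path $ChromePolicyPath -Name 'SitePerProcess' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.SitePerProcess -eq 1)
}

Enable-ChromeSiteIsolation
if (Test-ChromeSiteIsolation) {
    'SitePerProcess policy is enforced; restart Chrome for it to take effect.'
} else {
    'SitePerProcess policy is not set.'
}
```

After restarting Chrome, chrome://policy should list SitePerProcess as set, and Chrome’s own task manager should show separate renderer processes per site rather than per tab.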

Apple News and Updates for Meltdown and Spectre

Apple has released an advisory document describing the impact of the security issues, stating that nearly all of its devices are affected, except Apple Watch.

“Apple has already released mitigations for iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. To help defend against Spectre, Apple has released mitigations in iOS 11.2.2, the macOS High Sierra 10.13.2 Supplemental Update, and Safari 11.0.2 for macOS Sierra and OS X El Capitan. Apple Watch is not affected by either Meltdown or Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, and tvOS.”—Apple Support

Meanwhile, Apple recommends that users download software only from trusted sources, since one of the ways an attack can be delivered is through apps loaded on a user’s device.

Mozilla News and Updates for Meltdown and Spectre

Since both attacks rely heavily on timing measurements, Mozilla has taken steps to reduce the precision of timing sources and has disabled a feature that adversaries could abuse to build a higher-accuracy timer. Security mitigations are available starting with version 57.0.4.

We will be updating this article regularly with the news about the patches and other information you may need to keep your devices secure.

Don’t see your device? Leave a comment and we’ll see what we can do to help you get the updates you need.
