Spectre Meltdown Microsoft Patch Download
I’m increasingly skeptical of security holes that have their own logos and PR campaigns. Yesterday’s sudden snowballing of disclosures about two groups of vulnerabilities, now known as Meltdown and Spectre, has led to enormous numbers of reports of varying quality, and widespread panic in the streets. In the case of Intel's stock price, that's more like blood in the streets.
While it’s true that both vulnerabilities affect nearly every computer made in the past two decades, it’s also true that the threat — especially for plain-vanilla Windows users — isn’t imminent. You should be aware of the situation, but avoid the stampede. The sky isn’t falling.
How the Meltdown and Spectre flaws were discovered
Here’s how it all unwound. Back in June 2017, a security researcher named Jann Horn, working for Google’s Project Zero team, discovered a way for a sneaky program to steal information from parts of a computer that are supposed to be off limits. Horn and Project Zero notified the major vendors — Google, of course, as well as Intel, Microsoft, Apple, AMD, Mozilla, the Linux folks, Amazon and many more — and a quiet effort began to plug the security holes without alerting “the bad guys.”
Although the Linux community leaked details, with the KAISER series of patches (later renamed KPTI, kernel page-table isolation) posted in October, few realized the magnitude of the problem. By and large, people in the know agreed to keep it all quiet until Jan. 9 — this month’s Patch Tuesday.
On Monday, Jan. 1, the beans started spilling. An anonymous poster calling him/herself Python Sweetness put it out in the open:
There is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November. In the worst case the software fix causes huge slowdowns in typical workloads.
John Leyden and Chris Williams at The Register turned the leak into a gush on Tuesday, with details about the effort to plug the Meltdown security hole:
A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug.
Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday: These changes were seeded to beta testers running fast-ring Windows Insider builds in November and December.
By Wednesday, the Patch Tuesday gag was thrown to the wind, with a definitive statement by Google’s Project Zero, festooned with official logos (“free to use, rights waived, via CC0”), and metric tons of ink followed. There are thousands of explainer articles circulating at the moment.
If you need an overview, look at Catalin Cimpanu’s essay in BleepingComputer or The New York Times piece from Cade Metz and Nicole Perlroth. The Times says:
The Meltdown flaw is specific to Intel, but Spectre is a flaw in design that has been used by many processor manufacturers for decades. It affects virtually all microprocessors on the market, including chips made by AMD that share Intel’s design and the many chips based on designs from ARM in Britain.
Those of you hating on Intel should note that there’s plenty of blame to go around. That said, I still cast a jaundiced eye at CEO Brian Krzanich selling $24 million in INTC stock on Nov. 29.
Microsoft releases Windows patches
Yesterday evening, Microsoft released Windows patches — Security-only Updates, Cumulative Updates, and Delta Updates — for a wide array of Windows versions, from Win7 onward. See the Update Catalog for details. (Thx, @Crysta). Note that the patches are listed with a “Last Updated” date of Jan. 4, not Jan. 3, the nominal release date. The Win7 and 8.1 patches are Security Only (the kind you have to download from the Catalog and install manually). I’ve been assured that the Win7 and 8.1 Monthly Rollups will come out next week on Patch Tuesday.
The Win10 patch for Fall Creators Update, version 1709, contains other security fixes besides those related to Meltdown. The other Win10 patches appear to be Meltdown-only. Those of you running the beta version of Win10 1803, in the Insider Program, have already received the patches.
BUT… Windows Update won’t offer you the patches unless and until your antivirus software sets a specific registry value: a REG_DWORD named cadca5fe-87d3-4b96-b7fb-a231484277cc under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat. (It now appears as if the data stored in the value doesn’t matter; just the presence of the registry entry unlocks delivery of the Meltdown patch. Thx, @abbodi86, @MrBrian.) If you’re running third-party antivirus, it has to be updated before Windows Update will hand you the Meltdown patch. The reason for the gate is that some antivirus products make unsupported calls into kernel memory, and the new kernel page-table isolation breaks them, which is why there are known problems with bluescreens for some antivirus products.
There are also cumulative updates for Internet Explorer 11 in various versions of Win7 and 8.1 listed in the Update Catalog. The fixes for Win10, and for Edge, are inside the respective Win10 cumulative updates. Microsoft has also released fixes for SQL Server 2016 and 2017.
Note that on Windows Server the patches install the mitigations but do not enable them by default. Those of you who want to turn on Meltdown (and Spectre variant 2) protection have to set FeatureSettingsOverride = 0 and FeatureSettingsOverrideMask = 3 (both REG_DWORD) under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, then reboot. (Thx @GossiTheDog)
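The two registry checks above (the antivirus-compatibility value that gates Windows Update, and the Server-side switch that turns the mitigations on) are easy to get wrong by hand, so here is an added example, not from the article or from Microsoft, that does both and then verifies the result with Microsoft’s published SpeculationControl module. The key paths, value names and the cmdlet’s property names are Microsoft’s; the function names and the `$HyperVHost` switch are my own. Run it in an elevated PowerShell session; the Server change only takes effect after a reboot.

```powershell
# Added example (not from the article): check the AV-compatibility gate, enable the
# Server-side kernel mitigations, and report the state the kernel actually exposes.
#Requires -RunAsAdministrator

$compatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # REG_DWORD the AV vendor is supposed to create
$mmKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$virtKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Test-AvCompatKey {
    # Windows Update offers the January 2018 fixes only when this value exists;
    # its data is irrelevant, so we test presence rather than content.
    $null -ne (Get-ItemProperty -Path $compatKey -Name $compatName -ErrorAction SilentlyContinue)
}

function Enable-SpeculationMitigations {
    param([switch]$HyperVHost)   # hypothetical switch name, not a Microsoft setting
    # FeatureSettingsOverride = 0 with FeatureSettingsOverrideMask = 3 enables both the
    # Meltdown (KVA shadow) and Spectre variant 2 (branch target injection) OS mitigations.
    if (-not (Test-Path $mmKey)) { New-Item -Path $mmKey -Force | Out-Null }
    New-ItemProperty -Path $mmKey -Name FeatureSettingsOverride     -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $mmKey -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3 -Force | Out-Null
    if ($HyperVHost) {
        # On a Hyper-V host this lets existing VMs, not only newly created ones,
        # use the CPU-based mitigations once the microcode is present.
        if (-not (Test-Path $virtKey)) { New-Item -Path $virtKey -Force | Out-Null }
        New-ItemProperty -Path $virtKey -Name MinVmVersionForCpuBasedMitigations `
            -PropertyType String -Value '1.0' -Force | Out-Null
    }
}

function Get-MitigationStatus {
    # Microsoft's SpeculationControl module (PowerShell Gallery) queries the kernel directly,
    # so it reflects what is really active, not just what the registry says.
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    $s = Get-SpeculationControlSettings
    [pscustomobject]@{
        AvCompatKeyPresent        = Test-AvCompatKey
        MeltdownFixRequired       = $s.KVAShadowRequired               # $false on CPUs not affected by Meltdown (e.g. AMD)
        MeltdownOsFixEnabled      = $s.KVAShadowWindowsSupportEnabled  # stays $false on Server until the registry change + reboot
        MeltdownPcidInUse         = $s.KVAShadowPcidEnabled            # $true where PCID softens the TLB-flush cost
        SpectreV2OsFixEnabled     = $s.BTIWindowsSupportEnabled
        SpectreV2MicrocodePresent = $s.BTIHardwarePresent              # $false until the OEM firmware/microcode update arrives
    }
}

# Typical use on a server:
#   Enable-SpeculationMitigations        # then Restart-Computer
#   Get-MitigationStatus | Format-List
```

On a client machine you would normally skip `Enable-SpeculationMitigations` (the client patch enables the mitigations itself) and just look at the status object: `AvCompatKeyPresent` tells you whether Windows Update will offer the patch at all, and `SpectreV2MicrocodePresent` is the one that stays `$false` until your PC maker ships firmware.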
Windows XP and Server 2003 don’t yet have patches. No word on whether Microsoft will release those sooner or later.
Kevin Beaumont, @GossiTheDog, is maintaining a list of antivirus products and their Meltdown-related problems. On Google Docs, of course.
Meltdown and Spectre facts
With all the news swirling, you might feel inclined to get patched up right now. I say wait. There’s a handful of facts that stand in the way of a good scare story:
- There are no active exploits for either Meltdown or Spectre, although there are some demos running in labs.
- Updating Windows (or any operating system, including macOS and ChromeOS) isn’t sufficient for Spectre variant 2. The OS-only fix for Meltdown (kernel page-table isolation, which Microsoft calls KVA shadow) works on its own, but the branch-target-injection mitigation needs new CPU microcode, delivered as a firmware update, and none of the major PC manufacturers have firmware updates yet. Not even Microsoft.
- It’s unclear at the moment which antivirus products set the magic registry key, although Windows Defender appears to be one of the compliant products.
- If the world were ending, Microsoft would’ve released Monthly Rollups for Win7 and 8.1, yes?
In addition, we have no idea how these rushed-to-market patches are going to clobber the billion or so extant Windows machines. I’m already seeing a report of conflicts with Sandboxie on AskWoody, and Yammer going offline isn’t reassuring.
It’s possible Microsoft’s kernel team has pulled off another change-the-blades-while-the-blender-is-running feat. But it’s also possible that we’ll hear loud screams of pain from many corners today or tomorrow. The anticipated performance penalty may or may not pan out.
There's an enormous amount of official Microsoft documentation:
- Security Advisory ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities
- Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities (which includes the warning about firmware updates)
- Windows Server Guidance to protect against the speculative execution side-channel vulnerabilities (which includes a PowerShell script to see if your machine is protected)
- Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer
- Important information regarding the Windows security updates released on January 3, 2018 and antivirus software
- Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities
- SQL Server Guidance to protect against speculative execution side-channel vulnerabilities
Just about every hardware or software manufacturer you can name has its own warnings/explanations posted. I found AMD's response particularly enlightening: AMD says Meltdown (variant 3) does not apply to its chips at all because of architecture differences, and that Spectre variant 2 poses 'near zero risk' on AMD processors, with variant 1 covered by the OS patches. Reddit has a megathread devoted specifically to the topic.
Grab a box of popcorn and join us on the AskWoody Lounge.
A critical flaw was found in practically every Intel processor of the past two decades. The vulnerability allows an unprivileged program to read protected kernel memory. This chip-level flaw cannot be fixed with a CPU microcode (firmware) update. Instead, it requires a change in the OS kernel: the kernel's mappings are removed from the page tables used by user-mode code (kernel page-table isolation, or KVA shadow in Microsoft's terms). Earlier today, Microsoft released security patches for Windows 10. The appropriate patches are now available for Windows 7 and Windows 8.1.
Here are some details.
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre. Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.
Refer to these web sites:
- https://spectreattack.com/
- https://meltdownattack.com/
Patches have already been released for Windows 10, Linux and macOS. Now, the same updates are available for Windows 7 and Windows 8.1.
Download CPU flaw fixes
- KB4056898 for Windows 8.1
- KB4056897 for Windows 7 SP1
Also, the updates can be downloaded from the Windows Update catalog.
- Windows 8.1
- Windows 7 SP1
An unfortunate consequence of this security vulnerability is that its patches are expected to slow devices down by anywhere between 5 and 30 percent, depending on the processor and the software being used; the cost is paid on every transition between user mode and kernel mode (system calls, interrupts), so I/O-heavy and syscall-heavy workloads suffer most. Even ARM and AMD CPUs may see some degradation from the Spectre mitigations, although the page-table split that costs the most is only needed on CPUs vulnerable to Meltdown. According to Intel, processors with PCID / ASID support (Skylake or newer) will have less performance degradation, because process-context identifiers let the kernel switch page tables without flushing the entire TLB each time.