Published Date : 04 Jan 2018
Last Updated : 18 Apr 2019
Content Ref: TEC6034048
On 03/01/2018, details emerged of a number of vulnerabilities known as speculative execution side-channel attacks, more commonly called Meltdown and Spectre, which affect most modern processors and operating systems.
- Details of the Microsoft® Security Advisory are available here.
- A more detailed explanation from Google Project Zero is available here.
- RM Unify, Microsoft Office 365™ and Google G Suite are unaffected by this issue.
- An RM blog with some additional background information can be found here.
Note: Most of the TEC articles referenced below will require you to have a Network Support Contract to access them. We will also update this article as soon as new information becomes available, so check back regularly.
Microsoft are also providing regular updates in the following comprehensive article - https://support.microsoft.com/en-gb/help/4073757/protect-your-windows-devices-against-spectre-meltdown.
What do I need to do about Meltdown and Spectre?
The following checklist is a general guideline to patching your computers:
- Ensure that your anti-virus is up to date - the anti-virus solution will add a registry key to Windows clients that will then allow them to download and apply the operating system patch from Microsoft. For more information, refer to the 'RM Supported anti-virus' section below.
- If you have a CC4 network then the February 2018 Microsoft patches (and beyond) should automatically approve for your network. If you do use RMVP (Symantec Endpoint Protection) then please refer to this Blog for additional information.
- Windows Servers need to have additional registry keys added to activate the patch. For CC4 customers, we have released CC4UPD211. (Note: Microsoft have advised in their articles that installing this patch will result in a performance hit on all clients - details of our findings are in DWN6046461 which is the release article for CC4UPD211).
- Check which of your devices need a firmware (BIOS/ UEFI) update to protect against the Spectre vulnerability. For more information, refer to the 'Firmware updates' section below.
- Check your hypervisor solutions and other devices to ensure that your complete network has been understood and patched. Advice for hypervisors, Apple, Google, etc. can be found below.
Note: Non-CC4 servers will need to have the activation registry keys added manually. Please refer to this article for more details on this (or use the batch files attached to this article - download the 'enablemeltdownpatch.bat' file to your server, then double-click to run. Do not use the 'Run as administrator' option here. Now reboot the server). Again note that Microsoft advises that enabling these mitigations may affect performance.
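The registry state that the anti-virus and server steps of the checklist depend on can be audited without changing anything. The following is an added example, not RM's or Microsoft's script; the key and value names are the ones Microsoft documents in its January 2018 guidance and do not appear in this article, and the function names are hypothetical. It assumes PowerShell 3.0 or later.

```powershell
# Added example: read-only audit, makes no changes to the registry.
# Key/value names are from Microsoft's January 2018 guidance, not from this article.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-MitigationRegistry {
    $qc = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $vz = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

    # Set by a compatible anti-virus product; Windows Update withholds the patch without it.
    $avFlag   = Get-RegValue $qc 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    # Server activation values: 0 and 3 switch the mitigations on.
    $override = Get-RegValue $mm 'FeatureSettingsOverride'
    $mask     = Get-RegValue $mm 'FeatureSettingsOverrideMask'
    # Hyper-V hosts only: expected to be the string '1.0'.
    $minVm    = Get-RegValue $vz 'MinVmVersionForCpuBasedMitigations'

    # ProductType 1 = workstation, 2 = domain controller, 3 = member server.
    $isServer  = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
    $avReady   = ($avFlag -eq 0)
    $activated = ($override -eq 0 -and $mask -eq 3)

    $todo = @()
    if (-not $avReady) { $todo += 'Update anti-virus so the compatibility key is written' }
    if ($isServer -and -not $activated) { $todo += 'Add the server activation keys, then reboot' }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        IsServer           = $isServer
        AvCompatKeyPresent = $avReady
        ServerKeysSet      = $activated
        HyperVMinVmVersion = $minVm
        Outstanding        = $todo -join '; '
    }
}

Test-MitigationRegistry | Format-List
```

This reports registry state only; whether the operating system and firmware mitigations are actually active is what Microsoft's `Get-SpeculationControlSettings` (SpeculationControl module) reports.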
RM recommend Trend Micro as our current anti-virus offering.
For information regarding Trend Micro on-premise, please refer to TEC6041686.
Trend Micro - Cloud has already been updated by Trend Micro. Clients where the Security Agent version is 6.2.1220 or above will have the relevant registry key in place to allow the Microsoft Updates to install. There was a further major upgrade to Trend Micro - Cloud, to version 6.3, on 27/01/2018; please refer to TEC6060342.
RMVP 6.8 is now available with the patches from Symantec for some issues reported as the Meltdown patches became available - please see the following section for details.
We have also published a blog here with additional information.
We have now moved back to our normal approval process for WSUS and CC4 customers should find that the February 2018 updates and beyond start to apply. RMVP customers should have acted upon the actions below (see RM Anti-Virus Advice in the More Information section below) to ensure that the Symantec AV product continues to function.
Checking your computers via a PowerShell script
We have published a PowerShell script to help you to check your network and validate if a computer is vulnerable or not. This is a modification of a Microsoft script - we have added the ability for the script to run remotely. For more information, please refer to TEC6090000.
For RM Recommends and RM Hardware computers and servers, firmware patching advice can be found in TEC6039891 in the Other Useful Articles section below. This contains links to each of the relevant firmware (BIOS / UEFI) updates that have been made available.
Note: Given the number of issues being reported with firmware releases we advise you wait two weeks once an update has been released before applying, but ensure that you have a plan ready for the upgrade immediately should the urgency change.
General advice / BitLocker
Always ensure that you follow all of the system suppliers' recommendations when updating a BIOS / UEFI.
It is recommended that if BitLocker is enabled on your system you suspend it prior to running the BIOS / UEFI update. Once the system has rebooted after the update please enable BitLocker.
VMware have released patches for this issue, please follow TEC2637069.
For advice on patching the hosts follow TEC5697304.
General hypervisor / VM patching instructions
For any hypervisor, we recommend that the following steps are followed:
- Apply the firmware (BIOS / UEFI) update for the host hardware (although at present we are recommending that you omit this step).
- If your hypervisor is Hyper-V, then you should check that the anti-virus solution running on it is compatible.
- Patch the hypervisor itself (see the details above for Hyper-V and VMware).
Note: For Hyper-V you will also need to add the registry keys to enable the OS patch on the server.
- Patch each VM running on the hypervisor. Again, if the VM runs a server operating system, you will need to check the anti-virus solution and add the registry keys to enable the operating system patch on the server.
Be aware that cybercriminals are already taking advantage of the news generated by these vulnerabilities, and fake patches that deliver malware are surfacing. Ensure that you are using the trusted vendor websites when downloading firmware patches (and getting the Microsoft patches via WSUS).
Details of the Apple response are available here.
Details of the Google recommendation for Chrome users are available here.
An RM article with additional advice can be found in TEC6046757 (Protecting Chromebooks / Android devices from Spectre / Meltdown vulnerabilities).
As usual (for routers, switches, firewalls, etc.), please check with the manufacturer.
If you are not using an RM supported anti-virus solution, you should contact your vendor to confirm the compatibility status of the anti-virus product.
It is possible to force these updates to install regardless of your anti-virus's compatibility status by creating a specific registry key. We do not recommend manually creating this key unless your vendor has confirmed their product is compatible. Enabling the installation of these updates on an incompatible system could cause instability.
CC4 customers should ensure that they have updates CC4UPD203, CC4UPD204 and CC4UPD205 so that their local WSUS instance is pulling the list of the latest set of approved updates from us. Also note that the changes in CC4UPD204 require a new URL to be allowed through any firewall.
Microsoft do advise that applying these changes to your computers may result in a performance hit.
At the time of writing there are no known active exploits for these vulnerabilities but this may change. Any exploit is likely to require some sort of user interaction such as opening a malicious email attachment or web link and as such the best defence is educating users not to open suspicious attachments or links.