How to patch Microsoft Windows for Meltdown and Spectre
Users and administrators need to practice good security hygiene by keeping their software up-to-date and avoid suspicious links and downloads. Remember that these vulnerabilities depend on malware running locally to successfully launch an exploit. The patching administrator needs to determine if you can accept the risk and not enable these updates. Many of the patches released in May and July are not enabled for desktop systems as well. That’s why many of these updates are not enabled by default for server operating systems and you need to manually enable the mitigation. Also, be aware that many of these patches impact performance of the machine. If you do not have both pieces, you will not be fully protected. The fixes to prevent these vulnerabilities include a software patch from Microsoft and a hardware BIOS or firmware update. Below is a summary of the Common Vulnerability and Exposures (CVEs) representing side channel vulnerabilities known as this time and advice on deploying Microsoft’s patches for them. Microsoft has previously released patches for Windows to mitigate the risk of earlier Spectre and Meltdown vulnerabilities, and it has recently added patches for the new vulnerabilities. Spectre and Meltdown impact AMD, ARM, Nvidia and Intel processors and prey on technologies designed to speed up computers.Īlthough there are no known exploits of the earlier or new Spectre and Meltdown vulnerabilities, each has the potential to expose sensitive data. To recap why these vulnerabilities are dangerous, both can allow hackers to access data from a computer’s memory using side channels, circumventing protective mechanisms. Spectre and Meltdown pointed out the need to proactively patch firmware. Then on June 13, 2018, Intel released a security advisory on the Lazy FP State Restore vulnerability, CVE-2018-3665, involving side channel speculative execution.
The customer risk from both disclosures is low. On May 21, 2018, Google Project Zero (GPZ), Microsoft and Intel disclosed two new Spectre- and Meltdown-related chip vulnerabilities: Speculative Store Bypass (SSB) and Rogue System Registry Read.