
SANS ISC: Spectre and Meltdown: What You Need to Know Right Now - SANS Internet Storm Center SANS ISC InfoSec Forums


Spectre and Meltdown: What You Need to Know Right Now
A great article is this one from Malwarebytes, which shows what you should see when you run the PowerShell verification, before and after applying the Windows patch: https://www.bleepingcomputer.com/news/microsoft/how-to-check-and-update-windows-systems-for-the-meltdown-and-spectre-cpu-flaws/
Anonymous
From what I gather:
- on Windows CLIENTS, installing the patch AUTOMATICALLY enables the protection (tested on my PC)
- on Windows SERVERS, installing the patch DOES NOT automatically enable the protection. You have to also set the registry keys mentioned in https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution in order to enable the protection. Surely this decision was made because of the greater potential for performance impact on servers: you have to take additional steps in order to enable the protection.

In both cases (client and server), this process protects you from Meltdown. But in order to also be fully protected from Spectre, you need to also upgrade the Intel chip firmware. Those updates are slowly being released directly through PC manufacturers: https://newsroom.intel.com/news-releases/intel-issues-updates-protect-systems-security-exploits/
Anonymous
Quoting Paul: Am I reading the MS guidance on servers correctly? Doesn't it say that even after applying patches the server is not protected unless you also "switch it on" by setting registry keys?
This is very confusing. Do I need to set the keys in the registry or not??


Yes, you need the 3 steps.

Microsoft included this note:
Important Customers who only install the Windows update will not receive the benefit of all known protections.
Anonymous
Apple is now reporting:

All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time.

https://support.apple.com/en-us/HT208394
Bill D.

1 Posts
If your AV provider hasn't released a version of their software that adds the registry key AND they have confirmed that their software is compatible with the fix, then yes, you need to add the registry key. If you want to patch immediately and know that your AV is compatible, you can add the key. Otherwise, you'll have to wait until the AV vendor releases an update that does it.
Rod

5 Posts
To summarize:
1- Make sure your Antivirus is certified for the Jan 2018 updates. Update your AV.
2- Verify the reg keys listed on the MS document are set. (seems like on server OS it has to be done manually)
3- Install the MS updates.
4- Install your hardware updates (when they are available)

https://answers.microsoft.com/en-us/windows/forum/windows_10-security/meltdown-and-spectre-vulnerabilities-intel-chip/ead3f25e-6c55-4359-9cd9-5be87cbe7b4f?tm=1515112854943
Anonymous
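
Added example, not part of any post in this thread and not Microsoft's code: a read-only PowerShell helper that maps the output of the verification cmdlet (Get-SpeculationControlSettings, from Microsoft's SpeculationControl module) onto the steps discussed above. The function name Get-MitigationGap, the wording of each gap and the sample object are constructed for illustration; check the property names against the module version you install.

```powershell
# Added example: interpret the verification output against the thread's checklist.
# Read-only: it reports gaps and changes nothing on the system.
function Get-MitigationGap {
    param([Parameter(Mandatory)] $Settings)

    $gaps = @()
    # Meltdown: kernel VA shadowing must be installed AND enabled where required.
    if ($Settings.KVAShadowRequired) {
        if (-not $Settings.KVAShadowWindowsSupportPresent) {
            $gaps += 'Meltdown: OS update not installed'
        } elseif (-not $Settings.KVAShadowWindowsSupportEnabled) {
            $gaps += 'Meltdown: update installed but not enabled (server registry keys?)'
        }
    }
    # Spectre (branch target injection): needs OS support AND firmware support.
    if (-not $Settings.BTIWindowsSupportPresent) {
        $gaps += 'Spectre: OS update not installed'
    } elseif (-not $Settings.BTIWindowsSupportEnabled) {
        if ($Settings.BTIDisabledBySystemPolicy) {
            $gaps += 'Spectre: disabled by system policy (registry keys not set)'
        }
        if ($Settings.BTIDisabledByNoHardwareSupport -or -not $Settings.BTIHardwarePresent) {
            $gaps += 'Spectre: firmware/microcode update missing'
        }
    }
    return ,$gaps
}

# Constructed sample: a server with the OS update installed, but without the
# registry keys and without the firmware update.
$sample = [pscustomobject]@{
    BTIHardwarePresent             = $false
    BTIWindowsSupportPresent       = $true
    BTIWindowsSupportEnabled       = $false
    BTIDisabledBySystemPolicy      = $true
    BTIDisabledByNoHardwareSupport = $true
    KVAShadowRequired              = $true
    KVAShadowWindowsSupportPresent = $true
    KVAShadowWindowsSupportEnabled = $false
}

# Use the live result when the module is installed, otherwise the sample.
$settings = if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings
} else { $sample }

$result = Get-MitigationGap -Settings $settings
if ($result.Count -eq 0) { 'No gaps reported' } else { $result }
```

For the constructed sample this lists three gaps: Meltdown installed but not enabled, Spectre disabled by system policy, and Spectre firmware missing.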
If the OS is running on a VM & the underlying hypervisor (VMware) is patched, does the OS still need to be patched?
AAInfoSec

48 Posts
Is it just *servers* that need the fix enabled with the registry keys?.... or all systems?

This article doesn't say "just servers need it"

https://www.kb.cert.org/vuls/id/AAMN-AUP5VG
K-Dee

63 Posts
None, but chip fabrication is not a fast process. The chip manufacturers are working on firmware, but it's unclear to what extent that will help.
John

255 Posts
ISC Handler
Quoting AAInfoSec: If the OS is running on a VM & the underlying hypervisor (VMware) is patched, does the OS still need to be patched?


Both host and VM need patched.
John

255 Posts
ISC Handler
Assuming the performance impact associated with the patches is true, I would think there will be significant economic consequences for cloud providers.

As in: hardware upgrades.

True?
moksha53

2 Posts
Quoting K-Dee: Is it just *servers* that need the fix enabled with the registry keys?.... or all systems?

This article doesn't say "just servers need it"

https://www.kb.cert.org/vuls/id/AAMN-AUP5VG


I had the same questions, but look at the MS document for Win 7, 8 and 10 (if you have Win XP you are *****):
https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in
See that there is no registry change. Just run a PS script to verify.

Now, read the MS document for Win 2008, 2012 and 2016 (if you have Win 2003 you are *****):
https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
Now, you will see the reg keys that need to be changed, plus the PS script to verify.

MS is not clear about that, but everything points to you needing to do that on servers because of fear of a performance penalty.
Anonymous
Ubuntu update delayed until Jan 9th

If you happen to be running Ubuntu in your environment, you will have to wait a bit longer for their patches. According to them, this was supposed to be a coordinated release with all vendors on 1/9/2018, but people jumped the gun and they weren't quite ready.

Their statement is here:

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown?_ga=2.251192192.746852361.1515183124-613050837.1515183124
Derek

1 Posts
