Meltdown & Spectre: Microsoft releases emergency patches, US-CERT says to replace CPU

If you didn't receive the emergency Windows Meltdown patch, then your antivirus is incompatible.

Meltdown & Spectre: Microsoft releases emergency patches
OpenClipArt-Vectors (CC0)

Researchers at Google’s Project Zero set the tech world on its ear by revealing two major vulnerabilities, dubbed Spectre and Meltdown, in processors that could be exploited to steal sensitive information such as passwords, encryption keys, even photos. A malicious program could also exploit the flaws to read data from other programs, such as business documents, email, chat programs and more.

The researchers discovered the vulnerabilities in 2017, but they publicly disclosed them yesterday. The flaws are related to “speculative execution”— a technique used by all modern CPUs. Nearly every processor made since 1995 is vulnerable to Meltdown, and almost every modern system is vulnerable to Spectre. In theory, there have been no known attacks exploiting the vulnerabilities, but it’s not like an agency such as the NSA would tweet: dang, attacks foiled now!

With the details now in the public domain, bad actors are likely busy working on attacks. There have been a flurry of security advisories issued by Intel, AMD, Android, the Linux Foundation, Microsoft: 1 (servers), 2 (client), 3 (Azure), ARM, Google, Amazon, the Chromium Project, Mozilla, Nvidia, Redhat and Xen. There’s been no official word from Apple yet, but Macs are reportedly affected.

What’s affected by Meltdown and Spectre?

In a nutshell, most modern systems.

Here’s the description of what is affected by Meltdown (pdf):

Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.

Here's the description of what is affected by Spectre (pdf):

Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.

US-CERT: Replace CPU

So, what are you supposed to do? The solution, according to US-CERT, is to replace the CPU hardware. It says: “The underlying vulnerability is primarily caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware.”

Applying software updates was also recommended, as doing so will “mitigate the underlying hardware vulnerability.”

If you didn’t receive the emergency Windows patch, then your antivirus is incompatible

Since replacing the hardware is unlikely on a worldwide scale, the next best option is to patch. If you have Windows, then you should have received the Windows security update yesterday.

If you didn’t receive the out-of-band update released yesterday, then Microsoft blamed it on your antivirus, saying it isn’t compatible with the patch:

“During our testing process, we uncovered that some third-party applications have been making unsupported calls into Windows kernel memory that cause stop errors (also known as bluescreen errors) to occur.”

These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot. To help prevent stop errors caused by incompatible anti-virus applications, Microsoft is only offering the Windows security updates released on January 3, 2018 to devices running anti-virus software from partners who have confirmed their software is compatible with the January 2018 Windows operating system security update.

Microsoft did not mention which antivirus is or is not compatible, but it did suggest taking advantage of its own Windows Defender or Microsoft Security Essentials. The company warned, “If you have not been offered the security update, you may be running incompatible anti-virus software, and you should follow up with your software vendor.”

Patching will reportedly protect you, but expect a hit to performance.

Related:
SUBSCRIBE! Get the best of CSO delivered to your email inbox.