Patching Windows for Spectre and Meltdown: A complete guide

With newly disclosed Spectre and Meltdown variants, it’s time to review the risk they present to your Windows systems and the steps needed to patch them.


On May 21, 2018, Google Project Zero (GPZ), Microsoft and Intel disclosed two new Spectre- and Meltdown-related chip vulnerabilities: Speculative Store Bypass (SSB) and Rogue System Register Read. The customer risk from both disclosures is low. Then on June 13, 2018, Intel released a security advisory on the Lazy FP State Restore vulnerability, CVE-2018-3665, involving side channel speculative execution.

Spectre and Meltdown pointed out the need to proactively patch firmware. To recap why these vulnerabilities are dangerous, both can allow hackers to access data from a computer’s memory using side channels, circumventing protective mechanisms. Spectre and Meltdown impact AMD, ARM, Nvidia and Intel processors and prey on technologies designed to speed up computers.

Although there are no known exploits of the earlier or new Spectre and Meltdown vulnerabilities, each has the potential to expose sensitive data. Microsoft has previously released patches for Windows to mitigate the risk of earlier Spectre and Meltdown vulnerabilities, and it has recently added patches for the new vulnerabilities. Below is a summary of the Common Vulnerabilities and Exposures (CVEs) representing side channel vulnerabilities known at this time and advice on deploying Microsoft’s patches for them.

Spectre and Meltdown patch notes

The fixes to prevent these vulnerabilities include a software patch from Microsoft and a hardware BIOS or firmware update. If you do not have both pieces, you will not be fully protected. Also, be aware that many of these patches impact the performance of the machine. That’s why many of these updates are not enabled by default for server operating systems, and you need to manually enable the mitigation.

Many of the patches released in May and July are not enabled for desktop systems either. The patching administrator needs to determine whether you can accept the risk of not enabling these updates.

Remember that these vulnerabilities depend on malware running locally to successfully launch an exploit. Users and administrators need to practice good security hygiene by keeping their software up to date and avoiding suspicious links and downloads.

How to patch Microsoft Windows for Meltdown and Spectre
