General Background

You may have read or heard news reports about important security vulnerabilities relating to ‘computer chips’, or CPUs. Security flaws have been found in several CPUs which could allow malicious people to steal data from your device’s memory, or steal passwords and data from running programs while you use them. Almost all devices worldwide are affected: desktops, laptops, phones and tablets running Microsoft Windows, MacOS, iOS, Android, Chrome and Linux. Security patches have already been released for some operating systems, but not yet for others. More technical information, which could be important for your IT staff, is available below. If you need any assistance with anything discussed in this article whatsoever, please don’t hesitate to contact Wave 9 for assistance or advice.

Technical Background

These vulnerabilities are referred to by the codenames ‘Spectre’ and ‘Meltdown’: ‘Spectre’ affects Intel, Arm and AMD chipsets, and ‘Meltdown’ affects only Intel chipsets. Between them, almost all desktop PCs, laptops, Macs, phones and tablet devices, running Operating Systems including Windows, Linux, iOS, MacOS, Android and Chrome, will be affected in some way. As of yet, there have been no reports that anyone, anywhere in the world, has been affected by either of these two security vulnerabilities. It is therefore extremely unlikely that this issue will directly affect you today, but it is very important to understand what is required so that you have the correct security measures in place to protect your devices in the coming days/weeks.

All software vendors (Microsoft, Google, Apple…) have been aware of this issue for a while, and they have been working on software patches to resolve it via the usual software update channels. However, as this news has broken a little prematurely (03/01 instead of 08/01), some patches are still to be released. You should, therefore, keep yourself informed about updates for your particular Operating System during the coming days, to ensure that you are fully up to date on anything which may affect you. Unfortunately, because of the way the vulnerability needs to be addressed, these security patches may come with a decrease in performance for your devices. Early reports suggest that this performance decrease may be between 3% and 30% on some devices, with older devices affected more as they have slower chipset architecture. Dedicated database applications may also be directly affected, because the security updates change the way in which code is executed.

It is therefore extremely important that you test your security patches where you can, on all different types of hardware and dedicated software platforms, before performing any kind of rollout.

The specific vulnerabilities that you should be aware of are as follows:

CVE-2017-5715 (branch target injection)

CVE-2017-5753 (bounds check bypass)

CVE-2017-5754 (rogue data cache load)

In addition to the security patches provided by your software manufacturer, you may need to update the hardware firmware on your clients, servers and devices to a version that includes fixes for these vulnerabilities. Please see your hardware manufacturer’s website for your specific hardware firmware update(s) when they become available, and follow your existing security compliance procedures for your devices to ensure they meet your standards.

Regarding servers, please note that the software patches in the KB articles may not address the fault entirely. You may also need to add specific registry entries in order to enable the protections against speculative execution side-channel vulnerabilities on your server hardware. These registry entries are detailed on Microsoft’s announcement page (see the links in this article), under the title “Enabling protections on server”. Once they are applied, you will need to test for any adverse performance issues and address them accordingly.

Microsoft has released a PowerShell script to display your status once your patches are applied and registry entries are included.  Please see the same article, under the section “Verifying protections are enabled”.

If you use any third party anti-virus software, please check with your vendor before applying any patches as they may affect your environment.

Apple

As of yet, there has been no announcement by Apple. However, reports indicate that High Sierra apparently contains fixes for this particular issue, and that other patches are yet to be announced.

Please see your Apple news channels for updates.

Linux

Some distros have released patches (Red Hat); others have not yet (Ubuntu).

Please see your specific vendor for security update news.

Google/Android

Google have released the following statement:

https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html

Affected Google products and their suggested remediation(s):

https://support.google.com/faqs/answer/7622138

Microsoft

Microsoft have released the following statement:

https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution-s

They have also released a statement on Azure:

https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/

 

Specific Microsoft Operating System patches

Windows 7 SP1 and Windows Server 2008 R2:

4056897 January 3, 2018—KB4056897 (Security-only update)

2018-01 Security Only Quality Update for Windows Server 2008 R2 (KB4056897)

https://support.microsoft.com/?id=4056897

 

Windows 8.1 and Windows Server 2012 R2:

January 3, 2018—KB4056898 (Security-only update)

2018-01 Security Only Quality Update for Windows Server 2012 R2 (KB4056898)

https://support.microsoft.com/?id=4056898

 

Windows 10 1709 and Windows Server 1709:

4056892 January 3, 2018—KB4056892 (OS Build 16299.192)

2018-01 Update for Windows 10 Version 1709 (KB4058702)

https://support.microsoft.com/?id=4056892

 

Windows 10 1703 and Windows Server 1703:

4056891 January 3, 2018—KB4056891 (OS Build 15063.850)

https://support.microsoft.com/?id=4056891

 

Windows 10 version 1607 and Windows Server 2016:

4056890 January 3, 2018—KB4056890 (OS Build 14393.2007)

https://support.microsoft.com/?id=4056890

 

Windows 10 version 1511:

4056888 January 3, 2018—KB4056888 (OS Build 10586.1356)

2018-01 Cumulative Update for Windows 10 Version 1511 (KB4056888)

https://support.microsoft.com/?id=4056888

 

Windows 10 version 1507:

4056893 January 3, 2018—KB4056893 (OS Build 10240.17738)

2018-01 Cumulative Update for Windows 10 Version 1507 (KB4056893)

https://support.microsoft.com/?id=4056893

 

Remember: the Microsoft updates will not install until your AV vendor pushes out a software update that sets a registry key.

https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released

https://community.sophos.com/kb/en-us/128053

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

The Microsoft article advises you to contact your Anti-Virus vendor to confirm that their software is compatible with the patch and that it sets the specific registry key.

Sophos is currently testing this patch and registry key, with initial results showing no compatibility issues. Customers wishing to apply the patch can set the registry key manually, however, due to our ongoing testing there is currently no guarantee the Microsoft patch will not have unexpected side effects.
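A read-only audit of the two registry dependencies described in this article (the anti-virus compatibility key and the “Enabling protections on server” entries), together with the KB updates listed above. This is an added example, not a script from Microsoft, Sophos or Wave 9. The registry paths and values are assumptions taken from Microsoft's published guidance rather than from this page, so confirm them against the linked Microsoft articles; the function names are hypothetical.

```powershell
# Added example: reads state only, changes nothing on the host.
# KB numbers are the ones listed in this article.
$PageKbs = 'KB4056897','KB4056898','KB4056892','KB4056891',
           'KB4056890','KB4056888','KB4056893'

# Assumption: registry locations as given in the Microsoft articles linked
# above. Confirm names and values there before relying on this check.
$AvKeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$AvValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$MmPath      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-PatchReadiness {
    # Which of the article's updates does this host report as installed?
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $PageKbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)

    $av       = Get-RegValue $AvKeyPath $AvValueName
    $override = Get-RegValue $MmPath 'FeatureSettingsOverride'
    $mask     = Get-RegValue $MmPath 'FeatureSettingsOverrideMask'

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        InstalledKbs        = $installed -join ','
        # The update is only offered once the AV product has set this value.
        AvCompatKeySet      = ($null -ne $av -and $av -eq 0)
        ServerOverride      = $override
        ServerOverrideMask  = $mask
        # Both server entries must be present with the documented values.
        ServerProtectionsOn = ($override -eq 0 -and $mask -eq 3)
    }
}

$result = Get-PatchReadiness
$result | Format-List
if (-not $result.AvCompatKeySet) {
    Write-Warning 'AV compatibility value not set: check with your AV vendor before patching.'
}
```

Get-HotFix stops listing an update once a later cumulative update has superseded it, so an empty InstalledKbs on a machine patched afterwards is not evidence that it is unpatched. This check complements, and does not replace, the Microsoft verification script mentioned under “Verifying protections are enabled”.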

If you need assistance with anything mentioned in this article, please don’t hesitate to contact Wave 9 for assistance.

Best wishes,