Meltdown and Spectre: What Windows users need to know

[German]At the beginning of the year, a design flaw (Meltdown) in Intel’s processors went public. Later on a 2nd attack, called Spectre, affecting nearly all processor have become public. OS vendors begun to rollout patches, to mitigate these security issues. In this blog post, I summarize information that is relevant and important for Windows users.


Advertising

Some background information

Security researcher from Google Project Zero described (based on earlier documents from several university researchers) a design flaw in CPUs, allowing “speculative execution side-channel attacks”. Google’ Jann Horn, from Project Zero, was able to write an exploit to attack systems using two methods called Meltdown and Spectre. All internal details may be found within the Google document linked above. The vulnerabilities are described within the following CVEs:

These methods are using theoretical basics, which has been published in various research documents (e. g. from the University of Graz) under the following names.

  • Spectre (Variant 1 and 2): This breaks the isolation between different applications. It allows an attacker to read data from the memory, used by other programs. 
  • Meltdown (Variant 3): This breaks through the basic isolation between user applications and the operating system. This attack enables a program to access the kernel memory and the data of other programs and the operating system.

More details may be found at meltdownattack.com.

Meltdown/Spectre

Which CPUs are affected?

First, it was said that only Intel processors were affected (by Meltdown). Meanwhile, it has become clear that ARM CPUs and AMD processors are also vulnerable to Spectre design flaw. This means that other operating systems such as Android, Chrome, iOS, MacOS, Linux etc. are affected as well as Windows. Basically, it affects all processors that have been on the market since 1995 (see also).


Advertising

Browser are also affected!

Microsoft addresses ‘speculative execution side-channel’ attacks in Microsoft Edge and Internet Explorer within this document. Both browsers has been patched by update KB4056890 to mitigate this vulnerabilities.  The ability to successfully read memory using side channel attacks has been mitigated.

Users who use other browsers on Windows need to use updated version to mitigate the vulnerability. Mozilla developers, for example, have confirmed that an attack is even possible using JavaScript in the browser.

How risky are these vulnerabilities?

Microsoft wrote within this security advisory, that no attacks against these vulnerabilities have been reported so far. Such attacks, if they happen, leave no trace and cannot be detected by security software such as virus scanners. I have received contradictory information about the practical usability.

Microsoft has issued security recommendations for its users for client and server operating systems.

All documents addresses professional users and administrators. For consumers in short: Microsoft recommends updating the operating systems and browsers. The manufacturer has released appropriate updates for this purpose.

Which Updates are available from Microsoft?

Microsoft has released a couple of updates since Januar 3, 2018 sowohl Sicherheitsupdates für seine Browser Edge und Internet Explorer, als auch für die unterstützten Betriebssysteme freigegeben. Ich habe die Details in folgenden Blog-Beiträgen dokumentiert.

Critical Updates for Windows and Browser (01/03/2018)
Critical Security Updates for Windows 7/8.1/Server (01/03/2018)
Windows 10: Critical Updates (01/03/2018)
Windows 7/8.1: Updates KB4056894, KB4056895 released

These updates are distributed through Windows Update (or in companies via WSUS or SCCM).

I didn’t get updates, why?

The security updates for Windows as well as for the browsers Edge and Internet Explorer are distributed in waves via Windows Update (my guess). I haven’t received the updates from January 3, 2018 on my Windows 7 and Windows 10 machines. Microsoft monitors which hardware configuration creates major problems with the updates, allowing Microsoft to fix them.

There is another reason why Microsoft is holding back the update: If a third-party Internet Security Suite or virus scanner is installed and its manufacturer has not yet released the update for compatibility reasons. I noticed this and the mandatory registry entry in the Windows update articles listed above. In addition, Microsoft has published some information on the topic here.

Shall I install these updates manually?

Currently, there are numerous internet pages offering direct download links for the update packages. Updates can also be downloaded from the Microsoft Update Catalog. Installing such updates manually bears the risk, that the machine won’t boot anymore and stalls with blue screens. So I also recommend not to set the mandatory registry entry described within Microsoft’s KB articles. Only, if you are sure, that the machine is capable for this update and not anti virus software is able to set the registry entry, do it manually.

Does the update decrease performance?

Yes, but the value for performance decrease depend from the environment and the hardware. In many cases, user should not detect some degradation, because the value is between 1-5%. On data base application, the system may lost up to 30 or 50 % performance. Microsoft’s Windows VP, Terry Myserson, has published a blog post Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems with more details.

How to test, if my machine is vulnerable?

Microsoft has provided a PowerShell cmdlet for Windows that allows you to check whether actions need to be taken.

Speculation-Control-Settings in PowerShell abfragen

Here the commands I’ve used in Windows 10:

Set-ExecutionPolicy Bypass  Install-Module SpeculationControl
Get-SpeculationControlSettings

Microsoft has realeased a document, discussing this approach. PowerShell need to be executed with administrative credentials (Run as administrator). On my Windows 7 machines the commands failes. I guess, it’s necessary to update PowerShell and other components to the most recent version. Some details may be found at Bleeping Computer.

There are also two other tests, you may use, without PowerShell knowledge. Read my two blog posts:

Tool tip: Ashampo Spectre Meltdown CPU-Checker
Test: Is my browser vulnerable for Spectre attacks?

Similar articles
Microsoft releases Windows 10 Patch to fix Intel Bug
Critical Updates for Windows and Browser (01/03/2018)
Critical Security Updates for Windows 7/8.1/Server (01/03/2018)
Windows 10: Critical Updates (01/03/2018)
Windows 7/8.1: Updates KB4056894, KB4056895 released
Tool tip: Ashampo Spectre Meltdown CPU-Checker
Microsoft Patchday: Office, Flash, Windows (January 9, 2018)
How to mitigate Spectre in Google Chrome


Advertising
This entry was posted in Security, Windows and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *