Update: Intel has reported that customers with certain CPUs are experiencing random reboots after applying firmware updates to patch this vulnerability. I can’t say this enough but TEST before rolling these out!
By now, you have likely heard about recently disclosed vulnerabilities called Spectre and Meltdown. If not, TechCrunch has a detailed article about them that will get you up to speed. The vulnerability affects most modern operating systems and processors. It also affects other systems such as iOS, MacOS, Android, Chrome, etc.
I have found that many IT people I talk with do not understand what needs to happen to address these vulnerabilities. I think this is (at least partly) because unlike many previous vulnerabilities, simply installing a Windows update does not fix the problem. The fix also requires registry keys to be set and firmware updates released by the hardware manufacturers to be applied.
After reviewing what needs to happen to protect enterprise systems, I have pulled together some information so you can protect yourself as well. While this is not an all-encompassing guide, it should point you to many of the resources needed to address the vulnerabilities. Rather than this blog post being extremely long and repetitive, you will find many linked items below to already created documentation that will be helpful in patching your systems.As with all updates, please test thoroughly before widely following any of these steps.
Patching Windows Operating Systems
Microsoft released an update on January 3rd that addresses the operating system portion of this vulnerability. If you have not already, you will want to deploy this update as soon as possible. If you are using automated deployment rules in Configuration Manager, the updates may already be included in your packages but don’t take my word for it, verify whether that is the case. The current KBs for these updates are listed below:
Special Considerations for SQL and A/V
Microsoft has published a separate article that applies specifically to SQL Server. The article covers specific scenarios, so check it out to see which apply to you if you are patching servers with SQL installed. NOTE: There are some exceptions not called out in this article for Configuration Manager SQL databases. Per Microsoft:
KB 4073225 outlines customer guidance for SQL Server, which is a critical part of any Configuration Manager system. Currently, we recommend following the SQL guidance for Configuration Manager site database servers, except the following suggested steps which may impact Configuration Manager functionality and performance. Do not perform the steps for these two categories at this time:
- Running SQL Server with CLR enabled (sp_configure ‘clr enabled’, 1)
- Using Linked Servers (sp_addlinkedserver)
You should also consider which antivirus vendor is being used on your machines. If you are using something like System Center Endpoint Protection there should be no extra steps required. If you are using another vendor, you may need to set an additional registry key to allow your system to see these updates.
Because there is a fairly lengthy list of known issues in the KBs listed above, as well as documented performance impacts to these updates, installing the patches alone does not enable the protections within the operating system. To enable the protections, 2 registry keys must be created. These registry keys are documented in guidance provided by Microsoft. Additionally, in the guidance, Microsoft has introduced a new PowerShell module to see the status of the vulnerability on your computer.
BIOS updates are being released for supported hardware and will need to be applied as soon as possible to patch the vulnerability. Below are links to the current status and information from some popular manufacturers . Be aware that if you are using BitLocker, you may be prompted for a BitLocker key after updating firmware. You should thoroughly test, and if necessary disable BitLocker prior to the update, then re-enable immediately after.
Finally, below are some links to additional information that goes into more detail and answers many questions you may run into.