Update: Intel has reported that customers with certain CPUs are experiencing random reboots after applying the firmware (microcode) updates released to patch this vulnerability. I can’t say this enough: TEST before rolling these out!
By now, you have likely heard about the recently disclosed vulnerabilities called Spectre and Meltdown. If not, TechCrunch has a detailed article about them that will get you up to speed. Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) are flaws in how modern processors speculatively execute instructions, so they affect most modern CPUs and every operating system that runs on them, including Windows, iOS, macOS, Android and Linux, as well as browsers such as Chrome, which need their own updates.
I have found that many IT people I talk with do not understand what needs to happen to address these vulnerabilities. I think this is (at least partly) because, unlike many previous vulnerabilities, simply installing a Windows update does not fix the problem. Full protection also requires registry keys to be set (on servers) and firmware updates released by the hardware manufacturers to be applied.
After reviewing what needs to happen to protect enterprise systems, I have pulled together some information so you can protect yourself as well. While this is not an all-encompassing guide, it should point you to many of the resources needed to address the vulnerabilities. Rather than making this blog post extremely long and repetitive, I have linked below to existing documentation that will be helpful in patching your systems. As with all updates, please test thoroughly before widely following any of these steps.
Patching Windows Operating Systems
Microsoft released updates on January 3rd, 2018 that address the operating system portion of these vulnerabilities. If you have not already, you will want to deploy them as soon as possible. If you are using automated deployment rules in Configuration Manager, the updates may already be included in your packages, but don’t take my word for it: verify whether that is the case. The current KBs for these updates are listed below:
Windows 10 v1709 – KB4056892
Windows 10 v1703 – KB4056891
Windows Server 2016 / Windows 10 v1607 – KB4056890
Windows 8.1/Server 2012 R2 – KB4056898 (security-only update; the January monthly rollup is KB4056895)
Windows 7 SP1/Server 2008 R2 – KB4056897 (security-only update; the January monthly rollup is KB4056894)
Special Considerations for SQL and A/V
Microsoft has published a separate article that applies specifically to SQL Server. The article covers specific scenarios, so check it out to see which apply to you if you are patching servers with SQL installed. NOTE: There are exceptions for Configuration Manager site database servers that the SQL article does not call out. Per Microsoft:
KB 4073225 outlines customer guidance for SQL Server, which is a critical part of any Configuration Manager system. Currently, we recommend following the SQL guidance for Configuration Manager site database servers, except the following suggested steps which may impact Configuration Manager functionality and performance. Do not perform the steps for these two categories at this time:
- Running SQL Server with CLR enabled (sp_configure ‘clr enabled’, 1)
- Using Linked Servers (sp_addlinkedserver)
You should also consider which antivirus vendor is being used on your machines. Microsoft made the January updates conditional on a compatibility flag in the registry (the QualityCompat key), because some antivirus products made unsupported calls into kernel memory and blue-screened after the patch. Windows Update, WSUS and Configuration Manager will not offer the updates to a machine until that flag exists. If you are using something like System Center Endpoint Protection, the vendor sets the flag for you and no extra steps are required. If you are using another vendor, check their guidance: you may need to set the registry key yourself before your systems will see these updates, but only once the vendor has confirmed their product is compatible.
Enabling Protections
On Windows client editions the January update enables the mitigations by default. On Windows Server they are installed but left disabled, because of the documented performance impact and the fairly lengthy list of known issues in the KBs listed above, so installing the patches alone does not protect a server. To enable the protections, two registry values must be created under the Memory Management key (FeatureSettingsOverride and FeatureSettingsOverrideMask), and Hyper-V hosts need a third (MinVmVersionForCpuBasedMitigations). These are documented in guidance provided by Microsoft. Additionally, in the same guidance, Microsoft has introduced a new PowerShell module, SpeculationControl, whose Get-SpeculationControlSettings cmdlet shows which mitigations are present and enabled on your computer; note that the branch target injection fields will not show as fully protected until the firmware update in the next section is also applied.
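As an added example (this is not code from the original post or from Microsoft), the script below ties the antivirus section and this one together: it audits the QualityCompat flag and the mitigation values, writes the mitigation values only when run with -Enable (honouring -WhatIf), and then reports the effective state through Microsoft's SpeculationControl module. The registry paths, value names and the Get-SpeculationControlSettings output fields come from Microsoft's guidance; the script structure, the -Enable switch and the Hyper-V detection via the vmms service are this example's own choices.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not code from the original post or from Microsoft.
  Audits (and with -Enable, sets) the registry values from Microsoft's
  Spectre/Meltdown guidance, then reports status via the SpeculationControl
  module (Install-Module SpeculationControl). Test in a lab before -Enable.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Enable   # audit only unless this switch is given
)

# Antivirus compatibility flag: Windows Update/WSUS withhold the January 2018
# updates until this value exists. Normally the AV vendor writes it.
$avKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$avValue = 'cadca5fe-0000-0000-0000-000000000000'

# Mitigation switches for Windows Server (client enables them by default).
# Override=0 with Mask=3 turns on both the branch target injection
# (CVE-2017-5715) and rogue data cache load (CVE-2017-5754) mitigations.
$mmKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$desired = [ordered]@{
    FeatureSettingsOverride     = 0
    FeatureSettingsOverrideMask = 3
}
# Assumption: the presence of the vmms service means this is a Hyper-V host.
$isHyperVHost = $null -ne (Get-Service -Name vmms -ErrorAction SilentlyContinue)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

# 1. Audit --------------------------------------------------------------------
if ($null -eq (Get-RegValue $avKey $avValue)) {
    Write-Warning 'QualityCompat flag absent: the January 2018 updates will not be offered.'
} else {
    Write-Host 'QualityCompat flag present.'
}
foreach ($name in $desired.Keys) {
    $cur   = Get-RegValue $mmKey $name
    $state = if ($cur -eq $desired[$name]) { 'OK' } else { 'NOT SET' }
    $shown = if ($null -eq $cur) { 'absent' } else { $cur }
    Write-Host ('{0,-28} current={1,-7} desired={2} [{3}]' -f $name, $shown, $desired[$name], $state)
}
if ($isHyperVHost) {
    $vm    = Get-RegValue $mmKey 'MinVmVersionForCpuBasedMitigations'
    $shown = if ($null -eq $vm) { 'absent' } else { $vm }
    Write-Host ('MinVmVersionForCpuBasedMitigations current={0} desired=1.0 (Hyper-V host)' -f $shown)
}

# 2. Enable (opt-in; supports -WhatIf) ----------------------------------------
if ($Enable) {
    foreach ($name in $desired.Keys) {
        if ($PSCmdlet.ShouldProcess("$mmKey\$name", "set DWORD $($desired[$name])")) {
            New-ItemProperty -Path $mmKey -Name $name -Value $desired[$name] `
                             -PropertyType DWord -Force | Out-Null
        }
    }
    if ($isHyperVHost -and
        $PSCmdlet.ShouldProcess("$mmKey\MinVmVersionForCpuBasedMitigations", 'set REG_SZ 1.0')) {
        New-ItemProperty -Path $mmKey -Name MinVmVersionForCpuBasedMitigations `
                         -Value '1.0' -PropertyType String -Force | Out-Null
    }
    Write-Host 'Values written; they take effect after a reboot.'
}

# 3. Report what the kernel actually applied ---------------------------------
# BTIHardwarePresent stays False until the firmware (microcode) update is in,
# so run this again after each step: OS patch, registry, firmware.
if (Get-Module -ListAvailable -Name SpeculationControl) {
    Import-Module SpeculationControl
    $s = Get-SpeculationControlSettings -Quiet   # -Quiet suppresses the module's narrative text
    [pscustomobject]@{
        'Firmware (BTI hardware) present' = $s.BTIHardwarePresent
        'OS support for BTI present'      = $s.BTIWindowsSupportPresent
        'BTI mitigation enabled'          = $s.BTIWindowsSupportEnabled
        'CPU needs KVA shadow (Meltdown)' = $s.KVAShadowRequired
        'KVA shadow enabled'              = $s.KVAShadowWindowsSupportEnabled
    } | Format-List
} else {
    Write-Warning 'SpeculationControl module missing: Install-Module SpeculationControl'
}
```

Run it once with no switches to see where a machine stands, then `.\Check-Mitigations.ps1 -Enable -WhatIf` to preview the registry writes before doing them for real. Expect "BTI mitigation enabled" to flip to True after the registry change plus a reboot, and "Firmware (BTI hardware) present" to stay False until the vendor firmware update has been applied.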
Updating Firmware
BIOS/UEFI firmware updates carrying the new CPU microcode are being released for supported hardware and will need to be applied as soon as possible; without them the operating system cannot fully enable the branch target injection (CVE-2017-5715) mitigation, even with the patch and registry keys in place. Below are links to the current status and information from some popular manufacturers. Be aware that if you are using BitLocker with TPM protectors, a firmware update changes the measurements the TPM checks at boot, so you may be prompted for a BitLocker recovery key after updating. Test thoroughly, and if necessary suspend BitLocker (rather than decrypting the drive) immediately before the update, then resume it as soon as the machine is back up.
Dell PCs
Dell Servers
Apple iOS 11.2.2 and macOS 10.13.2
IBM/Lenovo PCs and Servers
HP PCs
HP Servers
Cisco
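As an added example (not from the original post or any vendor's tooling), the script below wraps a firmware flash so that BitLocker is suspended for exactly one reboot instead of being disabled: the keys never leave the drive, the TPM protector is re-armed automatically after the next boot, and a failed flash resumes protection straight away. The updater path and its silent switch are placeholders for whatever your hardware vendor ships.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not code from the original post or from any vendor.
  Suspends BitLocker for one reboot around a firmware flash so the recovery
  key prompt is avoided. $Flasher and $FlasherArgs are placeholders.
#>
param(
    [string]$Flasher     = 'C:\Updates\vendor-bios-update.exe',  # hypothetical path
    [string[]]$FlasherArgs = @('/s'),                            # hypothetical silent switch
    [string]$Volume      = 'C:'
)

$bios = (Get-CimInstance -ClassName Win32_BIOS).SMBIOSBIOSVersion
$bl   = Get-BitLockerVolume -MountPoint $Volume
Write-Host "Before flash: BIOS=$bios  BitLocker ProtectionStatus=$($bl.ProtectionStatus)"

if (-not (Test-Path $Flasher)) { throw "Firmware updater not found: $Flasher" }

if ($bl.ProtectionStatus -eq 'On') {
    # Suspend, not disable: the volume stays encrypted, protectors are cleared for
    # one reboot only and come back on their own even if this script never resumes.
    Suspend-BitLocker -MountPoint $Volume -RebootCount 1 | Out-Null
    Write-Host 'BitLocker suspended for one reboot.'
}

$p = Start-Process -FilePath $Flasher -ArgumentList $FlasherArgs -Wait -PassThru
if ($p.ExitCode -ne 0) {
    # Flash failed: re-arm protectors now instead of leaving the volume suspended.
    Resume-BitLocker -MountPoint $Volume | Out-Null
    throw "Firmware updater exited with code $($p.ExitCode); BitLocker resumed, nothing flashed."
}

Write-Host 'Flash reported success; rebooting to apply the new firmware.'
Restart-Computer -Confirm
```

After the reboot, confirm `Get-BitLockerVolume` shows ProtectionStatus back to On and that `Get-SpeculationControlSettings` now reports BTIHardwarePresent as True; if the firmware version from Win32_BIOS has not changed, the updater did not actually flash and the vendor's logs are the next place to look.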
Additional Information
Finally, below are some links to additional information that go into more detail and answer many of the questions you may run into.
Additional guidance from Microsoft
Guidance specific to Configuration Manager Customers