Historically, even the most crippling security vulnerabilities can be patched in relatively straightforward fashion. After applying a security update, you’re no longer vulnerable to exploits based on that flaw.
That’s not true of the “speculative execution side-channel attacks” broadly identified as Meltdown and Spectre. Repairing these flaws requires a series of updates to hardware and software, as well as coordination with developers of security software, where incompatibilities between updates can cause crashes and possible data loss.
As a result, the process of protecting PCs from these potentially deadly attacks could take months, with a series of patches (and updates on top of updates) from multiple vendors.
In a series of announcements today, Microsoft detailed a handful of new tools it recently released as part of the ongoing fight against the Spectre and Meltdown threats.
As of February 13, Windows 10 releases on 32-bit (x86) platforms now have updates to address both vulnerabilities. Previous updates had covered only 64-bit versions of Windows 10.
Details and links to the Windows 10 updates are in the “Protect your Windows devices against Spectre and Meltdown” article, KB4073757.
In addition, Microsoft announced that it’s making available Intel microcode updates for the Windows 10 Fall Creators Update, version 1709. The initial release applies only to devices powered by specific 6th Generation Intel Core and Core m processors: Skylake H/S (CPUID 506E3), and Skylake U/Y and Skylake U23e (CPUID 406E3).
For now, this fix is only available through the Microsoft Update Catalog, KB4090007. Attempting to install the update on a device with an unsupported CPU results in an error message.
Although most devices will receive this class of updates via firmware provided by the device manufacturer, Microsoft says it will offer additional microcode updates from Intel through that KB article “as they become available to Microsoft.”
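To find out ahead of time whether a device falls under the initial KB4090007 release, its CPUID signature can be compared with the two values listed above. The PowerShell below is an added example, not Microsoft's code or part of the original article; the function name Test-MicrocodeEligibility and the sample ProcessorId strings are constructed, and it assumes Win32_Processor.ProcessorId holds CPUID leaf 1 EDX followed by EAX as 16 hex digits.

```powershell
# Added example: pre-check a CPU against the CPUID signatures the article
# lists for the initial KB4090007 release. Names and samples are constructed.
$SupportedSignatures = @{
    '506E3' = 'Skylake H/S'
    '406E3' = 'Skylake U/Y and Skylake U23e'
}

function Test-MicrocodeEligibility {
    param(
        # Assumed format of Win32_Processor.ProcessorId on x86/x64:
        # 16 hex digits, CPUID leaf 1 EDX followed by EAX (the signature).
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$ProcessorId
    )
    process {
        if ($ProcessorId -notmatch '^[0-9A-Fa-f]{16}$') {
            Write-Warning "Skipping unexpected ProcessorId '$ProcessorId'"
            return
        }
        $sig      = [Convert]::ToInt32($ProcessorId.Substring(8), 16)
        $stepping = $sig -band 0xF
        $model    = ($sig -shr 4) -band 0xF
        $family   = ($sig -shr 8) -band 0xF
        # Extended model applies to family 6 and 15, extended family to 15 only.
        if ($family -eq 6 -or $family -eq 15) {
            $model += (($sig -shr 16) -band 0xF) -shl 4
        }
        if ($family -eq 15) { $family += ($sig -shr 20) -band 0xFF }

        $hex = '{0:X}' -f $sig
        [pscustomobject]@{
            Signature = $hex
            Family    = $family
            Model     = '0x{0:X2}' -f $model
            Stepping  = $stepping
            Platform  = $SupportedSignatures[$hex]
            Eligible  = $SupportedSignatures.ContainsKey($hex)
        }
    }
}

# Constructed sample values: two listed Skylake signatures and one other CPU.
'BFEBFBFF000506E3', 'BFEBFBFF000406E3', 'BFEBFBFF000306C3' |
    Test-MicrocodeEligibility | Format-Table -AutoSize

# On a live machine:
# (Get-CimInstance Win32_Processor).ProcessorId | Test-MicrocodeEligibility
```

The table reflects only the signatures named for the initial release, so the lookup needs extending as further microcode updates are added to the KB article.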
The company also announced that it would continue its hard line on compatibility checks for antivirus software.
The vast majority of Windows devices now have compatible AV software installed, according to Microsoft. Nonetheless, the compatibility risks are still too high to abandon those checks:
The continued focus of our work with our AV partners and customers is to manage the risk of compatibility issues, especially those that result from AV software that makes unsupported calls into Windows kernel memory. Due to this potential risk, we require that AV software is up to date and compatible. We will continue to require that an AV compatibility check is made before delivering the latest Windows security updates via Windows Update, until we have a sufficient level of AV software compatibility. We recommend users check with their AV provider on compatibility of their installed AV software products.
For additional advice, see “Meltdown-Spectre: Four things every Windows admin needs to do now.”