This month’s Patch Tuesday is one of the most interesting in a while. Not just because the patches Microsoft was preparing for release today came a week early, but also because of the potential issues these patches might cause.
Patch Tuesday came early this month on January 3rd because details of several serious processor vulnerabilities were leaked. Cumulative updates were released for Windows 10, Windows Server 2016, Internet Explorer, Edge, and SQL Server. Security-only patches were released for Windows 7, Windows 8.1, Windows Server 2008 R2, and Windows Server 2012 R2. The Windows 10 updates include fixes for 35 CVEs, three of which are for 2017 CVEs relating to the speculative execution side-channel processor vulnerabilities.
CVE-2017-5753 – Spectre Bounds check bypass
CVE-2017-5715 – Spectre Branch target injection
CVE-2017-5754 – Meltdown Rogue data cache load
For more details on the vulnerabilities, see Intel Misled Industry on Security Vulnerabilities on Thurrott.com.
Here is a complete list of the updates released on January 3rd that address the three speculative execution side-channel vulnerabilities. Full information about each patch and the fixes included are contained in the link for each KB article.
Windows 10 Knowledge Base Articles
Windows 10 version 1709 KB4056892 (Cumulative)
Windows 10 version 1703 KB4056891 (Cumulative)
Windows 10 version 1607 and Server 2016 KB4056890 (Cumulative but only one fix)
Windows 10 version 1511 LTSC KB4056888 (Cumulative but only one fix)
Windows 10 version 1507 LTSB KB4056893 (Cumulative with an extra fix for a Smart Card memory spike issue)
Other Supported Operating Systems
Windows 8.1 and Windows Server 2012 R2 KB4056898 (Security only CPU fix, manual download)
Windows Server 2008 R2 Service Pack 1, Windows Server 2012 R2, and Windows Server 2016 are patched against all three speculative execution side-channel vulnerabilities. Windows Server 2008 and 2012 have not been patched but Microsoft has said that patches should be made available soon. For more information on when Windows Server 2008 SP2 and Windows Server 2012 will be patched, check Microsoft’s website here. The patch for CVE-2017-5754 is only supported on 64-bit systems at this time.
CVE-2017-5715 requires new firmware with updated microcode for the processor. You should contact your device manufacturer to see if an update has been issued. Browsers also need to be hardened, so if you are not using Internet Explorer or Microsoft Edge, make sure you check that your browser is up-to-date. At the time of writing, Google is yet to patch Chrome.
PowerShell Speculation Control Module
If you want to check whether your systems are fully patched against CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754, including a microcode update for the processor, you can the SpeculationControl PowerShell module on Windows 10 as shown below:
$SaveExecutionPolicy = Get-ExecutionPolicy
Set-ExecutionPolicy RemoteSigned -Scope Currentuser
Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser
For earlier versions of Windows and the Windows Management Framework (WMF), you can download the SpeculationControl module from Microsoft’s website here. Unzip the downloaded file to the working directory before and then use Import-Module to import the module.
AV Software Compatibility
Not all antivirus software is compatible with the patch and Microsoft suggests that you check that your AV software vendor has set ALLOW REG in the registry. The QualityCompat registry key should be set by the AV vendor as shown in the screenshot below. If not, Windows will not install the patch.
Kevin Beaumor is keeping a list of AV software that’s been updated for compatibility with the patch here.
On the back reports that users with some AMD processors cannot boot Windows after applying the patch, Microsoft pulled the updates released January 4th for AMD processors. Users experienced blue screen errors 0x000000C4 and 0x800F0845 and couldn’t restore their devices via the usual methods. Microsoft has blamed AMD for not conforming ‘to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown.’
There were initial worries that some workloads could see a slowdown of up to 30 percent but initial performance testing was carried out on Linux. Microsoft has since provided more information on the potential performance impact and as you might expect, the patches affect performance more on older processors. For more information on the potential performance impact, see Microsoft Outlines Performance Impacts of Meltdown and Spectre Patching on Petri.
Windows Server 2008 and Windows Server 2012
Despite the missing patches for the three speculative execution side-channel vulnerabilities, Microsoft did release security updates for these operating systems on January 3rd. Windows Server 2012 gets a monthly rollup – KB4056899 and Windows Server 2008 six individual patches: KB4056613, KB4056615, KB4056759, KB4056941, KB4056942, and KB4056944.
Other Fixes for Windows 10
The cumulative updates for Windows 10 version 1703 and 1709 include fixes for the following products:
- Internet Explorer
- Microsoft Edge
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- SQL Server
- .NET Framework
- .NET Core
- ASP.NET Core
- Adobe Flash
Actual Patch Tuesday
Finally, I get to what Microsoft released recently. As expected, Microsoft issued patches for .NET Framework and .NET Core. These patches were already part of the cumulative updates made available for Windows 10 on January 3rd but are now available for all supported versions of Windows. These updates resolve a vulnerability where .NET Framework and .NET Core fail to validate certificates. Before applying the update, make sure certificates are set up correctly with EKU OID attributes. For more information, see KB4055269.
Updates for Microsoft Office 2007, 2010, 2013, and 2016 are also available. The updates resolve 4 CVEs: CVE-2018-0793, CVE-2018-0794, CVE-2018-0797, and CVE-2018-0798, which include three remote code vulnerabilities and two memory corruption vulnerabilities.