The security world is spinning over the disclosure of two critical CPU vulnerabilities called Meltdown and Spectre.

The two vulnerabilities named Meltdown and Spectre are hardware bugs that can allow attackers to steal information from the memory of other programs.

This means that a malicious program can steal passwords, account information, encryption keys, or theoretically anything stored in the memory of a process.

Attention was originally focused on Intel chips, but ARM and AMD processors are also affected to some extent.

Meltdown is a CPU vulnerability that allows a user mode program to access privileged kernel-mode memory. It affects all out-of-order Intel processors released since 1995 with the exception of Itanium and pre-2013 Atoms. No AMD processors are affected by Meltdown.

Spectre isn't so much a specific vulnerability as a new class of attack. It's enabled by the unintended side effects of speculative execution (something processors do to speed things up by predicting what instructions they're about to receive and executing them ahead of time).

There are two flavors of Spectre: variant 1 (bounds check bypass, CVE-2017-5753) and variant 2 (branch target injection, CVE-2017-5715). Both can potentially allow attackers to extract information from other running processes (for example, stealing login cookies from browsers).

Intel, ARM, and AMD processors are all reportedly affected by Spectre to some degree, and it poses significant patching problems. While operating system and browser updates have helped mitigate the risk of Spectre to some degree, experts agree the only true fix is a hardware update. As such, Spectre is likely to remain an issue for years to come.  

Microsoft is releasing Windows updates addressing the Meltdown and Spectre vulnerabilities.

Fully addressing Spectre variant 2, branch target injection (CVE-2017-5715), also requires a firmware update.

Vendors have started to release information on how customers can protect themselves from Spectre or Meltdown and the status of their services.

Microsoft will only distribute the emergency update to users if a particular registry key has been set by the installed antivirus vendor.

As with the other operating systems, patches addressing Meltdown and Spectre are expected to take a not-insignificant toll on performance. The impact of these fixes can vary depending on the version of Windows running and the age of the machine:

Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems.


Microsoft has also advised Windows Server customers that they need to take the additional step of adding the following registry keys in order to enable patch protections.


Code:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f


If this is a Hyper-V host and the firmware updates have been applied: fully shut down all virtual machines (to enable the firmware-related mitigation for VMs, the firmware update must be applied on the host before the VM starts).

Restart the server for changes to take effect.
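A read-only check that the three values from the commands above are present with the expected type and data, useful before the restart or in a later audit. This is an added example, not Microsoft's verification script; the function name Test-MitigationValue and the status labels are names chosen for this example.

```powershell
# Added example: audits the values written by the three "reg add" commands above.
# Expected types and data are copied from those commands. Nothing is written.
$mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

$expected = @(
    @{ Path = $mm;   Name = 'FeatureSettingsOverride';            Kind = 'DWord';  Data = 0     },
    @{ Path = $mm;   Name = 'FeatureSettingsOverrideMask';        Kind = 'DWord';  Data = 3     },
    @{ Path = $virt; Name = 'MinVmVersionForCpuBasedMitigations'; Kind = 'String'; Data = '1.0' }
)

# Hypothetical helper: compares one registry value against its expected type and data.
function Test-MitigationValue {
    param([hashtable]$Item)
    $status = 'OK'; $actual = $null; $kind = $null
    try {
        $key = Get-Item -LiteralPath $Item.Path -ErrorAction Stop
        if ($key.GetValueNames() -notcontains $Item.Name) {
            $status = 'Missing'            # key exists, value was never created
        } else {
            $actual = $key.GetValue($Item.Name)
            $kind   = $key.GetValueKind($Item.Name)
            # A REG_SZ "0" where a REG_DWORD 0 is expected is reported as WrongType.
            if ("$kind" -ne $Item.Kind)     { $status = 'WrongType' }
            elseif ($actual -ne $Item.Data) { $status = 'Mismatch' }
        }
    } catch {
        $status = 'KeyNotFound'            # the parent key itself is absent
    }
    [pscustomobject]@{
        Value    = $Item.Name
        Expected = $Item.Data
        Actual   = $actual
        Type     = $kind
        Status   = $status
    }
}

$report = $expected | ForEach-Object { Test-MitigationValue $_ }
$report | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or configuration-management run flag the host.
$bad = @($report | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) { exit 1 }
```

A clean report only confirms the registry configuration; it says nothing about whether the Windows update or the firmware update is installed.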


Microsoft also notes that for Hyper-V hosts, live migration between patched and unpatched hosts may fail. The company also points to an alternative protection mechanism you can use on hosts that don't have updated firmware yet.


To help confirm whether updates have been implemented correctly, Microsoft has provided a PowerShell script that system administrators can run to test Meltdown and Spectre mitigations.


Intel started pulling its Spectre v2 microcode patches last week because they were causing “higher than expected reboots and other unpredictable system behavior” on users’ machines.

Microsoft pushed an unscheduled update to its Windows customers that will disable the patch that was supposed to mitigate the Spectre variant 2 (CVE-2017-5715, branch target injection) CPU flaw. In Microsoft’s testing, this new update should fix the reboot issues for users, but for the moment it also means that these users will remain vulnerable to Spectre v2.

The company added that so far there have been no reports of attacks exploiting the Spectre v2 CPU flaw, but it recommends that customers re-enable the mitigation when Intel reports that the rebooting issues have been solved for their particular devices.