Check if you are at risk: a summary of information on security updates to protect against Spectre and Meltdown attacks

We have been closely monitoring information on the Spectre and Meltdown vulnerabilities for three days. In this article, we will try to summarize information about the security updates that have been made available by vendors of operating systems and of the most sensitive applications, in particular browsers.

Confusion over antivirus software

Let's start with the most important thing: security software, which should be updated first. Why? It is not known whose fault it is, but Microsoft claims that during testing it detected several antivirus programs that caused blue screens of death after the software-level patch for the Spectre and Meltdown vulnerabilities was installed.

See this link for a detailed document showing the progress antivirus manufacturers have made in adapting to the update prepared by Microsoft. Some of them have already implemented improvements to their solutions, some will do so in the next few days, and some will not do it for technical reasons.

At the time of writing, the document containing the table of Microsoft's partners was last updated on January 5, 2018 at 13.00 GMT, which is 14.00 GMT+1.

We recommend that you manually force the update of signature databases and antivirus files before installing the update from Windows Update.

Microsoft has recommended that all manufacturers, in the next update of their products, create a special key in the registry. The key guards against installing Windows updates that could cause a blue screen of death. If the key is not present in the system and an antivirus program is installed but has not been updated, the patch will not be installed through Windows Update. It is not known, however, how long this state will be maintained.

The key can be added manually:

Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat, create a new entry named cadca5fe-87d3-4b96-b7fb-a231484277cc of type REG_DWORD and set its value to 0x00000000.

We do not recommend that non-technical users add the key. It is better to wait for the manufacturer's official steps, or to contact technical support in advance and request information on this matter. If your AV provider does not plan such an update, you can add the key simply by downloading and running this ready-made registry file.
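A read-only way to see which state a machine is in, as an added example that is not part of the original article: it checks the compatibility entry described above and whether the Windows 10 patch named in the next section (KB4056892) is already installed. The function name Test-AvCompatFlag and the messages are assumptions made for this illustration.

```powershell
# Added example: read-only check of the antivirus compatibility flag and the patch.
$QualityCompat = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$FlagName      = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$PatchId       = 'KB4056892'   # Windows 10 / Windows Server 2016 patch named in the article

function Test-AvCompatFlag {
    # Hypothetical helper: $true only when the entry exists, is a REG_DWORD and equals 0.
    param([string]$Path = $QualityCompat, [string]$Name = $FlagName)

    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $key = Get-Item -LiteralPath $Path
    if ($key.GetValueNames() -notcontains $Name) { return $false }

    $kind  = $key.GetValueKind($Name)
    $value = $key.GetValue($Name)
    return ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and ($value -eq 0)
}

$flagSet   = Test-AvCompatFlag
$installed = [bool](Get-HotFix -Id $PatchId -ErrorAction SilentlyContinue)

if ($installed) {
    "$PatchId is installed."
}
elseif ($flagSet) {
    "Compatibility flag is set; $PatchId can be delivered by Windows Update but is not installed yet."
}
else {
    "Compatibility flag is missing or malformed; Windows Update will not install the patch. Update the antivirus first."
}
```

The script changes nothing on the system, so it can be run before deciding whether to wait for the antivirus vendor or to add the entry by hand.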

Microsoft Windows, Internet Explorer and Edge

Microsoft has prepared the patch KB4056892 (Windows 10 and Windows Server 2016), which is gradually reaching users' computers. It has not reached all of them yet, so you have to be patient.

In Windows 10, we check the installed updates in Windows Update > View the history of installed updates.

Cumulative updates for Windows 7 SP1 and 8.1, and for Windows Server 2008 R2 and newer, can already be downloaded and installed manually, or we can wait until the second Tuesday of the month (Patch Tuesday) and install them using Windows Update. We look for information about the update in Control Panel > Programs > View installed updates.

Internet Explorer 11 and Edge have received the KB4056890 patch in Windows 10.

Firefox 57.0.4

Firefox version 57.0.4 is partially immune to the attack. Mozilla plans to add protections in subsequent versions that will completely protect users from malicious scripts that steal data from cache memory. Luke Wagner from Mozilla claims that in Firefox it is not possible to use similar techniques using internet content to read private information. The whole range of similar attacks is being analyzed, and relevant updates are being created in collaboration with researchers and other browser providers.

The devil is not as scary as he is painted. For confidential information to be stolen from a computer through a drive-by download attack, i.e. one where the user is infected automatically after visiting a malicious page (called a "landing page" in drive-by download attacks), the browser sandbox must be breached so that the attacker can read, for example, saved passwords from the address space of another browser process.

The attack can also be carried out using a binary file - an exploit that must be run by the user, i.e. like any other malware.

We have demonstrated exactly how drive-by download attacks work in our test of protection against these techniques, which are used by cybercriminals. Users of reputable security products should not worry too much about them, as most antivirus manufacturers handle them well. Details, of course, are in a PDF report.

Google Chrome

Google did not wait until January 23 (the release date of the new version, Chrome 64) and published brief instructions for isolating the memory of each open tab. If you do not want to wait for the new version, you can paste this address into the address bar now: chrome://flags/#enable-site-per-process and activate this function.

Linux, Apple, Android and the rest

Patches for the vulnerabilities CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754 have already been received by some Linux systems with kernels 4.14, 4.9, 4.4, 3.16, 3.18 and 3.12 LTS, as well as by Android and iOS 11.2, macOS 10.13.2 and tvOS 11.2.

The VMware hypervisors, Citrix XenServer, Red Hat Enterprise Virtualization, QEMU and Xen have already been updated.

For more technical details, including chip providers and cloud services, please visit here.

How to protect yourself?

For both vulnerabilities, appropriate updates for the modules that protect against intruders (IPS, Intrusion Prevention System) will reach, or have already reached, the software that protects company and home computers. For malicious code to do anything at all, it has to be run. So we are dealing with malicious software that someone has to write and someone else has to run. For this reason, security updates and, above all, security software are still the best protection.

More light on the "security" aspect of Spectre and Meltdown is shed by Check Point experts, who have had many successes in the fight against cybercrime and APT attacks:

In their opinion, the vulnerability that was revealed in the Intel chipset clearly shows that every part of our information systems can be at risk, even at the chip level. This is particularly worrying because more and more data is being transferred, processed and stored in the cloud, which may result in private data crossing the virtual machine boundary. As a result, the data of one client may become visible to another.

Within a few hours of becoming acquainted with this vulnerability, Check Point announced a mitigation of the problem of risk prevention at the CPU level, thus protecting users of their cyber security solutions against this type of attack. To date, Check Point has not seen the successful use of this vulnerability.

Some reports estimate that repairing the gap will cost a 30% decrease in CPU performance. Check Point believes that these estimates are overstated and that the actual operating cost will not exceed 2% of performance. The company also reports that the vulnerability did not affect any Check Point security gateways. As it turns out, Check Point may well be right, because the first performance tests clearly show that the performance drop announced by the vulnerability researchers could be somewhat overstated, and executing malicious code on the user's computer is not so easy, which does not mean it is impossible.

How to check if the system is secured?

Unofficially, you can use the SpecuCheck application, which is on GitHub (requires compilation). Officially, however, Microsoft recommends using a few simple commands in PowerShell, run with administrator privileges:

First we load the PowerShellGet module with the command:

Import-Module PowerShellGet

We install the module:

Install-Module SpeculationControl

PowerShell will warn you that the module is being installed from an untrusted repository. Confirm by pressing the "Y" key. We now issue the correct command:


In response, we get:

Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is enabled: False

Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: False
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID optimization is enabled: True

The ideal situation is when all values are True. If a "Hardware ..." value is False, nothing is lost yet. After the update is installed, the "Windows OS ..." values should change to True.
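The reading rule above, applied mechanically, as an added example that is not part of the original article or of Microsoft's module: it parses saved text output in the format shown above (for instance from the module's Get-SpeculationControlSettings cmdlet) and lists the settings that are still False. The function name Get-MitigationGap and the wording of the Action column are assumptions; the sample text is the output reproduced in this article.

```powershell
# Constructed sample: the output shown in the article, embedded as text.
$sample = @'
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is enabled: False

Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: False
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID optimization is enabled: True
'@

function Get-MitigationGap {
    # Hypothetical helper: one object per "name: True/False" line, tagged with its CVE.
    param([string]$Text)

    $cve = $null
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^Speculation control settings for (CVE-\d{4}-\d+)') {
            $cve = $Matches[1]          # remember which section we are in
        }
        elseif ($line -match '^(?<name>.+):\s*(?<state>True|False)\s*$') {
            $name = $Matches['name']
            $on   = $Matches['state'] -eq 'True'

            # Article's rule: "Windows OS ..." must become True after the update,
            # a False "Hardware ..." line is not yet a reason for alarm.
            if ($on)                           { $action = 'OK' }
            elseif ($name -like 'Windows OS*') { $action = 'Install the Windows update' }
            elseif ($name -like 'Hardware*')   { $action = 'Informational (hardware line)' }
            else                               { $action = 'Review' }

            [pscustomobject]@{ CVE = $cve; Setting = $name; Enabled = $on; Action = $action }
        }
    }
}

# Show only the settings that are still False.
Get-MitigationGap -Text $sample |
    Where-Object { -not $_.Enabled } |
    Format-Table -AutoSize -Wrap
```

For the sample above, the two "Windows OS support for branch target injection mitigation" lines are reported as needing the Windows update, and the two "Hardware" lines are listed as informational.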
