Meltdown and Spectre
Update (May 4, 2018)
Microsoft recently released microcode updates which can be applied to Windows 10 and Windows Server computers. If the hardware vendor is unresponsive or the computer is too old to receive the BIOS update, this patch can mitigate the Spectre 2 vulnerability.
The Microsoft-supplied microcode update:
- Must be obtained and installed manually. It is not available through Windows Update.
- Is not expected to have an adverse impact even if a BIOS update to mitigate Spectre 2 has already been applied.
- Offers a benefit in large, managed environments, because it is likely easier to distribute this update via configuration management channels than to manage a large number of BIOS updates.
- DOES NOT permanently patch the computer. This is a runtime fix. If the OS is reinstalled, this update must be reapplied, which would not be the case if a BIOS update is applied instead.
More information and relevant links can be found here:
Information security researchers have found two major security vulnerabilities, dubbed “Meltdown” and “Spectre,” that affect the processing chips in almost every computer made in the last 20 years (including mobile phones, embedded devices, cloud computers, etc.).
These vulnerabilities could allow attackers to steal data, including passwords and other information previously thought to be inaccessible, from almost all types of computers and devices. The Meltdown vulnerability affects only Intel processors, whereas the Spectre vulnerability affects Intel, AMD, and ARM processors.
What to do
This is a complex security issue as it impacts multiple layers of computing. The firmware, operating system, web browsers, and antivirus software on devices all need to be patched. In general, users will need to:
- Apply available web browser updates.
- Verify that you are running a supported antivirus (AV) program before you install your OS or firmware updates. Please check with your AV software vendor for compatibility information. Sophos users can visit https://community.sophos.com/kb/en-us/128060 for more information.
- Apply all available OS updates.
- Apply the applicable firmware update provided by the device manufacturer.
The tables below indicate the latest information we have on patches related to the most common configurations on campus. We will post updates as they become available.
| Operating system | Version | Patch available | Notes |
|---|---|---|---|
| Windows (except for AMD-based devices) | 10, 8.1, 7 | yes | Patch only works with compatible antivirus software |
| Windows AMD-based devices | | on hold | More info: |
| Mac OS X | High Sierra | yes | |
| Linux | | possible | Check details for your distribution |
| Android | | depends | Check with your cellular provider |
| | 63 | yes | More info linked in References below |

| Browser | Patch status | Notes |
|---|---|---|
| IE 11 | available | Included with Windows updates |
| Edge | available | Included with Windows updates |
| Safari v 11.0.3 | available | Included in v 11.0.3 |
| Firefox v 57.0.4 | available | Included in v 57.0.4 |
| Chrome v 64 | available | Included in v 64 |
Check with your computer’s manufacturer for information related to the availability of firmware updates.
References
Meltdown and Spectre reference page published by researchers at Graz University
Chromebooks, Meltdown, and Spectre: Most Are Already Patched (blog post)
Google’s Mitigations Against CPU Speculative Execution Attack Methods
Apple OS security updates
Safari 11.0.3 update