MS-DEFCON 2: Batten down the hatches, there’s a kernel patch headed your way

    UPDATE: 4:00 am ET: @teroalhonen just noted that Yammer is down. The reason given:

    After reviewing the logs, we determined that recent maintenance is causing a portion of cloud network infrastructure to be in a degraded state. We’re reconnecting users to a healthy portion of infrastructure to mitigate the impact while we address the cause.

    Does “recent maintenance” encompass deployment of the Meltdown patches? That does not bode well.

    UPDATE 3:00 am ET: The Meltdown fix is being pushed out via Windows Update, but many people haven’t seen it yet. I haven’t seen either the 1709 or the 1703 update coming down the chute.

    We now have patches — both Monthly Updates and Security-only Updates — for a wide array of Windows versions, from Win7 onward. See the Update Catalog for details. (Thx, @Crysta). Note that the patches are listed with a “Last Updated” date of Jan. 4, not Jan. 3. The Win7 and 8.1 patches are Security Only (the kind you have to install manually). It looks like the Monthly Rollups will come out next week.

    BUT… you won’t get any patches installed unless and until your antivirus software sets a specific registry key. If you’re running third party antivirus, it has to be updated before the Meltdown patch installer will run. It looks like there are known problems with bluescreens for some AV products.

    There are also cumulative updates for Internet Explorer 11 in various versions of Win7 and 8.1 listed in the Update Catalog. The fixes for Win10, and for Edge, are inside the respective Win10 cumulative updates. Microsoft has also released fixes for SQL Server 2016 and 2017.

    Note that the Windows Server patches are NOT enabled by default. Those of you who want to turn on Meltdown protection have to change the registry. (Thx @GossiTheDog)
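The two registry conditions mentioned above (the antivirus compatibility flag that gates delivery of the patch, and the server-side switch that turns the mitigation on) can be checked from an elevated PowerShell prompt. This script is an added example, not from the post; the key paths and value names are not on this page but are the ones Microsoft documented in its January 2018 guidance, so verify them against the advisory before relying on the output.

```powershell
# Added example: report the Meltdown patch-gating and enablement state of this machine.
# Registry locations are taken from Microsoft's January 2018 guidance, not from the post.

function Get-MeltdownPatchState {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. AV compatibility flag. Windows Update offers the January 2018 fix only when an
    #    antivirus product (or an admin, after confirming the AV is compatible) has set
    #    this QualityCompat value to REG_DWORD 0.
    $compatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $compatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    $compat = Get-ItemProperty -Path $compatKey -Name $compatName -ErrorAction SilentlyContinue
    $result.AVCompatFlagSet = ($null -ne $compat -and $compat.$compatName -eq 0)

    # 2. Mitigation enablement. On Windows Server the fix installs disabled; enabling it
    #    requires FeatureSettingsOverride = 0 and FeatureSettingsOverrideMask = 3.
    #    Client SKUs enable it by default, so these values are normally absent there.
    $mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $mm = Get-ItemProperty -Path $mmKey -ErrorAction SilentlyContinue
    $result.ServerMitigationEnabled = ($null -ne $mm -and
        $mm.FeatureSettingsOverride -eq 0 -and $mm.FeatureSettingsOverrideMask -eq 3)

    # 3. Server SKU? Win32_OperatingSystem.ProductType: 1 = workstation, 2 = DC, 3 = server.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $result.IsServer = ($os.ProductType -ne 1)

    [pscustomobject]$result
}

$state = Get-MeltdownPatchState
$state | Format-List

if (-not $state.AVCompatFlagSet) {
    Write-Warning 'QualityCompat flag not set: Windows Update will not offer the January 2018 fix until your AV vendor (or you) sets it.'
}
if ($state.IsServer -and -not $state.ServerMitigationEnabled) {
    Write-Warning 'Server SKU without FeatureSettingsOverride/Mask: the fix may be installed but the mitigation is inactive.'
}
```

These keys only show whether the patch is gated and whether the switch is on; they say nothing about whether the update or the firmware microcode is actually present, so treat the output as a first check rather than proof of protection.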

    Windows XP and Server 2003 don’t yet have patches.

    There’s an official Security Advisory, ADV180002. One sobering comment:

    In addition to installing the January 2018 Windows security updates, you may also need to install firmware updates from your device manufacturer for increased protection. Check with your device manufacturer for relevant updates.

    Which means you, as a Windows user, aren’t fully protected until you’ve installed the Windows patch, turned it on if you’re running Windows Server, and applied the latest firmware update. According to @teroalhonen, Dell, Microsoft and HPE have yet to push firmware patches.

    Microsoft has released official installation guidance for Windows Server, for non-server versions of Windows, and also for Edge and IE. Mozilla has posted its analysis for Firefox. Chromium also has details for Chrome, which should be patched later this month.

    There’s a great deal of knowledgeable speculation that Meltdown may not be fully fixed, even with firmware updates. It may require completely new processors. Expect that debate to continue for the next decade.

    We’re likely to see exploits published in fairly short order, but as of this writing, there are NO known in-the-wild exploits that take advantage of the Meltdown holes.

    It would be a very good idea to make sure that your Windows machine has auto update turned off. Kernel changes are always, always tricky. Far better to sit and wait for a few hours, or even a day or two, than to get blindsided by a bad kernel patch.

    It’s happened before. Many times.

    UPDATE: There appears to be a working exploit, purportedly on a Mac, from Michael Schwarz. “we are publishing demo code as soon as patches are available, so I guess next week.”

    I’m moving us to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.