You know how sometimes you look at the weekend forecast on Thursday morning and you see that it will be sunny until early next week and then you look out the window to see it is pitch black and hailing?
My forecast was going to predict some OS updates that included the fixes for the OS side of the CPU vulnerabilities that were identified late last year. Then I saw the swarm of emails, posts, and alerts from internal and external sources telling me that Microsoft had released security updates late last night. My prediction was a little off. Some of it came in early.
Meltdown and Spectre
Microsoft released regular patches for Windows 10, Server 2016, IE, Edge and SQL Server, and security-only patches for Windows 7, Windows 8.1, Server 2008 and Server 2012. The updates resolve 32 unique 2018 CVEs plus three 2017 CVEs relating to the recent CPU vulnerabilities (CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754). More details on the advisory can be found here. Keep reading, as there is a pretty significant known issue with rolling out the updates!
A few things are noteworthy about the two CPU vulnerabilities, Meltdown and Spectre. Applying the OS updates alone is not enough. The OS changes mitigate Meltdown (CVE-2017-5754), but Spectre is going to be harder to close: variant 1 (CVE-2017-5753) has to be addressed in software, application by application, and variant 2 (CVE-2017-5715) also needs a CPU microcode update, which will arrive as firmware updates from your hardware vendors. Until that firmware is installed, the OS-side Spectre variant 2 mitigation is not active even with the patch in place. Apple and several Linux distributions have likewise shipped Meltdown fixes, but some updates are still pending; Apple, for instance, has patched macOS 10.13.2 but is still working on updates for earlier versions.
There are currently no detected exploits of these vulnerabilities in the wild, but plenty of proof-of-concept code has been published that demonstrates how to exploit them.
There are reports of BSODs and other crashes and conflicts when pushing the January 3rd OS update to systems.
Reports have come in on PatchManagement.org and other sources of crashes and blue screens on patched systems. The cause is a conflict between the update's kernel changes and installed antivirus software: before the update can be installed safely, your AV vendor must update its product and set a specific "allow" registry value that signals the product is compatible. Some AV vendors have already made updates available; others will lag into next week, and some have not yet responded with a fix or a tentative date. Our recommendation: test thoroughly before pushing out to production.
Microsoft is going to withhold the patch if the registry key described in their article is not present. Ivanti will follow a similar strategy to ensure systems are not negatively impacted. To get the update in place in a timely manner, confirm that your AV vendor (and any other security software) is compatible with the fix and make sure all systems have the updated definitions/fixes in place, so that the OS update is delivered without delay.
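The gating described above comes down to one registry value on each machine, so it is worth checking it across your estate before you release the update from WSUS or your patch tool. The following PowerShell is an added example written for this page; it is not code from the original post or from Ivanti. It assumes the compatibility flag Microsoft documented for the January 2018 updates (a REG_DWORD named cadca5fe-87d3-4b96-b7fb-a231484277cc with data 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat), and the host names at the bottom are placeholders.

```powershell
# Added example (editor-supplied, not from the original post or Ivanti).
# Assumption, per Microsoft's January 2018 guidance: the AV vendor's
# "compatible" flag is a REG_DWORD named
#   cadca5fe-87d3-4b96-b7fb-a231484277cc   with data 0
# under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat.
# When the value is absent, Windows Update / WSUS withholds the update.

function Test-JanuaryUpdateCompatFlag {
    # Reports whether this machine will be offered the January update.
    # Defaults are literal (not script variables) so the function can be
    # shipped to remote hosts with Invoke-Command unchanged.
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat',
        [string]$Name = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    )
    $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            FlagPresent = $false
            Data        = $null
            Verdict     = 'Flag missing: update withheld until the AV vendor sets it'
        }
    }
    $data = $prop.PSObject.Properties[$Name].Value
    if ($data -eq 0) {
        $verdict = 'Flag set: update will be offered'
    } else {
        $verdict = "Flag present but data is $data (expected 0): update withheld"
    }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        FlagPresent = $true
        Data        = $data
        Verdict     = $verdict
    }
}

function Set-JanuaryUpdateCompatFlag {
    # Sets the flag yourself. Only appropriate on hosts with no AV installed,
    # or where the vendor has confirmed compatibility but its updater does not
    # write the value. Setting it over an incompatible AV build is exactly
    # how you get the BSOD the post describes, hence the mandatory reason.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('NoAntivirusInstalled', 'VendorConfirmedCompatible')]
        [string]$Justification
    )
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $name = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set $name = 0 ($Justification)")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
    Test-JanuaryUpdateCompatFlag
}

function Get-MeltdownSpectreMitigationState {
    # After the update is installed: show whether the OS-side mitigations are
    # actually active, using Microsoft's SpeculationControl module
    # (Install-Module SpeculationControl). The BTI* (Spectre variant 2) fields
    # stay false until a microcode/firmware update is present, which is the
    # point made in the post above: the OS patch alone is not enough.
    if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
        Get-SpeculationControlSettings |
            Select-Object KVAShadowRequired, KVAShadowWindowsSupportPresent,
                          KVAShadowWindowsSupportEnabled, BTIHardwarePresent,
                          BTIWindowsSupportPresent, BTIWindowsSupportEnabled
    } else {
        Write-Warning 'SpeculationControl module not installed; run Install-Module SpeculationControl first.'
    }
}

# Usage: check a batch of hosts before releasing the update. Placeholder names.
$targets = @('srv-app-01', 'srv-app-02')
Invoke-Command -ComputerName $targets -ScriptBlock ${function:Test-JanuaryUpdateCompatFlag} |
    Format-Table Computer, FlagPresent, Data, Verdict -AutoSize
```

Hosts that come back with FlagPresent = false are the ones to hold back: either the AV vendor has not shipped its compatible build yet, or its updater has not run. Run Get-MeltdownSpectreMitigationState after the patch lands to confirm that the KVA shadow (Meltdown) mitigation is enabled and to see which machines are still waiting on firmware for the Spectre variant 2 side.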
Forecast for January 2018 Patch Tuesday
- Microsoft will release additional updates on Patch Tuesday for applications like Office and .NET.
- We can likely expect an update from Adobe for Flash Player (11 of the 12 Patch Tuesdays in 2017 had one).
- We have not seen an Adobe Reader update since November, so there is a possibility of one either this month or next.
- Oracle's quarterly Critical Patch Update (CPU) is due this month, but per their release cadence it falls on the 16th. Expect updates to the JDK, JRE and many other Oracle products.
- Mozilla released an update in early December, but given that they have confirmed that Meltdown/Spectre-style timing attacks can be carried out from web content, you should be on the lookout for the next Mozilla release.
- Chrome is likely due for an update. It has been a few weeks since we have seen one, and with the possibility of a Meltdown/Spectre exploit through the browser, they may need to release mitigations for those vulnerabilities as well.
- The Mozilla finding could mean an additional IE/Edge release will be needed in the future as well.