Month: January 2018

An Easy Guide For How To Mitigate Spectre And Meltdown

Are you stuck trying to understand how to protect your devices or company against Spectre and Meltdown? Well, you are unfortunately not alone. This article should help clear things up.

Ever since the two vulnerabilities nicknamed Spectre and Meltdown, affecting multiple CPUs dating back to 1995, were leaked a few weeks back, vendors have been rushing to release patches and updates to mitigate the issue.

This initial flood of patches has not been smooth: there have been many incompatibility issues and a lot of general finger pointing and frustration. To help clear up some misconceptions, I’ve put the following guide together. It walks through the major updates to operating systems and browsers, explaining how they address Meltdown and/or Spectre, what they specifically don’t address, and any known compatibility or performance issues that have been reported.

Meltdown and Spectre – What are they?

Before we dive in, here’s a quick explanation of what Meltdown and Spectre are all about.

Meltdown (CVE-2017-5754)

Meltdown is a vulnerability affecting CPUs that allows a user program to read privileged kernel-mode memory. It affects all out-of-order execution Intel processors released since 1995, with Itanium and pre-2013 Atoms being the only exceptions. A list of vulnerable ARM processors and their mitigations is available here. No AMD processors are affected by Meltdown.

Out of the two vulnerabilities, Meltdown is the easier one to fix, and can most commonly be addressed by applying an Operating System update.

Spectre (CVE-2017-5753, CVE-2017-5715)

Spectre is better understood as a whole new class of attack rather than a single standard vulnerability. It is enabled by the unintended side effects of speculative execution, which is what processors do to achieve higher speeds: they guess what they will be asked next and start computing the likely results, so that when the request arrives the answer is hopefully already available, or at least already being worked on.

There are two different variants of Spectre — the first variant (bounds check bypass, CVE-2017-5753) and the second (branch target injection, CVE-2017-5715). Both variants can potentially allow attackers to obtain and extract information from other running processes (e.g. stealing login cookies from Internet Browsers).

AMD, ARM and Intel processors have all been reported vulnerable to Spectre to varying degrees, and this poses significant patching problems. While operating system and browser updates have helped mitigate the risk of Spectre to some degree, many experts agree the only true fix is new hardware. As such, Spectre is likely to remain an issue for many years to come.

Source: SANS / Rendition Infosec. See the full presentation here

It’s important to note that both vulnerabilities are for information disclosure. Neither vulnerability allows remote execution – in other words, they don’t allow attackers to run malware.


Operating System updates

Windows updates

Microsoft’s rollout of its Security Update to address Meltdown and Spectre has been a bit of a roller-coaster, tainted by incompatibility issues with anti-virus software and AMD processors. In some scenarios, deployment of the 2018-01 Security Update has had to be put on hold or restricted altogether.

More details and direct download links to the updates below:

  • Windows 10
  • Windows 8 and Windows Server 2012
  • Windows 7 and Windows Server 2008

What the Microsoft Patches address:

  • Spectre variant 1, bounds check bypass (CVE-2017-5753)
  • Meltdown, rogue data cache load (CVE-2017-5754)

The original Security Update did not provide the Meltdown mitigation for 32-bit (x86) versions of Windows. Microsoft’s advisory regarding 32-bit: “The 32-bit update packages listed in this advisory fully addressed CVE-2017-5753 and CVE-2017-5715, but did not provide protections for CVE-2017-5754 at this time.” Microsoft continued to work with the affected chip manufacturers and has now released an additional Security Update, KB4073291, to mitigate CVE-2017-5754 on 32-bit versions of Windows.

What they don’t address:

  • Currently the second variant of Spectre, branch target injection (CVE-2017-5715) – at present firmware updates are required to fully address Spectre variant 2.

Known issues:

  • Anti-virus compatibility: Microsoft is only offering the update to devices on which the installed anti-virus product (or an administrator) has set the following registry value:

    Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD" Data="0x00000000"

This resulted in a lot of initial confusion in the sector. The anti-virus companies all provided different updates, and some simply went silent, which did not help; some set the registry key for their customers while others asked users to set it themselves. The situation only gets more complicated considering that many organisations have more than one anti-virus solution to maintain.

If you use one of Microsoft’s own solutions, Microsoft has clarified that Windows Defender Antivirus, System Center Endpoint Protection, and Microsoft Security Essentials are all compatible with the update and that they do set the registry key.

This means that if you have one of those built-in Microsoft protections enabled, the registry key should be set automatically and no further manual action should be necessary. If you use a third-party anti-virus, however, one of two things happens. If Microsoft officially recognises the anti-virus software, Windows Defender and Microsoft Security Essentials should be turned off automatically, so your third-party anti-virus will need to be updated to a version that supports the patch. If Microsoft does not officially recognise your anti-virus, Windows Defender or Microsoft Security Essentials will set the registry key even though your third-party anti-virus may not support the update, which could mean blue screen issues.

Kevin Beaumont has created a spreadsheet to keep track of the anti-virus vendors and whether they set this key.


To manually add the registry key and obtain the update now, enter the following in a command prompt window (run as administrator) and then run Windows Update (this site does not accept any liability for any issues that could arise as a result and would recommend you contact Microsoft and your AV provider prior to doing this):

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" /v "cadca5fe-87d3-4b96-b7fb-a231484277cc" /t REG_DWORD /d "0x00000000" /f

  • AMD compatibility issues: As initially reported at The Verge, Microsoft had received numerous reports of PCs running AMD processors getting into a boot loop after installing the latest Windows security update. After some investigation, the company confirmed that there were issues and temporarily stopped delivering the update to AMD devices. If you are affected by the AMD incompatibility with the Windows Update, you will need to visit Microsoft’s support site for details on getting your machine(s) back up and running. Microsoft announced on 18 January that it will resume rolling out patches for AMD devices running Windows 7 SP1 and Windows Server 2008 R2 SP1, Windows 8.1 and Windows Server 2012 R2, and the latest version of Windows 10 (1709). Updates for four older versions of Windows 10 – 1511, 1607, and 1703 – are still on hold, as are updates for Windows Server 2016 and Windows 10 Enterprise.
  • Group or MDM policy configurations may be disabling updates: According to Microsoft, if you have Group or MDM policy settings configured to disable preview builds, your machines may not be receiving updates (see what those settings are here). To fix that, Microsoft recommends temporarily changing Group/MDM policy settings to “Not Configured” and changing them back once the updates have been installed.
  • Performance implications: As with the other operating systems, patches addressing Meltdown and Spectre are expected to cause a varied but mostly minor change in performance. In a blog post, Microsoft Executive VP Terry Myerson explained that the impact of the fixes can vary depending on factors such as the version of Windows running and the age of the machine:
    • Windows 10 on circa-2016 PCs with Skylake, Kaby Lake, or newer CPUs: single-digit slowdowns, which most users shouldn’t notice.
    • Windows 10 on circa-2015 PCs with Haswell or older CPUs: slowdown can be more noticeable. Some users may notice a decrease in performance.
    • Windows 8 or Windows 7 on circa-2015 PCs with Haswell or older CPUs: most users will likely notice a decrease in performance.
    • Windows Server (any CPU): mitigations to isolate code within a Windows Server instance result in a more significant performance impact, but as above it will very much depend on the workload and age of the hardware. According to Myerson, “This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance trade-off for your environment.”

Enabling protections for Windows Server

Microsoft has also advised Windows Server customers that they need to take the additional step of adding the following registry keys in order to enable patch protections.

To enable the fix:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f 

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f 

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f


If this is a Microsoft Hyper-V host and the firmware updates have been applied, you will need to fully shut down all virtual machines: the mitigation will not take effect until the VM’s next boot. When you restart the host, shut down all virtual machines first and then restart the host. Do not “Save” or “Pause” a VM across the reboot, since the VM has to boot from scratch for the mitigation to take effect.

To disable this fix:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f 

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f


Again you will need to fully restart the Hyper-V host and Virtual Machines for this change to take effect. (Note there is not any requirement to change MinVmVersionForCpuBasedMitigations to disable the mitigations.)

Microsoft also notes that for Hyper-V hosts, live migration between patched and un-patched hosts may fail. The company also points to an alternative protection mechanism you can use on hosts that don’t have updated firmware yet.

Additional guidance from Microsoft:

Verifying new Windows protections are enabled:

To help confirm whether updates have been implemented correctly Microsoft has provided a PowerShell script that system administrators can run to test Meltdown and Spectre mitigations.

The following command will install the PowerShell module:

PS > Install-Module SpeculationControl

Note: There are a couple of requirements for running this command. First, you’ll need to be running PowerShell with admin privileges and may need to adjust execution policy. Also, the Install-Module command was introduced to PowerShell in version 5.0. Most Windows 7 machines will not have this version, due to the upgrades being optional and unrelated to security. Any device with an older version of PowerShell can still run the “Get-SpeculationControlSettings” function, however, only as long as you obtain the contents of the script and run it ad-hoc.

Once installed, the following command will run the test to check your system:

PS > Get-SpeculationControlSettings

The output will look something like this:

Results for Spectre protections

The first group, “Speculation control settings for CVE-2017-5715 [branch target injection]”, refers to the protections in place for the Spectre vulnerability. If the value for “Windows OS support for branch target injection mitigation is present” is “True”, then the Windows Security Update has been successfully installed.

The other red text in that section confirms that more complete mitigation for Spectre requires firmware updates, which Intel has said it is in the process of rolling out. According to the company, updates for more than 90 percent of its processor products should be introduced by the end of next week.

Results for Meltdown protections

The second group, “Speculation control settings for CVE-2017-5754 [rogue data cache load]”, refers to the protections in place for the Meltdown vulnerability. If you see the following results and no red lines, then you have confirmed the Windows Security Update has been successfully implemented and the machine is protected:

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID optimization is enabled: True

Test results confirming successful mitigation of the Meltdown vulnerability

If you see any red lines in this section then that means the update has not been successfully applied. For more details on interpreting the PowerShell script output, Microsoft has a full results key here.
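To check a machine against the guidance above without changing anything, here is an added, read-only PowerShell audit script; it is not from the original post or from Microsoft. It reads the QualityCompat anti-virus compatibility value, the Windows Server FeatureSettingsOverride pair and the Hyper-V MinVmVersionForCpuBasedMitigations value, and cross-checks them with Get-SpeculationControlSettings when that module is installed. It assumes PowerShell 3.0 or later; the per-bit meaning of FeatureSettingsOverride and the module’s output property names are assumptions flagged in the comments.

```powershell
# Added example, not code from the original post or from Microsoft. Read-only audit of the
# registry settings this guide describes. Run from an elevated PowerShell (3.0 or later).

$QualityCompatPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$MemMgmtPath       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$VirtPath          = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is missing instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-MitigationRegistryState {
    $os       = Get-CimInstance Win32_OperatingSystem
    $isServer = $os.ProductType -ne 1   # 1 = workstation, 2 = domain controller, 3 = server
    $override = Get-RegValue $MemMgmtPath 'FeatureSettingsOverride'
    $mask     = Get-RegValue $MemMgmtPath 'FeatureSettingsOverrideMask'
    $qcFlag   = Get-RegValue $QualityCompatPath $QualityCompatName
    $minVmVer = Get-RegValue $VirtPath 'MinVmVersionForCpuBasedMitigations'

    if ($null -eq $override -or $null -eq $mask) {
        # No override pair present: Microsoft's default applies, which this guide notes is
        # enabled on client SKUs and disabled on Windows Server.
        $btiOff  = $isServer
        $kvaOff  = $isServer
        $summary = if ($isServer) { 'Default (disabled on Server)' } else { 'Default (enabled on client)' }
    } else {
        # Only the bits selected by the mask take effect: 0/3 enables both mitigations and
        # 3/3 disables both, as shown above. The per-bit split (bit 0 = branch target
        # injection, CVE-2017-5715; bit 1 = kernel VA shadow, CVE-2017-5754) follows
        # Microsoft's KB guidance and is an assumption of this example, not stated on the page.
        $effective = $override -band $mask
        $btiOff  = (($effective -band 1) -ne 0)
        $kvaOff  = (($effective -band 2) -ne 0)
        $summary = "Override=$override Mask=$mask Effective=$effective"
    }

    [pscustomobject]@{
        IsWindowsServer               = $isServer
        AvCompatKeyPresent            = ($null -ne $qcFlag)  # QualityCompat value set by AV vendor or admin
        FeatureSettings               = $summary
        BranchTargetInjectionDisabled = $btiOff
        KvaShadowDisabled             = $kvaOff
        HyperVMinVmVersion            = $minVmVer            # $null unless the Hyper-V value was added
    }
}

function Get-SpeculationControlCrossCheck {
    # Runs only if the SpeculationControl module is installed (Install-Module SpeculationControl).
    # The property names are those the module returned in -Quiet mode at the time of writing
    # and are an assumption here. "Enabled" for branch target injection also needs firmware
    # support, so it can be False even when the registry does not disable the mitigation.
    if (-not (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue)) {
        return 'SpeculationControl module not installed; registry view only'
    }
    $sc = Get-SpeculationControlSettings -Quiet
    [pscustomobject]@{
        BtiWindowsSupportEnabled = $sc.BTIWindowsSupportEnabled
        KvaShadowWindowsEnabled  = $sc.KVAShadowWindowsSupportEnabled
        KvaShadowPcidEnabled     = $sc.KVAShadowPcidEnabled
    }
}

$state = Get-MitigationRegistryState
$state | Format-List
Get-SpeculationControlCrossCheck | Format-List
```

On a Windows Server host that has had the "enable" commands above applied, expect FeatureSettings to read Override=0 Mask=3 Effective=0 with both Disabled fields False; on a Hyper-V host the HyperVMinVmVersion field should read 1.0.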

MacOS and iOS updates

Apple included mitigations to address Meltdown in its macOS 10.13.2 and iOS 11.2 updates released in December. They have since followed up with additional mitigations addressing the Spectre vulnerability with the recently released macOS High Sierra 10.13.2 Supplemental Update and iOS 11.2.2 update.

What they address:

  • Meltdown (CVE-2017-5754)
  • Spectre (CVE-2017-5753 and CVE-2017-5715) to some extent

What they don’t address:

  • Spectre (CVE-2017-5753 and CVE-2017-5715) to some extent
    Apple says its latest updates to MacOS, iOS, and Safari overall help to mitigate the risk of Spectre being exploited, however the company acknowledges it will be continuing to develop and test further mitigations.

No reported issues



Browser updates

Security researchers have been advising that the most likely exploitation of Spectre will be web-based attacks using JavaScript (for example, in a malicious ad) to leak information, session keys, etc. cached in the browser. Given this, Google, Mozilla, Apple, and Microsoft have all either issued or scheduled new updates for their browsers to reduce that risk.

What browser updates address:

  • Spectre (CVE-2017-5753 and CVE-2017-5715) to some extent

What browser updates don’t address:

  • Meltdown (CVE-2017-5754)
    You will still need to apply Operating System updates to mitigate Meltdown.


Chrome

Google has announced that it will include mitigations for Spectre starting with Chrome 64, which will be released on or around January 23. In the meantime, Chrome users are advised to enable site isolation, which can help prevent one site from stealing data from another.


Firefox

Mozilla has already issued Firefox version 57.0.4, which helps address Spectre by disabling or reducing the precision of Firefox’s internal timer functions and disabling the SharedArrayBuffer feature. Firefox users can take additional precautions by enabling site isolation as well.


Safari

Apple has released Safari 11.0.2 specifically to mitigate the effects of Spectre.

IE and Edge

Microsoft has made changes to both Internet Explorer 11 and Microsoft Edge to mitigate Spectre. In addition to removing support for SharedArrayBuffer from Edge, it has made changes to reduce the precision of several time sources to make successful attacks more difficult.


Firmware updates

Operating system and browser updates only partially mitigate Meltdown and Spectre. UEFI firmware and BIOS updates are also required to mitigate them further. If and when these updates will be pushed out varies from vendor to vendor, adding yet another layer of complexity, uncertainty and frustration to patching. In practice this may mean the only way to obtain them is to proactively check with your PC/server manufacturers periodically over the coming days or weeks.


Intel has released new Linux Processor microcode data files that can be used to add Meltdown and Spectre mitigations without having to perform a BIOS update.

Intel promised firmware updates for 90 percent of the affected processors made in the past five years by 15 January. So far it looks as though they are on track, and it now rests on the downstream vendors/distributors to complete testing and deployment to their respective customer bases. These microcode fixes apply to a specific list of processors, provided here.

The microcode updates can be obtained directly from Intel, and Bleeping Computer has provided instructions and a video example to walk admins through the install process here. It should be noted that some issues have already been reported with the updates, specifically unwanted reboots. Intel initially confirmed that machines with Broadwell and Haswell CPUs were experiencing that issue; it later acknowledged that machines running newer processors were affected as well.

Windows users need to wait until Microsoft finalizes testing the microcode and releases an additional update to add in these further mitigations.

Known issues:

  • Older Intel Broadwell and Haswell CPUs experiencing sudden reboots: Intel has confirmed they have received reports of some glitches resulting from the firmware update on systems running Intel Broadwell and Haswell CPUs.
  • Newer Intel CPUs also experiencing sudden reboots: Intel has confirmed the firmware update is causing machines with Ivy Bridge, Sandy Bridge, Skylake, and Kaby Lake processors to suffer from sudden reboots too.
  • Performance impact: Information regarding the potential performance implications of these updates has been inconsistent; however, Intel has most recently said the patches slow processors down by six percent in certain situations. Intel has shared more details on performance impact for specific workloads in a chart you can find here.

NOTE: Intel has currently requested that customers stop installing its firmware update; it is aware of the issue and is working on a resolution.


AMD has officially acknowledged that its processors are vulnerable to both variants of Spectre, but denies being vulnerable to Meltdown. While AMD says that OS patches are sufficient to mitigate the first variant of Spectre, it has also started rolling out optional microcode updates as of last week; the initial fixes are focused on the Ryzen and EPYC processors.

Known issues:

  • Windows OS update compatibility issues: As first reported at The Verge, Microsoft had received numerous reports of PCs running AMD processors getting into a boot loop after installing the latest Windows security update. After some investigation, the company confirmed that there were issues and temporarily stopped delivering the update to AMD devices. Affected users needed to visit Microsoft’s support site for instructions on getting their machines back up and running. Microsoft announced on 18 January that it will resume rolling out patches for AMD devices running Windows 7 SP1 and Windows Server 2008 R2 SP1, Windows 8.1 and Windows Server 2012 R2, and the latest version of Windows 10 (1709). Updates for four older versions of Windows 10 – 1511, 1607, and 1703 – are still on hold, as are updates for Windows Server 2016 and Windows 10 Enterprise.


Right now the priority is not to stress and not to rush out and deploy every update you can find; instead, take a step back, assess the situation and work out how you can best mitigate these vulnerabilities. At present I would concentrate on operating system and browser updates, provided your anti-virus is up to date. The firmware updates are fresh and seem to be experiencing more issues, so I would hold off on them a little longer while the dust settles and you can be reassured of their stability. As always, remember to test before mass deployment and make sure you have a proven, restorable backup to revert to in case you encounter any issues.

Fresh information surrounding Meltdown and Spectre is coming out every day, so there is likely much more to come. I will be following closely and providing updates as soon as possible.

CPU Flaws – Meltdown and Spectre

Two vulnerabilities called Meltdown and Spectre have recently been discovered. You have probably seen them in the news over the past 24 hours, since they affect most modern processors and allow malicious programs to steal information from the memory of other programs. This means that a malicious program could steal passwords, account information, encryption keys, or theoretically anything stored in the memory of a process.

Most vendors have started to release information surrounding how customers can protect themselves from Spectre or Meltdown and to what extents they are vulnerable. To make it easier to find this information, I will be adding some key information and links to various advisories as they are released.



CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754


CPU hardware implementations are vulnerable to side-channel attacks. These vulnerabilities are referred to as Meltdown and Spectre.


An attacker able to execute code with user privileges can achieve various impacts, such as reading otherwise protected kernel memory and bypassing KASLR.

CVSS Metrics

Group                                   Score                     Vector

Base                                      1.5                          AV:L/AC:M/Au:S/C:P/I:N/A:N

Temporal                             1.2                          E:POC/RL:OF/RC:C

Environmental                  2.0                          CDP:ND/TD:H/CR:H/IR:ND/AR:ND



1. Update operating systems – this will mitigate the issue so that the operating system itself cannot be exploited, but if the operating system is re-installed or the update removed then the device would still be vulnerable.

2. Apply firmware updates from the OEM (CPU microcode) when/if available – this should offer a full resolution to the vulnerabilities.

3. Replace the CPU with one that isn’t vulnerable – the best option for ensuring you are not vulnerable, but not the easiest or quickest solution.

Windows Server and Client – antivirus


“The compatibility issue is caused when anti-virus applications make unsupported calls into Windows kernel memory. These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot. To help prevent stop errors caused by incompatible anti-virus applications, Microsoft is only offering the Windows security updates released on January 3, 2018 to devices running anti-virus software from partners who have confirmed their software is compatible with the January 2018 Windows operating system security update.”

^^ We need to test and potentially contact AV providers and check their product is compatible, and make sure they add the registry key to say so. Otherwise we aren’t getting protected.


Antivirus support chart

Microsoft will only distribute the security update released on January 3rd 2018 to devices where a particular registry key has been added by an installed antivirus vendor. Kevin Beaumont has created a spreadsheet to keep track of the antivirus vendors and whether they set this key.


To manually add the registry key and obtain the update now, enter the following in a command prompt window (run as administrator) and then run Windows Update (this site does not accept any liability for any issues that could arise as a result and would recommend you contact Microsoft and your AV provider prior to doing this):

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" /v "cadca5fe-87d3-4b96-b7fb-a231484277cc" /t REG_DWORD /d "0x00000000" /f



Windows Server

Microsoft has published guidance for Windows Server.

Important note: the patch is disabled by default for performance reasons.

To enable the mitigations

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

MS SQL Server

SQL specific information to come out later today

Windows Client

Microsoft has published guidance for Windows clients.

Mozilla Firefox

Firefox 57 will add mitigations against websites trying to exploit these flaws.

Google Chrome

Chrome 64, due late January, will include protection against websites trying to exploit these flaws.

Microsoft Edge and Internet Explorer 11

Microsoft released an update yesterday which includes protection against websites trying to exploit these flaws.

Amazon AWS – cloud

AWS has protected its customers.


Microsoft Azure – cloud

“The majority of Azure infrastructure has already been updated to address this vulnerability. Some aspects of Azure are still being updated and require a reboot of customer VMs for the security update to take effect. Many of you have received notification in recent weeks of a planned maintenance on Azure and have already rebooted your VMs to apply the fix, and no further action by you is required.”


ETA for completion of hypervisor-level patching: 24–48 hours. MS will try to respect availability sets (if configured). Originally the maintenance was planned for the fabric to be updated over the following couple of weeks, but they have had to condense it, so they can’t guarantee it but will try to respect availability sets.

Reboots can take place at any time (e.g. they could reboot Azure VMs during business hours).

AMD processors

AMD’s summary of the three Google Project Zero (GPZ) research variants:

  • Variant One – Bounds Check Bypass: Resolved by software / OS updates to be made available by system vendors and manufacturers. Negligible performance impact expected.
  • Variant Two – Branch Target Injection: Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date.
  • Variant Three – Rogue Data Cache Load: Zero AMD vulnerability due to AMD architecture differences.

The full advisory can be found here.

Tom Lendacky, a software engineer at AMD, posted an email to the Linux Kernel Mailing List stating:

“AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against.  The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.

Disable page table isolation by default on AMD processors by not setting the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI is set.”

You can read the full post here.


Android

The Android team has updated its January 2018 bulletin with the following note:

“CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754, a set of vulnerabilities related to speculative execution in processors, have been publicly disclosed. Android is unaware of any successful reproduction of these vulnerabilities that would allow unauthorized information disclosure on any ARM-based Android device.

To provide additional protection, the update for CVE-2017-13218 included in this bulletin reduces access to high-precision timers, which helps limits side channel attacks (such as CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754) of all known variants of ARM processors.

We encourage Android users to accept available security updates to their devices. See the Google security blog for more details.”

The full bulletin can be found here.


Apple

Apple has announced that all Mac systems and iOS devices are affected, with the following statement:

“Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown. In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.”

Xen hypervisors



Suggested to patch these ASAP (currently waiting to see if there are any issues) if you use the hypervisor as a security layer (e.g. a bank or cloud provider). The Xen advisory and patches have been published.