On January 3, 2018, Microsoft released an out-of-band Windows updates to address the Meltdown and Spectre flaws. It is worth noting that these patches should be tested on machines before deploying it to a full environment. There have been posts about incompatibilities found with AMD processors and some anti-malware packages.
Microsoft has four help pages of guidance for client and server:
- Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
- Windows Server guidance to protect against speculative execution side-channel vulnerabilities
- ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities (contains KB numbers for update packages)
- Important: Windows security updates released January 3, 2018, and antivirus software
"The compatibility issue arises when antivirus applications make unsupported calls into Windows kernel memory. These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot. To help prevent stop errors that are caused by incompatible antivirus applications, Microsoft is only offering the Windows security updates that were released on January 3, 2018, to devices that are running antivirus software that is from partners who have confirmed that their software is compatible with the January 2018 Windows operating system security update."
Meltdown and Spectre Flaws Diagnostics
To check if you have the anti-malware compatible registry key:
REG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat /v cadca5fe-87d3-4b96-b7fb-a231484277ccIf you want to test the state of a computer if it has been patched or not, you can use a PowerShell module/cmdlet that Microsoft has created to test for the existence of the flaw and patch.
- Download and install a Powershell module: Install-Module SpeculationControl
- Run the following PowerShell command: Get-SpeculationControlSettings
Note: If you can't run the commands, you might need to change the PowerShell security level: Set-ExecutionPolicy RemoteSigned -Scope Currentuser