Over the past few days information on new critical security vulnerabilities affecting processors in most computers/servers/mobile devices (including Windows, Linux, MacOS, iOS, and Android) has been released.
These critical vulnerabilities have been named Meltdown and Spectre and allow malicious programs to access protected data (such as passwords) stored in memory by other running programs, breaking the isolation between user applications and the operating system and the isolation between user applications to other user applications.
As of 4 January 2018 Microsoft reported that they have not received any information to indicate that these vulnerabilities had been used to attack customers.
Microsoft are in the process of releasing Windows Updates for the following Windows Operating Systems:
> Windows 7 Service Pack 1
> Windows 8.1
> Windows 10
> Windows Server 2008 R2
> Windows Server 2012 R2
> Windows Server 2016
Currently Microsoft have not released updates for Windows Server 2008, Windows SBS 2008 and Windows Server 2012.
Why aren't Windows Server 2008 and Windows Server 2012 platforms getting an update? When can customers expect the fix?
Addressing a hardware vulnerability with a software update presents significant challenges, and mitigations for older operating systems require extensive architectural changes. Microsoft continues to work with affected chip manufacturers and investigate the best way to provide mitigations.”
It is unlikely that Microsoft will release public updates for Windows XP, Windows Vista, Windows 8 (not 8.1), and Windows Server 2003, as these Operating Systems are no longer under support.
Microsoft have noted some potential performance impacts - “In testing Microsoft has seen some performance impact with these mitigations. For most consumer devices, the impact may not be noticeable, however, the specific impact varies by hardware generation and implementation by the chip manufacturer. Microsoft values the security of its software and services and has made the decision to implement certain mitigation strategies in an effort to better secure our products. We continue to work with hardware vendors to improve performance while maintaining a high level of security.”
The installation of these Windows Updates requires an update to your antivirus software. Symantec Endpoint will be updated automatically through its Live Update service. Trend Micro products currently require a registry key to be manually changed, a patch will be released at a later date.
OIA will contact our Managed Services and Break/Fix customers as these become available and start the planning process for installation of the Antivirus and Windows Updates. For customers running Windows Server 2008 and 2012 (not the R2 releases), OIA will need to wait for additional guidance from Microsoft to be released.
Firmware updates will need to be installed for most computers and laptops. OIA will contact our Managed Services and Break/Fix customers as more information becomes available.
Updates will need to be installed, OIA will contact our Managed Services and Break/Fix customers when the update becomes available.
VMWare have released updates for the following platforms:
> ESXi 6.5
> ESXi 6.0
> ESXi 5.5
> Workstation 12.x
> Fusion 8.x
OIA will contact our affected Managed Services and Break/Fix customers.
VMWare have reported that Workstation 14.x and Fusion 10.x are not affected.
Android Updates (Google, Samsung, LG, Sony mobile phones and tablets)
Google have released an update for the Android Operating System to mitigate exploits. Updates to mobile devices will be dependent on your mobile device manufacturer and mobile phone carrier releasing the update. Future updates will include additional mitigations.
Apple (iOS and macOS Updates)
Apple have released mitigations in the iOS 11.2 and macOS 10.13.2 updates. Further mitigations will be released in the coming days.
Information and Q&A