Posted by: kurtsh | January 12, 2018

INFO: More on “Spectre/Meltdown”: Security Guidance for IT Professionals

This is a PowerPoint deck that goes over the recent Spectre/Meltdown concern for Enterprise customers.  It doesn’t have any indicators that it’s NDA or anything and I think the material is pretty important to everyone so… here’s the document for download:

Here’s some additional information on specifics that IT Professionals should know:

Additional Info / Frequent Questions:

Details for the registry keys:

FeatureSettingsOverride represents a bitmap that overrides the default setting and controls which mitigations will be disabled. Bit 0 controls the mitigation corresponding to CVE-2017-5715 and Bit 1 controls the mitigation corresponding to CVE-2017-5754. The bits are set to “Zero” to enable the mitigation and to “One” to disable the mitigation.

FeatureSettingsOverrideMask represents a bitmap mask that is used in conjunction with FeatureSettingsOverride. In this case, we use the value 3 (binary 11), which selects the first two bits that correspond to the available mitigations. This registry key is set to 3 both when we want to enable the mitigations and when we want to disable them.

MinVmVersionForCpuBasedMitigations is for Hyper-V hosts. This registry key defines the minimum VM version that will be able to use the updated firmware capabilities (CVE-2017-5715). We set this to 1.0 to cover all VM versions. Note that this registry value will be ignored (benign) on non-Hyper-V hosts. For more details, see https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms
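To read the two bitmaps together, here is a small decoder, added as an example (it is not from the original post or from Microsoft). It takes FeatureSettingsOverride and FeatureSettingsOverrideMask as plain integers. The host names and values in the sample inventory are constructed, and treating an unmasked bit or an absent value as "os-default" is an assumption.

```python
"""Decode FeatureSettingsOverride / FeatureSettingsOverrideMask as described above."""

# Bit positions as stated on the page.
MITIGATIONS = {
    0: "CVE-2017-5715",  # Spectre variant 2 (branch target injection)
    1: "CVE-2017-5754",  # Meltdown (rogue data cache load)
}


def decode(override, mask):
    """Return {cve: 'enabled' | 'disabled' | 'os-default'} for one host.

    None means the registry value is absent. Assumption: a bit the mask
    does not select is not overridden, so the OS default applies.
    """
    result = {}
    for bit, cve in MITIGATIONS.items():
        if override is None or mask is None or not (mask >> bit) & 1:
            result[cve] = "os-default"
        elif (override >> bit) & 1:
            result[cve] = "disabled"   # bit set to one: mitigation disabled
        else:
            result[cve] = "enabled"    # bit set to zero: mitigation enabled
    return result


def audit(inventory):
    """Return sorted (host, cve, state) rows for mitigations not explicitly enabled."""
    findings = []
    for host, (override, mask) in inventory.items():
        for cve, state in decode(override, mask).items():
            if state != "enabled":
                findings.append((host, cve, state))
    return sorted(findings)


# Constructed sample: host -> (FeatureSettingsOverride, FeatureSettingsOverrideMask)
SAMPLE = {
    "srv-01": (0, 3),        # both mitigations enabled
    "srv-02": (3, 3),        # both mitigations disabled
    "srv-03": (1, 3),        # only CVE-2017-5715 disabled
    "srv-04": (None, None),  # values never written
    "srv-05": (0, 1),        # mask covers bit 0 only
}

if __name__ == "__main__":
    for host, cve, state in audit(SAMPLE):
        print(f"{host}: {cve} is {state}")
```
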

Why are Edge and IE listed as an “affected product?”

  • Variant 1 of Spectre will exploit JavaScript, so both Edge and IE need to be hardened by the update.

https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/

Why is SQL listed as an “affected product?”
SQL is listed as being vulnerable to “Side channel attacks.” SQL is a bit unique when compared to most Windows applications in that it talks directly to the underlying hardware through an OS-like layer aptly called SQLOS.
https://blogs.msdn.microsoft.com/sqlosteam/2010/06/23/sqlos-resources/

Will the patch handle KVAS or KPTI?
No.  According to this link, once the update is installed it is recommended to choose the listed scenario and follow recommendations on whether to enable KVAS or KPTI.
https://support.microsoft.com/en-us/help/4073225/guidance-for-sql-server

Will the patch install the needed registry key?
No.  This is why antivirus needs to be updated first.  The antivirus vendors will add the necessary registry key that is needed to protect the users once the patch is installed.  So the guidance is to update the antivirus first.
https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software

Regarding AMD Based Devices
https://support.microsoft.com/en-us/help/4073707/windows-os-security-update-block-for-some-amd-based-devices

Overview of Meltdown and Spectre (not a Microsoft link)
Official advisories by vendor
https://meltdownattack.com/

