This document is a reference covering the following:
Overview of the Meltdown and Spectre vulnerabilities
For a further overview of both the Meltdown and Spectre vulnerabilities please see the following Ivanti Blog Post:
Meltdown - CVE Notice # CVE-2017-5754 More information from the National Vulnerability Database: NVD - CVE-2017-5754
Spectre Variant 1 - CVE Notice # CVE-2017-5753 More information from the National Vulnerability Database: NVD - CVE-2017-5753
Spectre Variant 2 - CVE Notice # CVE-2017-5715 More information from the National Vulnerability Database: NVD - CVE-2017-5715
These CVE and NVD entries list advisories, solutions, and tools for these vulnerabilities. CVE (Common Vulnerabilities and Exposures) is the reference scheme for publicly known IT vulnerabilities and exposures.
Meltdown and Spectre are vulnerabilities in the speculative execution behaviour of many processors, including Intel x86 and some ARM-based parts. Meltdown affects a very large range of servers, desktops, tablets, cell phones and other mobile devices, so it touches systems you manage with Ivanti EPM; this document covers how to mitigate it through the features of Ivanti EPM.

Meltdown was disclosed in January 2018 together with a second exploit, Spectre, with which it shares some but not all characteristics. The Meltdown patches may introduce some performance loss, but not as much as initially reported. On January 18, 2018, unwanted reboots and other stability issues were reported from patches applied to mitigate these vulnerabilities, and newer updates have been released as a result. All updates are addressed under the OS Updates section below.
OS Updates
Windows Updates
This section describes available Patch and Compliance definitions that can be delivered through the EPM Patch and Compliance tool.
New 01/29/2018 Important update for all operating systems
Microsoft has released an emergency out-of-band update that disables the mitigation for Spectre variant 2, because Intel's new microcode can cause higher-than-expected reboots that may result in data loss or corruption.
Microsoft news about this patch release: https://support.microsoft.com/en-us/help/4078130/update-to-disable-mitigation-against-spectre-variant-2
This update adds two registry values that "manually disable mitigation against Spectre Variant 2". The equivalent commands, as given in the Microsoft article, are:

```cmd
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 1 /f
```
Installing this latest patch is optional, and caution should be taken. If the earlier Spectre mitigation patches caused instability, install this patch (definition MSNS18-01-4078130_INTL) to return the system to better stability.
Note: If you choose to install the patch for KB4078130, the patches already applied will again detect as being installed. Choose one or the other for your scan group: either MSNS18-01-4078130_INTL or the patches listed further below.
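The two values above only take effect in combination: a bit in FeatureSettingsOverride is honoured only when the same bit is set in FeatureSettingsOverrideMask, so whether a machine has actually opted out of a mitigation depends on the bitwise AND of the pair. The PowerShell below is an added example, not code from Ivanti, EPM or the Microsoft article. It decodes a pair of values, then reads the live values on the local machine. The bit layout it assumes (bit 0 = Spectre variant 2 / CVE-2017-5715, bit 1 = Meltdown / CVE-2017-5754) is inferred from the documented pairs, 1/1 disabling variant 2 only and Microsoft's 3/3 in KB4072698 disabling both; the function and variable names are this example's own.

```powershell
# Added example (not from Ivanti EPM or Microsoft's KB): decode the
# Memory Management override pair that KB4078130 writes and report which
# speculative-execution mitigations it leaves disabled.
#
# Assumed bit layout, inferred from the documented pairs (Override=1/Mask=1
# disables Spectre variant 2 only; Override=3/Mask=3 disables both):
#   bit 0 -> Spectre v2 (CVE-2017-5715) mitigation off
#   bit 1 -> Meltdown   (CVE-2017-5754) mitigation off
# A bit in FeatureSettingsOverride is honoured only when the same bit is set
# in FeatureSettingsOverrideMask, so the effective override is Override -band Mask.

$MemMgmtKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$SpectreV2Bit = 1   # hypothetical name for the CVE-2017-5715 bit
$MeltdownBit  = 2   # hypothetical name for the CVE-2017-5754 bit

function ConvertTo-MitigationState {
    # Pure decode; takes the two DWORDs (or $null when a value is absent) so it
    # can be exercised with constructed input without touching the registry.
    param(
        [Nullable[int]] $Override,
        [Nullable[int]] $Mask
    )

    if ($null -eq $Override -or $null -eq $Mask) {
        # No override pair: the OS default applies. Client SKUs enable the
        # mitigations by default; Windows Server builds of that era left them
        # off until the pair was set explicitly (KB4072698).
        return [pscustomobject]@{
            ValuesPresent          = $false
            EffectiveOverride      = 0
            SpectreV2MitigationOff = $false
            MeltdownMitigationOff  = $false
            Summary                = 'No override present; OS default applies'
        }
    }

    $effective = $Override -band $Mask
    $v2Off = (($effective -band $SpectreV2Bit) -ne 0)
    $mdOff = (($effective -band $MeltdownBit)  -ne 0)

    if ($v2Off -and $mdOff) {
        $summary = 'Spectre v2 and Meltdown mitigations disabled (Override/Mask 3/3)'
    } elseif ($v2Off) {
        $summary = 'Spectre v2 mitigation disabled (KB4078130 style Override/Mask 1/1)'
    } elseif ($mdOff) {
        $summary = 'Meltdown mitigation disabled'
    } else {
        $summary = 'Override present but disables nothing'
    }

    [pscustomobject]@{
        ValuesPresent          = $true
        EffectiveOverride      = $effective
        SpectreV2MitigationOff = $v2Off
        MeltdownMitigationOff  = $mdOff
        Summary                = $summary
    }
}

function Get-LocalMitigationState {
    # Read the live pair; reading HKLM does not require elevation.
    $props = Get-ItemProperty -Path $MemMgmtKey -ErrorAction SilentlyContinue
    $override = if ($null -ne $props -and $null -ne $props.FeatureSettingsOverride)     { [int]$props.FeatureSettingsOverride }     else { $null }
    $mask     = if ($null -ne $props -and $null -ne $props.FeatureSettingsOverrideMask) { [int]$props.FeatureSettingsOverrideMask } else { $null }
    ConvertTo-MitigationState -Override $override -Mask $mask
}

# Constructed input: the exact pair KB4078130 writes.
ConvertTo-MitigationState -Override 1 -Mask 1 | Format-List

# Constructed input: Override set but Mask absent, which is not honoured.
ConvertTo-MitigationState -Override 1 -Mask $null | Format-List

# This machine.
Get-LocalMitigationState | Format-List
```

Run it on a client that received KB4078130 and the first and last objects should agree (SpectreV2MitigationOff true, MeltdownMitigationOff false). The registry pair is only the requested policy; Microsoft's SpeculationControl module from the PowerShell Gallery (Get-SpeculationControlSettings) reports what the kernel actually enabled, including whether the microcode the mitigation depends on is present, so use it as the authoritative check before deciding whether a machine is exposed.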
Ivanti Patch and Compliance Manager ID | Microsoft KB # | Ivanti Publish Date | Other Notes |
---|---|---|---|
MSNS18-01-4078130_INTL | KB4078130 | 01/29/2018 | Disables Spectre variant 2 mitigation |
Windows 10
Ivanti Patch and Compliance Manager ID | Microsoft KB # | Ivanti Publish Date | Other Notes |
---|---|---|---|
MS18-01-W10_INTL | Version 1507 - KB4056893 | 01/03/2018 | Cumulative Update and Delta Update |
" | Version 1511 - KB4056888 | 01/03/2018 | Cumulative Update and Delta Update |
" | Version 1607 - KB4056890 | 01/03/2018 | Cumulative Update and Delta Update |
" | Version 1703 - KB4056891 | 01/03/2018 | Cumulative Update and Delta Update |
" | Version 1709 - KB4056892 | 01/03/2018 | Cumulative Update and Delta Update |
Windows 8.1 and Server 2012
Ivanti Patch and Compliance Manager ID | Microsoft KB # | Ivanti Publish Date | Other Notes |
---|---|---|---|
MS18-01-SO81_INTL (Windows 8.1) | KB4056898 | 01/04/2018 | Security Only |
MS18-01-SO9_INTL (Server 2012) | KB4056899 | 01/04/2018 | Security Only |
MS18-01-MR7_INTL | KB4056894 | 01/04/2018 | Monthly Rollup |
Windows 7 and Server 2008
Ivanti Patch and Compliance Manager ID | Microsoft KB # | Ivanti Publish Date | Other Notes |
---|---|---|---|
MS18-01-S07_INTL | KB4056897 | 01/04/2018 | Security Only |
MS18-01-MR7-INTL | KB4056894 | 01/04/2018 | Monthly Rollup |
Note: As of 01/17/2018, the Windows patches for 32-bit systems on all OS versions do not provide Meltdown mitigations. This is a Windows patch issue, not an Ivanti patch issue.
macOS and iOS updates
Apple included mitigations in macOS 10.13.2 and iOS 11.2, released in December, and has since followed up with additional mitigations in the just-released macOS Supplemental Update: About speculative execution vulnerabilities in ARM-based and Intel CPUs - Apple Support
Browser Vulnerabilities
Browser | Edge | Internet Explorer | Google Chrome | Firefox | Opera |
---|---|---|---|---|---|
Earliest Recommended Version | Varies per build number | Varies per OS | 64.0.3282.134 | 57.0.4 | 50.0.2762.67 |
Ivanti Patch Definition ID | MS18-01-W10_INTL | MS18-01-IE_INTL | Pending | FF18-001_INTL or newer | OPERA-154_INTL |
BIOS, firmware and driver updates
Ivanti EPM Patch and Compliance provides content for several vendors' BIOS and driver updates. Follow the vendor's advice and update your systems accordingly; the OS-level Spectre variant 2 mitigation depends on the updated microcode these packages deliver.
As a convenience we offer some links to vendor websites relating to this issue:
Dell: Meltdown and Spectre Vulnerabilities | Dell US
HP: HPSBHF03573 rev. 7 - Side-Channel Analysis Method | HP® Customer Support
Lenovo: Reading Privileged Memory with a Side Channel
These vendor links are provided for convenience. They may quickly become outdated and there may be better links provided by the vendor.
Antivirus software and possible compatibility issues with OS patches
See the following article for information specifically regarding antivirus compatibility, including Ivanti Antivirus: About Antivirus products and the Meltdown and Spectre security vulnerabilities