Last night Microsoft released KB 4056894, the 2018-01 Security Monthly Quality Rollup for Windows 7. Spurred by early disclosure of the Meltdown and Spectre vulnerabilities, Microsoft has done yeoman work getting the software part of the patches pushed out the Automatic Update chute.
That said, Windows patches are only part of a very formidable picture.
Where we stand with Windows patches
As of this morning, every supported version of Windows has a Meltdown-related patch available, with one gap: Windows 8.1 so far has only a security-only patch and no Monthly Rollup. In particular:
Win10 1709 KB 4056892 is a true cumulative update in that it includes the Meltdown patches and a dozen or so additional fixes. Build 16299.192. The Update Catalog lists the usual Delta updates.
Win10 1709 for ARM KB 4056892 is a surprise drop listed in the Update Catalog, presumably covering the same ground as the Win10 1709 cumulative update.
Win10 1703 KB 4056891 is listed as a cumulative update, but apparently it only has one new patch, the Meltdown fix. Build 15063.850. Delta updates in the Catalog.
Win10 1607 and Server 2016 KB 4056890 also appears as a cumulative update, but the only new piece (per the documentation) is the Meltdown fix. Build 14393.2007.
Win10 1511 KB 4056888 is also presented as a cumulative update, but appears to contain only the Meltdown patch. Build 10586.1356.
Win10 1507 LTSB KB 4056893, on the other hand, has one additional fix, for a SmartCard memory spike. Build 10240.17738.
Win8.1 and Server 2012 R2 KB 4056898 is the January security-only patch, which must be manually downloaded and installed. It, too, contains only the Meltdown fix. (There was no Preview Monthly Rollup in December.) I don’t see any references to a Win8.1 Monthly Rollup — it’s likely we’ll see one sooner or later.
Win7 and Server 2008 R2, on the other hand, have the usual two patches. KB 4056897 is the Security-only (manual install) patch. KB 4056894 is the just-released January Monthly Rollup. Both of them appear to contain just the Meltdown patch. I don’t see any other fixes listed.
As always, there’s an ongoing list of security-only, manually installable patches on @PKCano’s AKB 2000003.
There’s a hitch
Several hitches, actually.
The Windows patches for Meltdown won’t install unless you’re running an antivirus program that specifically tells the patch installer that it’s ready for the Meltdown fix. Mechanically, the antivirus vendor’s update sets a registry flag (a value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat, documented by Microsoft in KB 4072699), and Windows Update won’t offer the patch until that flag is present. So you have to update your antivirus to a version that’s Meltdown-patch-friendly before the Windows installer will even try to install the patch. Kevin Beaumont (@GossiTheDog on Twitter) is maintaining a lengthy list of antivirus programs that claim to be Meltdown-patch-friendly. As of this moment, Windows Defender is on the all-clear list, as you would expect, but McAfee Endpoint, F-PROT, Trend Micro and Sophos are not. The situation is in a constant state of flux.
But that’s not all.
The Windows patches are necessary, at some point, but they depend on the antivirus updates landing first. Independently, you also have to patch your computer’s firmware (flash the BIOS or UEFI, which is typically how the CPU microcode update for Spectre reaches your machine), and the browser you use needs its own update as well, because the published Spectre proof of concept works from JavaScript running in a web page.
Intel has reported that it’s working on firmware upgrades, but you usually have to get firmware fixes from your PC’s manufacturer. As best I can tell, none of the major manufacturers have Meltdown-hardened firmware upgrades available. Not even Microsoft, in spite of its promises.
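If you want to see where a particular machine stands on the three pieces above (the antivirus compatibility flag, the Windows patch itself, and the firmware/microcode piece), the following read-only check pulls them together. This is an added example, not a script from the AskWoody post or from Microsoft; it assumes Microsoft’s SpeculationControl PowerShell module is available for the firmware check and that you run it from an elevated prompt. It only reads the registry and never sets the compatibility flag.

```powershell
# Added example (not from the original post): read-only readiness check for the
# January 2018 Meltdown/Spectre patches on Windows 7 / 8.1 / 10.
# Run from an elevated PowerShell prompt. Nothing here writes to the registry.

# 1. Antivirus compatibility flag. Microsoft documented this key in KB 4072699:
#    a compatible antivirus sets the REG_DWORD value below to 0 under QualityCompat,
#    and Windows Update withholds the patch until it sees that value.
$qcPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$qcName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$avReady = $false
if (Test-Path $qcPath) {
    $v = Get-ItemProperty -Path $qcPath -Name $qcName -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.$qcName -eq 0) { $avReady = $true }
}
"Antivirus compatibility flag set: $avReady"
if (-not $avReady) {
    "  -> Update your antivirus first; Windows Update will not offer the January patches until the AV product sets this flag."
}

# 2. Which of the January 2018 patches listed in the post (if any) is installed.
$januaryKBs = 'KB4056892','KB4056891','KB4056890','KB4056888',
              'KB4056893','KB4056898','KB4056897','KB4056894'
$installed = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $januaryKBs -contains $_.HotFixID }
if ($installed) {
    $installed | ForEach-Object { "Installed: $($_.HotFixID) on $($_.InstalledOn)" }
} else {
    "None of the January 2018 Meltdown patches is installed on this machine."
}

# 3. Firmware/microcode and kernel mitigation status, via Microsoft's SpeculationControl
#    module (Install-Module SpeculationControl from the PowerShell Gallery). Assumed
#    to be installed; the property names are the module's own.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    $s = Get-SpeculationControlSettings
    "Spectre v2: hardware (microcode) support present : $($s.BTIHardwarePresent)"
    "Spectre v2: Windows mitigation enabled           : $($s.BTIWindowsSupportEnabled)"
    "Meltdown:   KVA shadow mitigation enabled        : $($s.KVAShadowWindowsSupportEnabled)"
    if (-not $s.BTIHardwarePresent) {
        "  -> No firmware/microcode update yet: the Spectre variant 2 mitigation cannot be fully enabled until your PC maker ships one."
    }
} else {
    "SpeculationControl module not found; run: Install-Module SpeculationControl"
}
```

The three results map directly onto the three dependencies in the text: a missing compatibility flag means the antivirus still needs updating, a missing KB means the Windows piece has not landed, and a false `BTIHardwarePresent` means the firmware piece from your PC maker is still outstanding even once Windows and the antivirus are done.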
No need to panic
All of this is taking place against a backdrop where there are no known exploits for either Meltdown or Spectre in the wild. There are some demos working in testing labs, and at least one published piece of exploit code. But nobody has yet identified even one piece of wild malware that takes advantage of either Meltdown or Spectre.
There’s a reason why. Meltdown and Spectre sound scary, and they are, but they don’t deliver the kind of snooping information most malware authors want from a PC. The big exposure is on shared cloud hardware, where code running in one tenant’s VM or container can potentially read memory belonging to the host or to other tenants on the same machine; the potential on a normal, everyday PC isn’t nearly so great.
Alasdair Allan (@aallan) tweeted it well:
So if you're running a #cryptocurrency exchange you must be shaking with fear right now. Think about the implications of #meltdown and #spectre and all those wallet private keys going through memory. Target rich environment. If we see exploits, that's where it'll start.
The high-stakes Meltdown and Spectre intrusions will happen on exchange sites — possibly banking and brokerage sites, too, where the benefits are enormous. The big exposure right now isn’t on everyday PCs.
That’s why I’m continuing to recommend that you hold off on applying this month’s “Early Patch Tuesday” patches. The pieces aren’t all ready yet, and you’re not in a high-risk situation. Unless you’re running a crypto exchange site, anyway.
If you do decide to go ahead and patch, for heaven’s sake don’t install any patches manually, and don’t jimmy the registry entry to allow patching if your antivirus isn’t up to the task. There’s a reason why the patch installers balk at conflicting antivirus software: Microsoft added the check because some antivirus products make unsupported calls into kernel memory, and once the Meltdown fix rearranges the kernel those calls can throw a blue-screen stop error, in the worst case on every boot.
Have a question, observation or whinge? Drop by the AskWoody Lounge.