Meltdown-Spectre: A reminder to the IT industry that security is a mirage
If you're an IT pro and you haven't been sleeping soundly since the New Year, blame Meltdown and Spectre. These serious security flaws, more formally known as "speculative execution side-channel attacks," are present in all modern CPUs and represent the sort of problem that can keep any network admin up at night.
The biggest challenge is keeping track of all the pieces that need to be patched. To fully protect your Windows PCs from the inevitable attacks aimed at these vulnerabilities, you'll need to apply multiple software patches and update the BIOS or firmware on the underlying hardware.
(For more details, see "Meltdown-Spectre: Four things every Windows admin needs to do now.")
If your organization has standardized on third-party antivirus software, you'll also have to assess whether that software is compatible with those software and firmware patches. (You might also need to edit the registry on affected PCs to unblock security updates for those devices.)
Oh, and if you installed one of the early, defective firmware patches, which were the cause of "higher than expected reboots and other unpredictable system behavior," you might still have one more item to add to your checklist: Undo the January 2018 update (KB4078130) that temporarily disabled the software mitigations.
But don't do that until the PC maker pushes out a new firmware update to replace the defective one.
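The checklist above can be run against a single PC with a short script. The following PowerShell is an added example, not code from the article or from Microsoft. It assumes the SpeculationControl module from the PowerShell Gallery is installed (Install-Module SpeculationControl) and uses the property names that module reports; the QualityCompat registry value is the antivirus compatibility flag from Microsoft's Windows Update guidance, and $SecurityUpdateId is a placeholder for whichever monthly security update applies to the machine's Windows edition.

```powershell
# Added example (not from the article or from Microsoft): audit one Windows PC
# against the Meltdown-Spectre checklist. Run from an elevated PowerShell prompt.
# Assumes the SpeculationControl module is installed; the property names used
# below are the ones Get-SpeculationControlSettings reports.

function Get-MeltdownSpectreChecklist {
    param(
        # Placeholder: the monthly security update ID for this Windows edition.
        [string] $SecurityUpdateId = 'KB_PLACEHOLDER'
    )

    $result = [ordered]@{}

    # 1. Windows security update installed?
    $result['SecurityUpdateInstalled'] =
        [bool](Get-HotFix -Id $SecurityUpdateId -ErrorAction SilentlyContinue)

    # 2. Antivirus compatibility flag. Windows Update withholds the January 2018
    #    security updates until the AV vendor (or an admin) sets this value.
    $compatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $compatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    $result['AVCompatFlagSet'] =
        $null -ne (Get-ItemProperty -Path $compatKey -Name $compatValue -ErrorAction SilentlyContinue)

    # 3. Was the mitigation-disabling update (KB4078130) applied to this PC?
    $result['KB4078130Installed'] =
        [bool](Get-HotFix -Id 'KB4078130' -ErrorAction SilentlyContinue)

    # 4. Effective state as the kernel reports it: firmware/microcode support,
    #    OS support, and whether policy (e.g. KB4078130) switched the mitigation off.
    $sc = Get-SpeculationControlSettings
    $result['SpectreV2_FirmwareSupport']   = $sc.BTIHardwarePresent
    $result['SpectreV2_OSSupport']         = $sc.BTIWindowsSupportPresent
    $result['SpectreV2_Enabled']           = $sc.BTIWindowsSupportEnabled
    $result['SpectreV2_DisabledByPolicy']  = $sc.BTIDisabledBySystemPolicy
    $result['Meltdown_MitigationRequired'] = $sc.KVAShadowRequired
    $result['Meltdown_Enabled']            = $sc.KVAShadowWindowsSupportEnabled

    # 5. Translate the findings into the items still left on the checklist.
    $todo = @()
    if (-not $result['SecurityUpdateInstalled']) { $todo += "Install $SecurityUpdateId" }
    if (-not $result['AVCompatFlagSet'])         { $todo += 'Confirm AV compatibility; QualityCompat flag is not set' }
    if (-not $sc.BTIHardwarePresent)             { $todo += 'Apply the OEM firmware (microcode) update' }
    if ($sc.BTIDisabledBySystemPolicy)           { $todo += 'Re-enable the Spectre v2 mitigation (undo KB4078130) once fixed firmware is installed' }
    if ($sc.KVAShadowRequired -and -not $sc.KVAShadowWindowsSupportEnabled) {
        $todo += 'Meltdown mitigation is required but not active'
    }
    $result['RemainingActions'] = $todo

    [pscustomobject]$result
}

# Usage: substitute the real update ID for your edition.
Get-MeltdownSpectreChecklist -SecurityUpdateId 'KB_PLACEHOLDER' | Format-List
```

The script deliberately reports the kernel's own view of the mitigations rather than only checking that updates are installed: a PC can have every patch applied and still show SpectreV2_Enabled as false because the firmware is missing or because KB4078130 disabled it by policy, which is exactly the case the article's last checklist item describes.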
If you're responsible for a single PC, that checkup is easy to do manually. In a small office with a half-dozen PCs, it's a tedious but manageable task.
On a network with hundreds or thousands of Windows PCs, however, inspecting and patching every device by hand is impractical.
To address that acute problem, Microsoft announced today that it's releasing a new set of tools to help Windows admins assess what they need to do to protect their enterprise PCs from Meltdown and Spectre.
These capabilities are available through the free Windows Analytics service, which collects data from an organization's registered devices using the built-in Windows telemetry service and displays the aggregated protection status on a single dashboard like the one shown here.
The Windows Analytics capabilities are available on Pro, Enterprise, and Education editions of all supported desktop versions of Windows: Windows 7 with Service Pack 1, Windows 8.1, and Windows 10. Setting up the service requires an Azure Active Directory account, which is also free. (If your organization has a business or enterprise Office 365 subscription, you already have the Azure AD infrastructure in place.)
As the screenshot above illustrates, the dashboard displays three crucial pieces of information, called status insights:
- Antivirus software status: Most third-party antivirus software has been updated to be compatible with the Windows security updates for Spectre and Meltdown. This status insight should identify any devices that still require updates.
- Windows security update status: This panel shows which security updates have been installed on a device that's being monitored and also indicates whether any of those updates have been disabled. This status insight includes information for all original January 2018 updates as well as the updates released as part of the February 2018 Patch Tuesday release. (For a complete list of software updates by edition, see "Protect your Windows devices against Spectre and Meltdown" [KB4073757].)
- Firmware security update status: In an interview ahead of today's announcement, Klaus Diaconu, Partner Group Program Manager at Microsoft, acknowledged that this piece of the puzzle is "still evolving." Intel pulled its original microcode updates, and some of the PC makers who were burned with the initial batch of defective updates are being more cautious with the latest round of updates.
From that dashboard, an IT pro can drill down into groups and even to specific devices to determine what actions are still required.
Most large organizations already have update management tools in place to deliver Windows security patches and antivirus updates as needed. Firmware updates are potentially the most problematic, as they don't always allow for automated updates from a centralized server.
This is not a problem for Microsoft's Surface devices, which deliver firmware and other system software updates through Windows Update. For other PC OEMs, the update workflow might be more challenging, and it might be weeks or months before the required updates are available.
In the short run, this service solves a serious problem for harried IT pros. In the long run, it also represents an opportunity for Microsoft to introduce its relatively new Windows Analytics service to a generation of admins who haven't tried it yet. Because, sadly, the Meltdown-Spectre cleanup is going to be a long process, with more updates to come.