Reading Time: 5 minutes

Meltdown and Spectre are critical vulnerabilities existing in several modern CPU: these hardware bugs allow programs to steal data which is currently processed on the computer. Meltdown and Spectre can affect personal computers, mobile devices, server and several cloud services.

Actually, the only way to minimize those security risks is to patch your operating systems and the hypervisor level (if you are using virtual machines).

For Microsoft, this will apply, of course, to all operating systems and also to the Hyper-V layer and the cloud offers on Azure.

To be fully protected, updates are required at many layers of the computing stack and include software and hardware/firmware updates. Microsoft has released several updates to help mitigate these vulnerabilities. Meanwhile, since the issue affects hardware, we may also need to install firmware updates from device manufacturer for increased protection. Please check with device manufacturer for relevant updates.

For Windows client operating systems including Windows 7 Service Pack 1, Windows 8.1, and Windows 10, Microsoft suggests to:

  • Verify that you are running a supported antivirus application before you install OS or firmware updates. Contact the antivirus software vendor for compatibility information.
  • Apply all available Windows operating system updates, including the January 2018 Windows security updates.
  • Apply the applicable firmware update that is provided by the device manufacturer

You can check the status with different tools, also with PowerShell, as demonstrated in this page: https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

Note that there are several Windows 10 version, each with different patches:

  • Windows 10 1709 and Windows Server 1709: 4056892 January 3, 2018—KB4056892 (OS Build 16299.192) 2018-01 Update for Windows 10 Version 1709 (KB4058702)
  • Windows 10 1703 and Windows Server 1703: 4056891 January 3, 2018—KB4056891 (OS Build 15063.850)
  • Windows 10 version 1607 and Windows Server 2016: 4056890 January 3, 2018—KB4056890 (OS Build 14393.2007)
  • Windows 10 version 1511: 4056888 January 3, 2018—KB4056888 (OS Build 10586.1356) 2018-01 Cumulative Update for Windows 10 Version 1511 (KB4056888)
  • Windows 10 version 1507: 4056893 January 3, 2018—KB4056893 (OS Build 10240.17738) 2018-01 Cumulative Update for Windows 10 Version 1507 (KB4056893)
For Windows server operating systems including Windows Server 2008 R2 Service Pack 1, Windows Server 2012 R2, and Windows Server 2016, Microsoft suggests to:
  • Apply the Windows operating system update.
  • Make necessary configuration changes to enable protection.
  • Apply an applicable firmware update from the OEM device manufacturer.

Your server is at increased risk if it is in one of the following categories:

  • Hyper-V hosts
  • Remote Desktop Services Hosts (RDSH)
  • For physical hosts or virtual machines that are running untrusted code such as containers or untrusted extensions for a database, untrusted web content or workloads that run code that is provided from external sources.
For Windows Server 2008, Windows Server 2012, please make the system up-to-date and pay close attention to the official article for latest updates: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
Operating system version Update KB
Windows Server, version 1709 (Server Core Installation) 4056892
Windows Server 2016 4056890
Windows Server 2012 R2 4056898
Windows Server 2012 Not available
Windows Server 2008 R2 4056897
Windows Server 2008 Not available

Note that customers have to enable mitigations to help protect against speculative execution side-channel vulnerabilities.

To enable the fix

  • reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
  • reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
  • reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization” /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d “1.0” /f
  • If this is a Hyper-V host: fully shutdown all Virtual Machines.
  • Restart the server for changes to take effect.

Enabling these mitigations may affect performance. The actual performance impact will depend on multiple factors, such as the specific chipset in your physical host and the workloads that are running. Microsoft recommends that customers assess the performance impact for their environment and make necessary adjustments.

For AMD processor, note that after the patch, a small subset of older AMD processors remains blocked to avoid users getting into an unbootable state after installation of recent Windows operating system security updates. Please read carefully this Microsoft article.

Anyway you may need then specific protection for some type of workloads, for example:

For both Microsoft has released several updates to help mitigate these vulnerabilities. 

For Azure, Microsoft has already taken steps to address the security vulnerabilities at the hypervisor level to protect Windows Server VMs running in Azure, for more detailed information please check the following link: https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/

The majority of Azure infrastructure has already been updated to address this vulnerability. Some aspects of Azure are still being updated and require a reboot of customer VMs for the security update to take effect. […]

With the public disclosure of the security vulnerability today, we are accelerating the planned maintenance timing and will begin automatically rebooting the remaining impacted VMs starting at 3:30pm PST on January 3, 2018. […]

During this update, we will maintain our SLA commitments of Availability Sets, VM Scale Sets, and Cloud Services. This reduces impact to availability and only reboots a subset of your VMs at any given time. This ensures that any solution that follows Azure’s high availability guidance remains available to your customers and users.

Anyway there are so many services and not only Azure. For example for Office 365 read this interesting blog post.

About the performance impact, see this post: Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems

Share

Virtualization, Cloud and Storage Architect. Tech Field delegate. VMUG IT Co-Founder and board member. VMware VMTN Moderator and vExpert 2010-24. Dell TechCenter Rockstar 2014-15. Microsoft MVP 2014-16. Veeam Vanguard 2015-23. Nutanix NTC 2014-20. Several certifications including: VCDX-DCV, VCP-DCV/DT/Cloud, VCAP-DCA/DCD/CIA/CID/DTA/DTD, MCSA, MCSE, MCITP, CCA, NPP.