Fixing the Meltdown and Spectre vulnerabilities

Fixing the Meltdown and Spectre vulnerabilities

Two days ago, Graz University of Technology published a paper describing a pair of attacks on common microprocessors.

The underlying vulnerability affects Intel, AMD, and ARM processors. All contemporary microprocessors pre-execute instructions.

In other words, the vulnerability bypasses address space isolation. Address space isolation has been a foundation for processor integrity since the 1980s.

Microsoft yesterday released an emergency patch for Windows 10 to address this prior to Patch Tuesday, which incorporates KAISER in KB4056892. Other versions will receive the update on January 9 as scheduled.

Why do these vulnerabilities matter to me?

These vulnerabilities take advantage of a basic process used by all modern CPUs to help speed up requests. They take advantage of the timing of various instructions so they can see the information – whether that’s proprietary corporate data or sensitive personal information.

I’m trying to patch and can’t see the update??

Don’t worry, it’s not just you.

Microsoft has implemented a new requirement for a Registry Key that must be installed to enable automated Windows updates. The idea is to ensure installed endpoint security software is compatible with the patches.

This is not a Trend Micro bug and we are not “fixing” our product. We are providing instructions and tools to enable that compatibility check in a product update.

For users to install the key, Trend Micro recommends a few options:

  • IT/system administrators can manually create and deploy the registry key (ALLOW REGKEY) to unblock the delivery of patches
  • Trend Micro customers and users can download the update packages directly from the Windows Update Catalog if they are unavailable via Windows Update
  • Apply an update for the Trend Micro security product that will enable the ALLOW REGKEY needed through Windows Update

What to expect when installing the patch

There’s been a lot of talk about the hit to performance when the ability to read information early is taken away. Don’t fret, most PCs and VMs will not see much degradation. Here’s what you need to know based on your environment:

  • Cloud-based systems: Likely will see some slight elongation in response time. While processors will run more slowly, they (and the local memory and disk) are on the other side of the Internet.
  • Local processing for compute-intensive workloads: You may see a more significant impact. Heavy processes and big data analytics benefit most from this processing feature. Without it, running these processes will take more time.
  • Home users: Most consumers will not notice the change. If you’re gaming a lot or use heavy graphics component, then the same rules apply as for organizations.

This is not just a Microsoft problem, however. All other operating system vendors will be issuing patches that install as usual.

For everyone – whether you’re a system administrator for a very large enterprise, or you have a single home computer – install this patch as soon as it’s available from your vendor. For consumers, enabling auto update ensures that patches install as soon as they’re available to your computer.

Trend Micro customers can learn more specifics about what we’re doing to make this Microsoft requirement as smooth as possible here for businesses and here for consumers.