The fallout continues from Intel’s Spectre firmware update coupled with Microsoft’s patch cycle. Microsoft just released a new patch that disables Intel’s firmware update citing random reboots as an issue with the Spectre patches.
So, where do we stand now?
- While Spectre and Meltdown are considered pretty massive security flaws, there aren’t any reported exploits utilizing these security flaws yet. They’re coming, I’m sure. But the timer is still running.
- Intel’s microcode to fix Spectre is reportedly causing random reboots. Apply this firmware with care.
- The Intel CPU firmware updates for Spectre simply allows the OS kernel to disable the Spectre security flaw. Spectre is still a problem unless the OS chooses to mitigate against it. Windows disables the Spectre firmware protections by default for servers (arguably where it is needed). This is something Linus Torvalds had some “choice words” to describe.
- The jury is still out on the impact of the new Spectre updates on workstations. Initial results indicated that workstations wouldn’t see any impact but we’ve heard some reports of machines becoming slow after applying the Spectre firmware update. Unfortunately, reports are mixed across the board so do some review before updating firmware on client machines.
- Microsoft has created a bunch of registry keys that allow you to enable to disable the Spectre mitigation after applying the latest Windows patches and the updated CPU firmware.
We have included scripts for Kaseya that enable or disable the Spectre patch on servers and workstations.
So What Do You Want To Do?
If you want to protect servers from Spectre:
- You need to update to the latest CPU firmware released from your PC manufacturer. Assuming it was released in the last month then it probably contains the microcode to make the processor capable to mitigate Spectre.
- You will need to execute our script (or update the registry key manually) to enable the Spectre mitigation. Script can be downloaded here.
- Your server and all virtual machines (if it is a VM host) will need to be fully rebooted to enable the Spectre mitigation.
- If you’re working with Hyper-V then this article from Microsoft talks about applying Spectre protections to host and virtual machines in this article here.
If you want to disable Spectre mitigation on servers:
- Regardless of if you have updated your CPU firmware, no further steps are needed unless you have previously enabled Spectre mitigations. Microsoft is disabling Spectre mitigations by default even with all the latest patches installed.
- If you enabled Spectre mitigations and wish to revert back to a pre-firmware updated state, then install the out-of-band KB from Microsoft. You can use our script to deploy it here. This KB is ONLY useful on Firmware patched Intel CPUs that have had Spectre mitigations enabled on that machine.
- Alternatively you can also Disable Spectre Mitigations via registry key with the following script.
If you want to enable Spectre mitigation on Workstations:
- Microsoft will enable Spectre mitigation by default on Workstations that have the latest Microsoft updates applied.
- Install updated CPU firmware from your PC vendor.
- Fully reboot the workstation for the update to apply.
If you wish to disable Spectre mitigation on Workstations:
- The easiest way to side-step this issue is to simply not update to the latest Intel firmware for the time being. This will ensure Spectre mitigation is disabled.
- If you updated firmware then use our script to disable the registry keys for Spectre firmware or download and run the out-of-band KB patch on the workstations you wish to have disabled.
What if I have AMD machines?
Less information is being published about AMD. They have released applicable firmware in January and currently we recommend installing the firmware. Microsoft has not released anything special for AMD processors. Using the scripts we have for Intel CPUs will also enable or disable Spectre mitigations on AMD CPUs.
What if I just want to wait this whole thing out?
- Disable Spectre / Meltdown patching across the board.
- Enable Spectre / Meltdown patching across the board.
So What Is The Recommendation?
Honestly, it is still up in the air as to what direction to take. Servers operating as Virtual Hosts are the most likely to be targeted in a Meltdown / Spectre attack since they are the most likely to divulge something of interest. Ironically, they are also the machines hit the hardest performance-wise when the security patches are applied.
All we can say here at Virtual Administrator is to keep your ears to the ground and test test test.
We are recommending creating internal projects in your organization and reviewing on a client by client basis to see if the new Spectre firmware is impacting performance as much as people are worried about online. Keep your sample size small and move in chunks so you can enable and disable the Spectre mitigations in a controlled manner. If there are no significant adverse effects then you’re good to go and can move on with your life for the time being. But if you run into the reported random reboots or significant slow-downs then use the scripts above to back off so you can consider other options or wait for a solution to become available.
