Windows Spectre/Meltdown Vulnerability Mitigation

 November 12, 2019 

WHAT YOU NEED TO KNOW 

In May 2019, eVMS scans began discovering Windows computers that are vulnerable to newer variations of Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) vulnerabilities. These vulnerabilities have been updated and require additional remediation steps to resolve.

• Install the latest OS Security Updates:  The ePatching baselines can be used to ensure necessary patches are installed each month.  
• Intel MicroCode Update Patches: The Intel MicroCode update patches, which are not classified as security updates, were successfully deployed to fast ring test systems in the October ePatching cycle and will be deployed to remaining systems during the November ePatching cycle. 
• Enable protections using Registry updates:  
  • Evaluate Risk: Evaluate the risk to environments based on the information that is provided on Microsoft Security Advisories: ADV180002, ADV180012, ADV190013 and information provided in Knowledge Base articles KB4073119 and KB4072698.   
    Note: Microsoft states that these changes can impact performance, especially for systems running on Hyper-V. 
  • Microsoft KB4073119 and KB4072698 Registry fixes: The Intel MicroCode Update Patches should be applied before registry fixes are applied.  Both require the application of a patch, and a corresponding registry fix. 
• Apply available vendor Firmware/BIOS Update: Best practice is to assure systems are at the latest supported BIOS version 

WHAT YOU NEED TO DO 

Local IT should do the following for all systems in their environment:

• Intel MicroCode Updates – Local IT that wish to apply this ahead of the November ePatching cycle should apply patches to their systems using one of the two methods below. 
  • BigFix Fixlets:
    • 4494174: Intel microcode updates – Windows 10 Version 1809 – KB4494174 (x64) (V2.0)
    • 4494174: Intel microcode updates – Windows 10 Version 1809 – KB4494174 (V2.0)
    • 4494453: Intel microcode updates – Windows 10 Version 1703 – KB4494453 (x64) (V3.0)
    • 4494452: Intel microcode updates – Windows 10 Version 1709 – KB4494452 (x64) (V3.0)
    • 4494451: Intel microcode updates – Windows 10 Version 1803 – KB4494451 (x64) (V2.0)
    • 4494175: Intel microcode updates – Windows Server 2016 – KB4494175 (x64) (V3.0)
    • 4494175: Intel microcode updates – Windows 10 Version 1607 – KB4494175 (x64) (V3.0)
    • 4494174: Intel microcode updates – Windows Server 2019 – KB4494174 (x64) (V2.0)
    • 4494451: Intel microcode updates – Windows 10 Version 1803 – KB4494451 (x64)
  • MECM update group: GS-ENT-2019-10-Intel MicroCode Updates 
• Microsoft KB4073119 and KB4072698 Registry fixes 
  • Ensure Intel MicroCode Updates are installed before applying registry changes.  The ePatching team is advocating the use of BigFix Fixlets to deploy the  relevant registry fixes AFTER the Intel Microcode has been installed on the machine, as a GPO may not be the most optimal solution. Sites should test these changes before deploying to large numbers of systems. 
    • Windows Server 2008-2016 should use: 
      • 4072698: Enable mitigations to help protect against CVE 2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2), CVE-2017-5754 (Meltdown),(CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130)  – Windows Server 2008 / Windows Ser
      • 
    • Windows 7/8/10 should use: 
      • 4073119: Enable mitigations to help protect against CVE 2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2), and CVE-2017-5754 (Meltdown),(CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130)  – Windows 7 / Windows 8.1 / Win
    • Alternatively, registry changes can be applied manually, if desired.
• Apply available vendor Firmware/BIOS Update: Local IT should apply latest vendor supported BIOS version

Send questions to gs_epatching@usgs.gov.