
Meltdown and Spectre Resources

This page is intended to provide the Northwestern IT community with information and quick links to manufacturer resources surrounding the Meltdown and Spectre vulnerabilities.

Please check back often as this page will be updated as more information becomes available.

Operating Systems

Windows

Current Windows endpoint and server KBs related to the Spectre and Meltdown vulnerabilities:

Windows 10
Windows 8 and Windows Server 2012
Windows 7 and Windows Server 2008

As of 1/18/2018: Microsoft has announced it will resume rolling out patches for AMD devices running Windows 7 SP1 and Windows Server 2008 R2 SP1, Windows 8.1 and Windows Server 2012 R2, and Windows 10, version 1709. Updates for four versions of Windows 10 — 1511, 1607, and 1703 — are still paused, as are updates for Windows Server 2016 and Windows 10 Enterprise.

As of 1/29/18: Microsoft has issued an emergency out-of-band update (KB4078130) that disables the mitigation for Spectre variant 2 (branch target injection) that was included in Intel's buggy microcode updates. Microsoft justified the move by pointing to reports that Intel's new microcode can cause higher than expected reboots.

Known Issues
  • Windows patches for 32-bit systems (x86-based systems) do not provide Meltdown mitigations. This is per Microsoft as of 1/17/2018.
  • Spectre variant 2, branch target injection (CVE-2017-5715) — firmware updates are required to fully address Spectre variant 2.

Patching and Anti-Virus Related Issues with Windows

If you are running third-party anti-virus software that is officially recognized by Microsoft, you will have to wait until that vendor has a product update that can push out the registry key update to your system.

See a complete list of Microsoft officially recognized AV.

macOS and iOS

Apple included mitigations to address Meltdown in its macOS 10.13.2 and iOS 11.2 updates released in December. It has since followed up with additional mitigations addressing Spectre in the just-issued macOS High Sierra 10.13.2 Supplemental Update and iOS 11.2.2 update.

See the Apple Support Article

Known Issues

No reported issues with these updates to date.

Linux

The latest update of the stable Linux kernel (4.14.13) includes patches designed to mitigate Meltdown. More comprehensive patches (including fixes for ARM64 processors) will be available in 4.15, scheduled for release in two weeks. 

Patches have been added to the 4.4 and 4.9 stable kernel trees as well. Canonical has released a second update for Ubuntu 16.04 LTS Xenial users. See the patch with the new kernel image 4.4.0-109.

What has the Linux Community addressed?
  • Meltdown (CVE-2017-5754)
  • Spectre variant 1 (bounds check bypass — CVE-2017-5753) to some degree
  • Spectre variant 2 (branch target injection — CVE-2017-5715) to some degree

What is not yet addressed?
  • Spectre (CVE-2017-5753 and CVE-2017-5715)
    No patches are available for Spectre yet, but work is underway to implement Retpoline, a technique introduced by Google for dealing with the speculative execution issue Spectre relies on. Testing is currently being conducted to assess potential performance impact.
  • Meltdown for 32-bit (x86) machines
  • Work is underway to implement Retpoline, a workaround introduced by Google specifically for dealing with Spectre variant 2.
    • Retpoline does not work on Intel Skylake processors.
    • Retpoline is not yet a complete substitute for applying microcode updates.

Known Issues
  • Patches haven't been released for machines running ARM64 processors: They are expected to be supported with the release of 4.15 in a couple of weeks.
  • Patches bricking Ubuntu 16.04 computers: Boot issues have been reported by Ubuntu users running the Xenial 16.04 series after updating to kernel image 4.4.0-108. New updates with kernel image 4.4.0-109 have since been released which address the issue. 
  • Performance impact: Based on initial testing, performance penalties for the patches are expected to range from single to double digits, depending primarily on how much interaction applications/workloads have with the kernel. You can find more details in benchmark studies conducted by Phoronix and Red Hat.
  • 32-bit support: No Meltdown fix is currently available for 32-bit (x86) systems. Currently, the only recommendation is to move to a 64-bit kernel.
  • Spectre variant 2 mitigations rely on firmware updates: As Intel and AMD continue to work through update difficulties, mitigation remains incomplete.
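
The kernel versions listed in this section can be turned into a quick fleet triage. The following shell script is an added example, not part of the original page or any vendor tooling; the function names, status words and inventory are constructed, and a release older than the versions named here is reported as "check-vendor-advisory" because distributions backport fixes.

```shell
#!/bin/sh
# Added example, not from the original page. Function names, status words and
# the inventory are constructed; version thresholds are the ones named above.

# vkey "4.14.13" -> 4014013, so releases compare as plain integers.
vkey() {
  v=${1%%-*}; major=${v%%.*}; rest=${v#*.}
  case $rest in
    *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
    *)   minor=$rest; patch=0 ;;
  esac
  minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}
  echo $(( major * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# triage_kernel RELEASE ARCH [DISTRO] -> prints one status word (Meltdown only;
# Spectre variant 2 still depends on firmware or Retpoline, per the page).
triage_kernel() {
  rel=$1; arch=$2; distro=${3:-upstream}
  key=$(vkey "$rel")
  case $arch in
    i386|i486|i586|i686) echo "no-meltdown-fix-32bit"; return ;;
    aarch64|arm64)
      if [ "$key" -ge 4015000 ]; then echo "arm64-4.15-or-later"
      else echo "arm64-wait-for-4.15"; fi
      return ;;
  esac
  if [ "$distro" = "ubuntu-xenial" ] && [ "${rel%%-*}" = "4.4.0" ]; then
    abi=${rel#*-}; abi=${abi%%[!0-9]*}; abi=${abi:-0}
    if   [ "$abi" -eq 108 ]; then echo "boot-regression"      # reported boot issues
    elif [ "$abi" -ge 109 ]; then echo "meltdown-patched"
    else echo "update-to-4.4.0-109"; fi
    return
  fi
  # Distribution kernels backport fixes, so an older number is not proof of exposure.
  if [ "$key" -ge 4014013 ]; then echo "meltdown-patched"
  else echo "check-vendor-advisory"; fi
}

# Constructed inventory: host, `uname -r`, `uname -m`, distro label.
inventory='web01 4.4.0-108-generic x86_64 ubuntu-xenial
web02 4.4.0-109-generic x86_64 ubuntu-xenial
db01 4.14.13 x86_64 upstream
db02 4.9.70 x86_64 upstream
kiosk 4.14.13 i686 upstream
edge01 4.14.13 aarch64 upstream'

echo "$inventory" | while read -r host rel arch distro; do
  printf '%-7s %-18s %s\n' "$host" "$rel" "$(triage_kernel "$rel" "$arch" "$distro")"
done
```
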

Browser Update

Google, Mozilla, Apple, and Microsoft have all either issued or scheduled new updates for their browsers to reduce the risk from these vulnerabilities.

Chrome

Google has announced it will be including mitigations for Spectre starting with Chrome 64, which will be released on or around January 23. In the meantime, Chrome users are advised to turn on site isolation, which can help prevent a site from stealing data from another site.

  • UPDATE (1/25/18): Google has officially released Chrome 64 for Windows, Mac, and Linux. The update does include a patch to address Spectre, although Google did not provide technical details, stating simply "this release contains additional mitigations against speculative side-channel attack techniques."

Firefox

Mozilla has already issued Firefox version 57.0.4, which helps address Spectre. Firefox users can take an additional precaution by enabling site isolation as well.

Safari

Apple has released Safari 11.0.2 to specifically mitigate the effects of Spectre.

IE and Edge

Microsoft has made changes to both Internet Explorer 11 and Microsoft Edge to mitigate Spectre.

Firmware Updates

Intel

Intel has continued to release firmware updates for specific processors, and updates can be downloaded directly from Intel.

Known issues
  • Older Broadwell and Haswell CPUs experiencing sudden reboots: Intel has confirmed that the company has received reports of glitches resulting from the firmware update on systems running Intel Broadwell and Haswell CPUs.
  • As of 01/18/2018: Machines with newer CPUs also experiencing sudden reboots: Intel has since confirmed the firmware update is causing machines with Ivy Bridge, Sandy Bridge, Skylake, and Kaby Lake processors to suffer unwanted reboots, too.
  • Performance impact: Statements regarding the potential performance impact of those updates have been inconsistent, but the company has most recently said the patches are slowing processors down by six percent in certain situations. Update (1/18/18): Intel has shared more details on performance impact based on specific workloads in a chart you can find here.
  • As of 1/22/18: Intel is now recommending that customers NOT apply the firmware update! See the notice from Intel at https://newsroom.intel.com/news/root-cause-of-reboot-issue-identified-updated-guidance-for-customers-and-partners/
  • As of 1/24/18: HP and Dell have removed their latest BIOS updates until Intel issues new stable firmware.
  • As of 1/29/18: Microsoft has issued an emergency out-of-band update (KB4078130) that disables the mitigation for Spectre variant 2 (branch target injection) that was included in Intel's buggy microcode updates.

AMD

As of 1/12/2018: AMD has officially acknowledged that its processors are vulnerable to both variants of Spectre, but not Meltdown. While the company says OS patches are enough to mitigate Spectre variant 1, it will be rolling out optional microcode updates this week, starting with fixes for Ryzen and EPYC processors. See the AMD website for details at https://www.amd.com/en/corporate/speculative-execution

Known Issues
  • Windows OS update compatibility issues: Microsoft has received numerous reports of PCs running AMD processors not booting after installing the latest Windows security update. After investigating, the company confirmed there are issues — specifically with AMD Opteron, Athlon, and AMD Turion X2 Ultra families — and temporarily stopped delivering the update to AMD devices. AMD says it is working with Microsoft to resolve the issue.
  • Instructions for getting your machines back up and running if you experienced problems after an update are available on the Microsoft Support site.

IBM

Firmware patches for POWER7+, POWER8, and POWER9 platforms are all currently available at https://www-945.ibm.com/support/fixcentral/

IBM states that POWER7 patches will be available in February along with their operating system patches, and that AIX patches will be available starting January 26, 2018.

Last Updated: 1 February 2018
