Latest

Here’s the Status of Meltdown and Spectre Mitigations in Windows

Yesterday’s Patch Tuesday release included fixes for the latest Spectre vulnerability, known as Spectre variant 4, or SpectreNG. These patches are currently not available for all Windows versions, though, and all mitigations are disabled by default. Only Windows 10, Windows Server 2016, Windows 7, and Windows Server 2008 R2 have received SpectreNG patches. Meltdown and […]


Meltdown and Spectre logos

Yesterday’s Patch Tuesday release included fixes for the latest Spectre vulnerability, known as Spectre variant 4, or SpectreNG.

These patches are currently not available for all Windows versions, though, and all mitigations are disabled by default.

Only Windows 10, Windows Server 2016, Windows 7, and Windows Server 2008 R2 have received SpectreNG patches.

Meltdown and Spectre patching is a mess

Furthermore, because of a constant stream of Meltdown and Spectre patching that has been going on for the last six months, it’s been getting harder and harder for users to keep track of what patches they’ve received, what patch needs manual intervention, and which ones cause issues.

To help system administrators with these confusing issues, Microsoft has published a table yesterday that contains the status of each of the Meltdown and Spectre patches it released since January 3, this year.

Readers are advised that the table assumes they are running a Windows version with all the security patches installed and up to date, including yesterday’s June 2018 Patch Tuesday updates train.

If you’re running an OS version where patches are disabled by default, the user must visit the linked KB article for additional information on how to enable the associated mitigation, if the user deems it necessary and in his threat model.

Operating System CVE-2017-5715 (Spectre variant 2) CVE-2017-5754 (Meltdown) CVE-2018-3639 (Spectre variant 4 aka SpectreNG)
Windows 10 Enabled by default Enabled by default Disabled by default – see ADV180012
Windows Server 2016 Disabled by default – see KB4072698 Disabled by default – see KB4072698 Disabled by default – see ADV180012
Windows 8.1 Enabled by default Enabled by default Not applicable
Windows Server 2012 R2 Disabled by default – see KB4072698 Disabled by default – see KB4072698 Disabled by default – see ADV180012
Windows RT 8.1 Enabled by default Enabled by default Not applicable
Windows 7 Enabled by default Enabled by default Disabled by default – see ADV180012
Windows Server 2008 R2 Disabled by default – see KB4072698 Disabled by default – see KB4072698 Disabled by default – see ADV180012
Windows Server 2008 Enabled by default Enabled by default Not applicable

Besides the above table, Microsoft has also admitted that some Meltdown and Spectre patches are still causing issues. Below is a list of known issues, which the company is currently working to address:

Knowledgebase article Issue
KB4284880 Reliability issues have been observed during the creation of shielded VMs and the required artifacts for their deployment. There are also reliability issues for the Shielding File Wizard with or without the SCVMM interface.
KB4284819 1) Some non-English platforms may display the following string in English instead of the localized language: ”Reading scheduled jobs from file is not supported in this language mode.” This error appears when you try to read the scheduled jobs you’ve created and Device Guard is enabled.
2) When Device Guard is enabled, some non-English platforms may display the following strings in English instead of the localized language:

  • “Cannot use ‘&’ or ‘.’ operators to invoke a module scope command across language boundaries.”
  • “‘Script’ resource from ‘PSDesiredStateConfiguration’ module is not supported when Device Guard is enabled. Please use ‘Script’ resource published by PSDscResources module from PowerShell Gallery.”
KB4284835 Some users running Windows 10 version 1803 may receive an error “An invalid argument was supplied” when accessing files or running programs from a shared folder using the SMBv1 protocol.
KB4284826 1) A stop error occurs on computers that don’t support Streaming Single Instructions Multiple Data (SIMD) Extensions 2 (SSE2).
2) There is an issue with Windows and third-party software that is related to a missing file (oem< number >.inf). Because of this issue, after you apply this update, the network interface controller will stop working.
KB4284867 Same as above.
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Most Popular

To Top