A good website for a description of Meltdown and Spectre CPU attacks is here:
What does this mean for home computer users?
In short, check your manufacturer’s website for updates. You’ll likely have driver and bios updates available. This is something you should be doing anyway. Make sure your antivirus program is UP TO DATE. Your antivirus software needs to set a new registry key. Not having up-to-date antivirus software will prevent you from getting windows updates. The registry key is:
Apple users, you’re not immune from this one. You will have updates as well. You don’t have to worry about registry keys.
How to check if your Antivirus vendor will set the update flag in the registry:
Cybersecurity Vulnerability Manager Kevin Beaumont has created a spreadsheet that tracks antivirus vendors and their key status. It’s available here:
What does this mean for servers?
The same as for desktops, plus some additional fun with the registry. For desktop operating systems, downloaded updates will be enabled automatically. For windows server operating systems, you will need to set two registry keys, and if your server is a hyper-V host, you’ll need to set an additional key. You can set all three keys an all servers, the extra key won’t hurt anything. Your antivirus must set the same key as desktops above. Create a GPO with all the keys if you’re on a domain so you don’t have to set it on each computer individually.
The keys are:
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization” /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d “1.0” /f
If this is a Hyper-V host and the firmware updates have been applied: fully shutdown all Virtual Machines (to enable the firmware related mitigation for VMs you have to have the firmware update applied on the host before the VM starts).
Restart the server for changes to take effect.
How do you check the status of your server?
Microsoft has released a powershell add-on you that can use to check if your server installed the updates correctly. If you’re running an older version of powershell you’ll need to download an add-on first.
Then run powershell as administrator and type:
(You’ll need to hit “Y” twice)
Now, you know can run a second Powershell command that actually checks your system:
If your drivers, bios, and updates are all installed, you should be seeing all green and “true”. If not, you’ll have some red, and some investigating to do to see what’s missing. Note that for older servers the hardware fixes may not be released yet.
More information from Microsoft is available here.