According to a Microsoft security advisories [1, 2], these are the Windows security updates that address the Meltdown and Spectre flaws for various Windows distributions. Operating System Version. The big picture: Spectre and Meltdown had a lot of security researchers’ jaws dropping and had the tech community in a bit of a frenzy. But there’s little need to panic over these new attacks. 'Researchers simply followed the thread left by Spectre and Meltdown — this isn't a completely new class of vulnerabilities,' says Matthew Chiodi, vice president of cloud security at RedLock.
Today is the second Tuesday of the month, which means that it’s Patch Tuesday, which happens to be the first for 2019. Microsoft releases cumulative updates for all supported versions of Windows on Patch Tuesday. That includes Windows 7 and Windows 8.1, along with corresponding Windows server versions of those operating systems. As for Windows 10, all version but for version 1511 will receive the update, as support for that version ended in April 2018.
The monthly rollup that is heading out to users on Windows 7 SP1 and Windows Server 2008 R2 SP1 is KB4480970, and can be downloaded from here. Here is the changelog for the update:
- Provides protections against an additional subclass of speculative execution side-channel vulnerability known as Speculative Store Bypass (CVE-2018-3639) for AMD-based computers. These protections aren't enabled by default. For Windows client (IT pro) guidance, follow the instructions in KB4073119. For Windows Server guidance, follow the instructions in KB4072698. Use these guidance documents to enable mitigations for Speculative Store Bypass (CVE-2018-3639). Additionally, use the mitigations that have already been released for Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754).
- Addresses a security vulnerability in session isolation that affects PowerShell remote endpoints. By default, PowerShell remoting only works with administrator accounts, but can be configured to work with non-administrator accounts. Starting with this release, you cannot configure PowerShell remote endpoints to work with non-administrator accounts. When attempting to use a non-administrator account, the following error will appear:
“New-PSSession: [computerName] Connecting to remote server localhost failed with the following error message: The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered. For more information, see the about_Remote_Troubleshooting Help topic.”
- Security updates to Windows Kernel, Windows Storage and Filesystems, Windows Wireless Networking, and the Microsoft JET Database Engine.
However, there is one known issue that you might have to be aware of:
| Symptom | Workaround |
|---|---|
| After you apply this update, the network interface controller may stop working on some client software configurations. This occurs because of an issue related to a missing file, oem | 1. To locate the network device, launch devmgmt.msc. It may appear under Other Devices. 2. To automatically rediscover the NIC and install drivers, select Scan for Hardware Changes from the Action menu.
|
The security-only update for these operating systems is KB4480960 and can be downloaded manually from here.
For Windows 8.1 and Windows Server 2012 R2, the monthly rollup that you will get is KB4480964 and can be downloaded manually from here. It is to be noted that the changelog for this update is almost exactly the same as that for Windows 7 and Windows Server 2008, but for the last list item.
In addition to the first two fixes, here is what’s fixed according to the changelog:
- Security updates to Windows App Platform and Frameworks, Windows MSXML, Windows Kernel, Windows Storage and Filesystems, Windows Wireless Networking, and the Microsoft JET Database Engine.
For this version as well, Microsoft has listed one known issue that you need to be aware of before installing this update:
| Symptom | Workaround |
|---|---|
| After installing this update, third-party applications may have difficulty authenticating hotspots. | Microsoft is working on a resolution and estimates a solution will be available mid-January. |
The security-only update is KB4480964 and can be downloaded manually from here.
Lastly, Windows Server 2012 is receiving the KB4480975 monthly rollup. You can download the update manually from here. Here is the changelog:
- Provides protections against an additional subclass of speculative execution side-channel vulnerability known as Speculative Store Bypass (CVE-2018-3639) for AMD-based computers. These protections aren't enabled by default. For Windows Server guidance, follow the instructions in KB4072698. Use this guidance document to enable mitigations for Speculative Store Bypass (CVE-2018-3639). Additionally, use the mitigations that have already been released for Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754).
- Addresses a security vulnerability in session isolation that affects PowerShell remote endpoints. By default, PowerShell remoting only works with administrator accounts, but can be configured to work with non-administrator accounts. Starting with this release, you cannot configure PowerShell remote endpoints to work with non-administrator accounts. When attempting to use a non-administrator account, the following error will appear:
Microsoft Spectre Patch
“New-PSSession: [computerName] Connecting to remote server localhost failed with the following error message: The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered. For more information, see the about_Remote_Troubleshooting Help topic.”
- Security updates to Windows App Platform and Frameworks, Windows MSXML, Windows Kernel, Windows Storage and Filesystems, Windows Wireless Networking, and the Microsoft JET Database Engine.
The changelog is very similar to that of the Windows 8.1 and Server 2012 R2 but for the first line item and contains the same known issue that you need to be aware of before you go ahead and install this update.
Windows 7 Spectre Patch
The security-only update for this version is KB4480972 and can be downloaded from here.