News

Windows Analytics Now Has Tools for Tracking Meltdown and Spectre Progress

• By Kurt Mackie
• 02/13/2018

Microsoft has added capabilities to its Windows Analytics tools that can help IT pros check on the status of client device Meltdown and Spectre protections, according to a Tuesday announcement.

Meltdown and Spectre are attack methods that affect most computer processors made by AMD, ARM and Intel. They tap a "speculative execution" process used by the processor that can be exploited to extract restricted information from the operating system's kernel, including passwords and encryption keys. Those attack methods were published last month, and while researchers back then hadn't detected exploits in the field, AV-Test this month found malware samples using the techniques.

Windows Analytics is a subscription-based service originally designed for public cloud management tasks. Microsoft also added client monitoring tools to it, particularly in the service's Upgrade Compliance and Upgrade Readiness components, which can be used without cost.

The new additions to those Windows Analytics dashboard-like tools include Meltdown and Spectre checks on the state of the firmware that's installed on devices. Right now, it just detects if Intel microcode updates were applied, but Microsoft plans to add checks for other chips, as well. The Windows Analytics tools also have checks for the status of security updates to the Windows operating system, as well as anti-virus compliance status. The tools also will report if a registry setting change was made to block a problematic Spectre variant 2 microcode update.

In addition to the Windows Analytics tools, which provide a graphical picture of the Meltdown and Spectre mitigation status, Microsoft earlier published PowerShell scripts to verify that such protections are enabled. The scripts are listed in Microsoft's "Windows Client Guidance" document to protect against side-channel attack methods.

The patch process to address Meltdown and Spectre has been a bumpy ride at best, and it likely will take some IT energy to track compliance. The computer industry has responded as a team by issuing patches (both for the processor and operating system), but there have been notable flubs along the way.

The microcode or firmware protections for Meltdown and Spectre get issued by AMD, ARM and Intel, but then must be tested by original equipment manufacturer partners before being released. Operating system makers, both for Linux and Windows, also are releasing OS updates to address the vulnerabilities. In addition, Microsoft has a specific requirement for anti-malware software makers to certify that their products aren't making "unsupported calls into Windows kernel memory" before it will release Windows updates to systems to address the Meltdown and Spectre attack methods.

To use the Windows Analytics tools to check anti-malware compatibility, the following client updates need to be installed, according to Microsoft's announcement:

• Win7 SP1: KB2952664
• Win8.1: KB2976978
• Win10: KB4033631

These updates apparently transmit telemetry information to Microsoft. In some cases, they are part of Microsoft's Customer Experience program.

Firmware updates from chipmakers have had problems early on. Some AMD-based machines got bricked after OS updates were installed on PCs, although Microsoft later addressed the issue. In addition, microcode updates to Intel machines caused more frequent reboots in some cases. In response to the latter problem, Microsoft published registry changes to block the Spectre variant 2 mitigation, but IT pros applying that temporary fix have to remember to edit the registry again should Intel release updated microcode.