January 2018 Security Updates (Meltdown and Spectre)

Follow

Daniel Swinford

• January 04, 2018 17:00

Will you be adding the patches required to address the Intel (Meltdown and Spectre) vulnerability?

 

 

 

 

0

• 

  Wendy Fordham

  • January 04, 2018 18:46

  I came here to look for this specific question...

  0

  Comment actions Permalink
• 

  Jamie Voto

  • January 04, 2018 19:56

  A custom Windows Update collection library like what was done with the WannaCrypt patch last year would be helpful as well.

  0

  Comment actions Permalink
• 

  Stephen Valdinger

  • January 04, 2018 20:02

  They addressed this in the webcast today. There is a LOT of speculation floating around the internet right now, and Microsoft is working on patches. Once they are available they will be released to the package library from what I understand. 

  This will likely have a Collection in Inventory as well if I know them. If not I'm sure one can be created and the XML posted here, but I will wait for an official response.

  0

  Comment actions Permalink
• 

  Daniel Swinford

  • January 04, 2018 20:04

  Microsoft released a patch yesterday which is why I was asking

  0

  Comment actions Permalink
• 

  Colby Bouma

  • January 04, 2018 20:07

  We are working on it right now. All packages go through a thorough QA process, so it takes some time.

  0

  Comment actions Permalink
• 

  Jamie Voto

  • January 04, 2018 20:10

  Patches were released yesterday.  Good to hear that at least they are working on a package.  What about a custom group collection library? 

  0

  Comment actions Permalink
• 

  Daniel Swinford

  • January 04, 2018 20:54

  Thanks for the reply Colby. I appreciate it!

  0

  Comment actions Permalink
• 

  Nathan Lin

  • January 05, 2018 17:06

  Any status on the packages?

  0

  Comment actions Permalink
• 

  Heath Grim

  • January 07, 2018 03:04

  I just wanted to let everyone know that I am running ESET Endpoint Antivirus in our environment and they were one of the first companies to be compatible with the Microsoft patches released on 1/3.  So I deployed the Windows 10 and Windows 7 cumulative patches from PDQ and 98% of my devices updated without an issue.  However, the last 2% gave me a nice BSOD during the required reboot.  After doing some research, I found that PCs with older AMD Athlon processors are having issues with this patch.  So if you have old AMD devices in your environment, be careful deploying this patch or hold off altogether.  Luckily, I was able to use System Restore to get the PCs up and running but it was still a headache!  What bothers me even more is that these old devices are being replaced in about a month.  Talk about bad timing!

  https://answers.microsoft.com/en-us/windows/forum/windows_7-update/stop-0x000000c4-after-installing-kb4056894-2018-01/f09a8be3-5313-40bb-9cef-727fcdd4cd56?auth=1

  0

  Comment actions Permalink
• 

  Greg Mills

  • January 17, 2018 10:50

  Does anyone have any update on this? I'd like to be able to use PDQ Inventory to audit my estate and report those devices that have not been patched against Spectre and Meltdown. I can appreciate the patches themselves may not yet be available, but an audit would tell us how big the problem is and we could then manually patch critical systems.

  Thanks

  0

  Comment actions Permalink
• 

  Heath Grim

  • January 17, 2018 13:28

  Before I deployed the Microsoft patches, I first created a new registry scan profile that searched for the following key and value name.  If it existed, then I knew our anti-virus was compatible with the patches.  I then created two collections; one for devices that did not contain this value and one that contained the value.  Once I scanned all of my devices with the new registry scan profile, I was able to see which devices were compatible and which ones were not.  This worked for me except for the few older AMD devices that gave me the BSOD.

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\QualityCompat\cadca5fe-87d3-4b96-b7fb-a231484277cc

  0

  Comment actions Permalink
• 

  Daimon Oberholtzer

  • January 17, 2018 13:58

  If you are just looking for a simple way to check for the related Windows Updates I created a simple Collection to check for the presence of the Hotfixes (KB4056894 and KB4056897):

  

  You can of course add additional values to look for but this could be a good start.

  0

  Comment actions Permalink
• 

  Greg Mills

  • January 17, 2018 14:36

  Hi Daimon, that is exactly what I'm looking for, thanks. Although I was hoping PDQ would push something out via an update or whatever. Given the importance of this vulnerability I'd have thought the providers of all patch management solutions would have been falling over themselves to advertise that they have things in hand.

  Cheers

  1

  Comment actions Permalink
• 

  Ericc Diaz

  • January 17, 2018 18:01

  Has anyone figured out how to deploy the Microsoft script via PowerShell to see if the patches and firmware are up to date?

  0

  Comment actions Permalink
• 

  Daimon Oberholtzer

  • January 17, 2018 18:39

  As an example, I created a dynamic collection for each type of System we have and also checked the BIOS to see if it is at the needed version:

  

  0

  Comment actions Permalink
• 

  Ericc Diaz

  • January 17, 2018 19:18

  That's a lot of individual collections. Any way to consolidate?

  0

  Comment actions Permalink
• 

  Daimon Oberholtzer

  • January 17, 2018 19:26

  I had originally created a collection of the system versions we had that were on our vendor's list of updatable BIOS versions and let PDQ pull in the targets:

  

  0

  Comment actions Permalink

Please sign in to leave a comment.