January 2018 Security Updates (Meltdown and Spectre)
Will you be adding the patches required to address the Intel (Meltdown and Spectre) vulnerability?
Comments
I came here to look for this specific question...
A custom Windows Update collection library like what was done with the WannaCrypt patch last year would be helpful as well.
They addressed this in the webcast today. There is a LOT of speculation floating around the internet right now, and Microsoft is working on patches. Once they are available they will be released to the package library from what I understand.
This will likely have a Collection in Inventory as well if I know them. If not I'm sure one can be created and the XML posted here, but I will wait for an official response.
Microsoft released a patch yesterday, which is why I was asking.
We are working on it right now. All packages go through a thorough QA process, so it takes some time.
Patches were released yesterday. Good to hear that at least they are working on a package. What about a custom group collection library?
Thanks for the reply Colby. I appreciate it!
Any status on the packages?
I just wanted to let everyone know that I am running ESET Endpoint Antivirus in our environment and they were one of the first companies to be compatible with the Microsoft patches released on 1/3. So I deployed the Windows 10 and Windows 7 cumulative patches from PDQ and 98% of my devices updated without an issue. However, the last 2% gave me a nice BSOD during the required reboot. After doing some research, I found that PCs with older AMD Athlon processors are having issues with this patch. So if you have old AMD devices in your environment, be careful deploying this patch or hold off altogether. Luckily, I was able to use System Restore to get the PCs up and running but it was still a headache! What bothers me even more is that these old devices are being replaced in about a month. Talk about bad timing!
https://answers.microsoft.com/en-us/windows/forum/windows_7-update/stop-0x000000c4-after-installing-kb4056894-2018-01/f09a8be3-5313-40bb-9cef-727fcdd4cd56?auth=1
Does anyone have any update on this? I'd like to be able to use PDQ Inventory to audit my estate and report those devices that have not been patched against Spectre and Meltdown. I can appreciate the patches themselves may not yet be available, but an audit would tell us how big the problem is and we could then manually patch critical systems.
Thanks
Before I deployed the Microsoft patches, I first created a new registry scan profile that searched for the following key and value name. If it existed, then I knew our anti-virus was compatible with the patches. I then created two collections; one for devices that did not contain this value and one that contained the value. Once I scanned all of my devices with the new registry scan profile, I was able to see which devices were compatible and which ones were not. This worked for me except for the few older AMD devices that gave me the BSOD.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\QualityCompat\cadca5fe-87d3-4b96-b7fb-a231484277cc
If you are just looking for a simple way to check for the related Windows Updates I created a simple Collection to check for the presence of the Hotfixes (KB4056894 and KB4056897):
You can of course add additional values to look for but this could be a good start.
Hi Daimon, that is exactly what I'm looking for, thanks. Although I was hoping PDQ would push something out via an update or whatever. Given the importance of this vulnerability I'd have thought the providers of all patch management solutions would have been falling over themselves to advertise that they have things in hand.
Cheers
Has anyone figured out how to deploy the Microsoft script via PowerShell to see if the patches and firmware are up to date?
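The registry check described two posts up, Daimon's hotfix collection, and the question about running Microsoft's script can be put together in one local audit. This is an added example written for this thread, not a PDQ collection or anything posted by the original authors. It assumes the QualityCompat value name quoted above, the two KB numbers Daimon listed, and Microsoft's SpeculationControl module from the PowerShell Gallery (Get-SpeculationControlSettings), which is optional and skipped if it is not installed. The output object is meant to be collected into a PDQ Inventory PowerShell scanner or a CSV, not acted on automatically.

```powershell
# Added example, not from the original thread. Audits one Windows host for:
#  1. the antivirus compatibility flag that gates the January 2018 updates
#  2. the presence of either hotfix named in the thread
#  3. (optional) Microsoft's SpeculationControl status, if the module is present

$compatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # value name from the thread
$requiredKbs = @('KB4056894', 'KB4056897')                # KBs from Daimon's collection

function Test-AvCompatFlag {
    # Returns $true when the AV vendor (or an admin) has set the value to DWORD 0.
    $item = Get-ItemProperty -Path $compatKey -Name $compatValue -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$compatValue -eq 0)
}

function Get-InstalledRequiredKbs {
    # Get-HotFix reads Win32_QuickFixEngineering; returns the matching KB IDs.
    Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $requiredKbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
}

function Get-SpeculationStatus {
    # Optional: Microsoft's module (Install-Module SpeculationControl). Property names
    # below are the ones the module publishes; assumed absent if the module is missing.
    if (-not (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue)) {
        return $null
    }
    Get-SpeculationControlSettings -Quiet |
        Select-Object BTIHardwarePresent, BTIWindowsSupportPresent, BTIWindowsSupportEnabled,
                      KVAShadowRequired, KVAShadowWindowsSupportPresent, KVAShadowWindowsSupportEnabled
}

function Get-MeltdownSpectreAudit {
    $kbs  = @(Get-InstalledRequiredKbs)
    $spec = Get-SpeculationStatus
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        AvCompatFlagSet   = Test-AvCompatFlag
        InstalledKbs      = ($kbs -join ',')
        OsPatchPresent    = ($kbs.Count -gt 0)
        # Firmware/microcode is separate from the OS patch; $null means module not installed
        BtiHardwarePresent = if ($spec) { $spec.BTIHardwarePresent } else { $null }
        KvaShadowEnabled   = if ($spec) { $spec.KVAShadowWindowsSupportEnabled } else { $null }
    }
}

Get-MeltdownSpectreAudit | Format-List
```

Note that the `-Quiet` switch on Get-SpeculationControlSettings suppresses the module's console narration so only the object is returned; if your copy of the module predates that switch, drop it and the call still works. OsPatchPresent is true when either KB is found because the monthly rollup and the security-only update are alternatives, not both required.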
As an example, I created a dynamic collection for each type of System we have and also checked the BIOS to see if it is at the needed version:
That's a lot of individual collections. Any way to consolidate?
I had originally created a collection of the system versions we had that were on our vendor's list of updatable BIOS versions and let PDQ pull in the targets:
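The BIOS check in the two collections above can be reproduced outside PDQ with a small table of minimum firmware versions per model. This is an added example, not the collection XML the thread refers to; the model names and version strings in the table are constructed placeholders, not a real vendor advisory, and the comparison falls back to ordinal string order for vendors whose BIOS versions are not dotted numbers.

```powershell
# Added example, not from the original thread. Compares the installed BIOS
# version with a per-model minimum taken from the vendor's firmware list.

# Constructed placeholder table: model -> minimum BIOS version with the microcode fix.
$minimumBios = @{
    'ExampleModel 7040' = '1.8.1'
    'ExampleModel 5480' = '1.9.3'
    'ExampleModel A17'  = 'A17'    # non-numeric scheme, handled by the string fallback
}

function Compare-BiosVersion {
    param([string]$Installed, [string]$Minimum)
    # Prefer a real dotted-version comparison; fall back to ordinal strings.
    $a = $null; $b = $null
    if ([version]::TryParse($Installed, [ref]$a) -and [version]::TryParse($Minimum, [ref]$b)) {
        return $a.CompareTo($b)
    }
    return [string]::CompareOrdinal($Installed, $Minimum)
}

function Get-BiosAudit {
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios  = Get-CimInstance -ClassName Win32_BIOS
    $model = $cs.Model.Trim()
    $required = $minimumBios[$model]

    if (-not $required) {
        $status = 'NotInVendorList'       # model unknown: needs a manual look, not silence
    } elseif ((Compare-BiosVersion $bios.SMBIOSBIOSVersion $required) -ge 0) {
        $status = 'FirmwareUpdated'
    } else {
        $status = 'NeedsFirmware'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Manufacturer = $bios.Manufacturer
        Model        = $model
        BiosVersion  = $bios.SMBIOSBIOSVersion
        MinimumBios  = $required
        Status       = $status
    }
}

Get-BiosAudit | Format-List
```

Keeping the version table in one place (or a CSV you import) is what consolidates the many per-model collections the earlier reply complained about: the script answers the same question for any model it knows and flags the ones it does not, rather than needing a collection per BIOS version.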