Spectre patches highlight January 2018 Patch Tuesday

Microsoft's January 2018 Patch Tuesday brings Meltdown and Spectre patches to users, except those on AMD chipsets or those with incompatible antivirus.

The first Patch Tuesday of 2018 was expected to be a busy one when the industry learned of the fundamental microprocessor flaws known as Meltdown and Spectre, but just as the patches for those flaws didn't go as planned, neither has this Patch Tuesday.

Microsoft's January 2018 Patch Tuesday fixes 56 vulnerabilities, including four bugs that have been publicly disclosed -- three of which were related to Meltdown and Spectre -- and one zero-day flaw found to be actively exploited in the wild.

All evidence pointed to the Meltdown and Spectre patches being planned for release to coincide with the January 2018 Patch Tuesday, but rampant speculation forced those fixes to be pushed out early. And since then, even more snags have led to Microsoft patches not being pushed out to users with certain third-party antivirus products and Microsoft pulling the Spectre patches for AMD systems.

"Microsoft has received reports of some AMD devices getting into an unbootable state after installation of recent Windows operating system security updates. After investigating, Microsoft determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown," Microsoft wrote in an advisory. "To prevent AMD customers from getting into an unbootable state, Microsoft has temporarily paused sending ... Windows operating system updates to devices that have impacted AMD processors."

Microsoft said it is working with AMD to resolve the issues with the Meltdown and Spectre patches as soon as possible.

Chris Goettl, director of product management at Ivanti, an endpoint security vendor headquartered in South Jordan, Utah, said users need to be sure they install the Meltdown and Spectre patches, if possible, and "take this update seriously."

"It is a complex issue that, if left untended, will likely come back to bite you later this year. There are a number of moving parts to these vulnerabilities and a lot of complexity to fully resolve them," Goettl told SearchSecurity. "You can expect threat actors will recognize this fact and expect many environments may not be able to respond before they could possibly exploit them in the wild. There is a lot of proof of concept code out there for them to learn from."

Beyond the Meltdown and Spectre patches

Experts said that aside from the Meltdown and Spectre patches in the January 2018 Patch Tuesday, one other fix stood out as critical for organizations to install -- the patch for a zero-day vulnerability in Microsoft Office (CVE-2018-0802).

According to Microsoft, this bug has been exploited in the wild and could allow an attacker to "run arbitrary code in the context of the current user."

Dustin Childs, communications manager at Trend Micro's Zero Day Initiative, wrote in a blog post that "the attack scenario is relatively straightforward -- convince a user to open a specially crafted Office document. No details about the attacks are provided by Microsoft, but the lack of industry discussion likely means this is being used in a targeted attack."
