Note that Windows systems without an antivirus product do not appear to receive the ADV180002 update automatically, because nothing on the system sets the compatibility registry value that Windows Update checks before offering the update. To make such a system eligible for the update through Windows Update, run the following command:

    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" /v cadca5fe-87d3-4b96-b7fb-a231484277cc /t REG_DWORD /d 0 /f

If a third-party antivirus product does not explicitly indicate compatibility with the protections provided by ADV180002 by setting the above registry value, the system will not automatically receive the ADV180002 update, nor any other update from Microsoft via Windows Update, until the value is present. The value exists because some antivirus products made unsupported kernel memory accesses that crash (Stop error) once the kernel changes are in place, so confirm with your antivirus vendor before setting it by hand.

Installing the ADV180002 update is not sufficient on Windows Server: the mitigations are disabled until they are explicitly activated with the following registry changes, followed by a restart. (Windows client editions enable them by default.)

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

On Hyper-V hosts, additionally run:

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

Also note that, in addition to the above changes, ADV180002 requires CPU microcode updates to achieve full protection; in particular, the branch target injection mitigation for CVE-2017-5715 (Spectre variant 2) depends on them. In some cases, Windows Update may not automatically install the ADV180002 update. An unofficial spreadsheet of antivirus vendor compatibility with this update is maintained here: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true On systems that have not received the ADV180002 update automatically, you may have to install the update manually. Please see https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution for more details.

To verify that your Windows system has protections against Meltdown and Spectre variant 2, in a PowerShell session running with Administrator privileges, run:

    Install-Module SpeculationControl
    Get-SpeculationControlSettings

If Install-Module fails, you may need to install the PackageManagement PowerShell modules. If it still fails, you may need to change your PowerShell ExecutionPolicy setting:

    Set-ExecutionPolicy RemoteSigned

Once you are satisfied with the PowerShell output, you can revert the ExecutionPolicy setting back to the default Restricted setting by running:

    Set-ExecutionPolicy Restricted

The output of Get-SpeculationControlSettings indicates whether the CPU has the required microcode update, whether Windows has the required software update installed, and whether the mitigations are enabled. With the two exceptions explained below, any line that reports "False" is an indicator of incomplete protection from Meltdown and/or Spectre. For example, a system that has the ADV180002 update properly installed and enabled, but is missing the CPU microcode update needed to fully enable the protections, will report "Hardware support for branch target injection mitigation is present: False" while the Windows OS support lines report True. Once the CPU microcode is updated on such a system (e.g. by way of a BIOS update), the hardware support line and the corresponding "enabled" line both report True, which indicates that the protections Microsoft has released are fully enabled. If the output indicates "Windows OS support for PCID optimization is enabled: False", this is a symptom of using a processor that doesn't support process context identifiers (PCID). Such processors cannot take advantage of the performance optimization that avoids a TLB flush; security is not affected. If the output indicates "Hardware requires kernel VA shadowing: False", this is a symptom of using a processor that doesn't require mitigations for CVE-2017-5754 (Meltdown), so the remaining kernel VA shadow lines are not relevant on that system. Also note that Microsoft has not yet provided protection for CVE-2017-5754 (Meltdown) on affected 32-bit platforms.
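The registry and verification steps above are easy to get half-right (the Windows Update gate set but the server mitigations never activated, or a "False" line misread as a gap when it only means the CPU is unaffected). The script below, an added example that is not part of the CERT note or of Microsoft's guidance, audits all of it in one elevated PowerShell session and optionally writes the values. It assumes the SpeculationControl module returns an object with the BTIHardwarePresent, BTIWindowsSupportPresent, BTIWindowsSupportEnabled, KVAShadowRequired, KVAShadowWindowsSupportPresent, KVAShadowWindowsSupportEnabled and KVAShadowPcidEnabled properties (the 1.0.x releases current in January 2018); the Hyper-V detection via the vmms service is a heuristic chosen here, not something the advisory prescribes.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the CERT note or Microsoft): audit ADV180002 state on a
# Windows Server host and interpret Get-SpeculationControlSettings. With -Enable it
# also writes the activation values from KB4072698; a restart is still required.
[CmdletBinding()]
param(
    [switch]$Enable   # write the FeatureSettingsOverride values (and the Hyper-V value)
)

$compat      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$mm          = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$hv          = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Windows Update gate: without this value no January 2018 updates are offered at all.
if ($null -eq (Get-RegValue $compat $compatValue)) {
    Write-Warning 'QualityCompat value missing: Windows Update will not offer the ADV180002 update.'
    if ($Enable) {
        # Only do this once the installed antivirus is confirmed compatible.
        New-Item -Path $compat -Force | Out-Null
        New-ItemProperty -Path $compat -Name $compatValue -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# 2. Server activation: Override=0 with Mask=3 enables both mitigations; 3/3 disables them.
$override = Get-RegValue $mm 'FeatureSettingsOverride'
$mask     = Get-RegValue $mm 'FeatureSettingsOverrideMask'
if ($Enable) {
    New-ItemProperty -Path $mm -Name FeatureSettingsOverride     -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $mm -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3 -Force | Out-Null
    if (Get-Service -Name vmms -ErrorAction SilentlyContinue) {   # heuristic: Hyper-V host
        New-Item -Path $hv -Force | Out-Null
        New-ItemProperty -Path $hv -Name MinVmVersionForCpuBasedMitigations -PropertyType String -Value '1.0' -Force | Out-Null
    }
    Write-Host 'Mitigation registry values written; restart the host to apply them.'
} elseif ($override -ne 0 -or $mask -ne 3) {
    Write-Warning "FeatureSettingsOverride=$override / Mask=$mask: mitigations not enabled (Windows Server default is off)."
}

# 3. Ask the kernel what is actually in effect.
if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl
$s = Get-SpeculationControlSettings   # prints the human-readable report and returns an object

$findings = @()
# Spectre variant 2 (CVE-2017-5715): needs the OS update, the microcode, and activation.
if (-not $s.BTIWindowsSupportPresent) {
    $findings += 'CVE-2017-5715: ADV180002 OS update not installed'
} elseif (-not $s.BTIHardwarePresent) {
    $findings += 'CVE-2017-5715: CPU microcode update missing (BIOS/firmware update needed)'
} elseif (-not $s.BTIWindowsSupportEnabled) {
    $findings += 'CVE-2017-5715: OS and hardware support present but mitigation not enabled (check FeatureSettingsOverride)'
}
# Meltdown (CVE-2017-5754): KVAShadowRequired=False means the CPU is unaffected, not a gap.
if ($s.KVAShadowRequired) {
    if (-not $s.KVAShadowWindowsSupportPresent) {
        $findings += 'CVE-2017-5754: kernel VA shadow support missing (install ADV180002)'
    } elseif (-not $s.KVAShadowWindowsSupportEnabled) {
        $findings += 'CVE-2017-5754: kernel VA shadow present but not enabled'
    } elseif (-not $s.KVAShadowPcidEnabled) {
        Write-Host 'Note: no PCID on this CPU; kernel VA shadow is active but without the TLB optimization.'
    }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'All ADV180002 mitigations this system needs are active.' }
```

Run it without switches first to see what is missing, then with -Enable on servers you have decided to activate; the QualityCompat value is deliberately only written when -Enable is given, since setting it under an incompatible antivirus product is what the gate exists to prevent.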
Both Spectre and Meltdown attacks presuppose "open platforms", where additional code can be added by a non-privileged user. The Technicolor products are not open platforms. Even where 3rd party applications can run in containers and can be managed via Life Cycle Management, these applications are validated and signed before they can be installed on the platform. Technicolor is currently working with its vendors to identify if additional layers of protection are needed. Yet, as the current platforms are closed and have secure bootloading mechanisms in place, there is no risk and no privilege acquired by an attacker in exploiting such an attack on Technicolor's devices.
We are not aware of further vendor information regarding this vulnerability.