Microsoft Patch Release - Wednesday, January 3, 2018


  • Anonymous
  • 0 replies
On Wednesday, January 3, Microsoft released a patch to address a number of issues, including a reported CPU vulnerability issue.  Webroot has tested current shipping versions of Webroot SecureAnywhere 9.0.18.xx and has confirmed compatibility with this patch. 
 
You can learn more about the patch at the  Microsoft support page, and download the patch from the Microsoft catalog. 
 
To deploy it immediately, please follow the instructions for setting the REGKEY as described in the Microsoft support page article.  Microsoft has also published additional information about why they require setting a registry key here.
 
Within the next week we will begin releasing a new Webroot SecureAnywhere version 9.0.19.xx that, along with a number of planned enhancements, will also set the REGKEY automatically.  But until that version is available, please set the REGKEY manually as described by Microsoft.
 
We have posted an article in the Webroot Knowledge Base with detailed instructions on how to manually set the required registry key so that your device will ready for the patch the next time it checks for updates, or when you download it from the Microsoft catalog.  We will provide an automated utility shortly.

10 replies

Userlevel 5
Badge +19
Thanks for the update. Would it be possible to provide a small, downloadable app that checks the system environment and WR version, and, if appropriate, sets the REGKEY? This so we can use the Agent Commands > Download and run a file option?
 
Or the full syntax to use in  Agent Commands / Advanced / Run a registry command ?
 
Cheers,
 
Edwin
Badge +3
I second Edwin's motion.
Sure seems like the registry command syntax would be something that Webroot could determine and test quickly, and would allow Community users to get their systems patched sooner rather than later.
Userlevel 7
Badge +31
There's numerous ways to get this done, manually or automated, and everyone has their own preference. 
 
Our suggested methods are given in the KB article here which is being updated as new information comes to light.  We're starting with those methods that require least QA / testing so that our customers are able to immediately start deploying the reg key, as mandated by Microsoft, in order that they can then get the Microsoft patch. 
 
If you have a RMM tool set or a configuration management tool, that would be my first choice to set the reg key. 
 
Jonathan
 
On Wednesday, January 3, 2018 Microsoft released a patch to address a number of issues, including a reported CPU vulnerability issue. Webroot has tested the current released versions of Webroot SecureAnywhere 9.0.18.xx and has confirmed compatibility with this patch. There is no issue with Webroot or our products.
 
Please note that Webroot’s compatibility with the patch does not mean that Webroot is addressing the hardware vulnerability caused by a design flaw in processor chips.
 
You can learn more about the patch at the Microsoft support page, and download the patch from the Microsoft catalog. 
 
If you choose to deploy it immediately, Microsoft requires that a registry key is set before you do so. Additional information from Microsoft on this requirement can be found here. To set the REGKEY, please follow the instructions for setting as described in the Microsoft support page article.
Webroot will release a file that contains the necessary Registry Key settings which will make the process simpler to execute.  When this file is available, we will update the Webroot Knowledge Base article to include how-to steps and further information.
 
Within the next week we will release a new Webroot SecureAnywhere version, 9.0.19.xx that, along with a number of planned enhancements, will set the REGKEY automatically. 
 
If you have questions or concerns, please open a Support ticket so that we can assist you.
 
 
UPDATE: Webroot released an registry export containing the required setting to make the process simpler to execute. The file, and step-by-step instructions are on the Webroot Knowledge Base article.
For anyone wondering, you can push the registry command by using the Webroot management console. This worked successfully for me to push out to all of my endpoints using the "Run a registry command" function:
  1. Go to Group Management and select all endpoints you would like to push the regkey to
  2. Select Agent Commands > Advanced > Run a registry command
  3. Put in the following command: reg ADD HKLMSOFTWAREMicrosoftWindowsCurrentVersionQualityCompat /f /v cadca5fe-87d3-4b96-b7fb-a231484277cc /t REG_DWORD /d 0
  4. Your endpoints will not update until they check in with the console (dependant upon your config. Mine are set to 15 minutes) so check shortly after and the regkey should be there.
 
This registry key is for the Spectre/Meltdown patching specifically.
 
EDIT: I have had a couple of weird goof ups with the registry command option. I have confirmed that using the "run a DOS command" also works with this method, and seems to be more reliable. 
In case it might help others I providing the other reg keys required to fully protect your system from meltdown/spectre.  These are taken from here are are only necessary on Hyper-V hosts, RDSH servers, and servers runing untrusted code.
 
To enable the fix
reg add "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerMemory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerMemory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
 
To disable this fix
reg add "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerMemory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
reg add "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerMemory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
 
Verifying that protections are enabled
PowerShell verification

Install the PowerShell module
PS > Install-Module SpeculationControl
Run the PowerShell module to validate protections are enabled
PS > Get-SpeculationControlSettings
Userlevel 1
Does anyone have any information on patching Windows 8/2012?
 
I see that it is not addressed by the script.
 
Thanks.
Userlevel 1
This should be what you're looking for - Windows Server Guidance
 
Another issue here regarding future patching from Microsoft is that they will continue to do this with security updates moving forward so it does not clash with the AV installed on the systems.  I hope Webroot is aware of this because this registry update situation is definately NOT ideal when other providers HAD the registry updated through automation before the Microsoft patch was deplayed.  
 
See link:  http://www.zdnet.com/article/microsoft-no-more-windows-patches-at-all-if-your-av-clashes-with-our-meltdown-fix/

Reply