
In this Information Security QA, we thoughtfully discuss whether or not patching for Spectre and Meltdown are necessary on Windows boxes.

Some will undoubtedly decide they want to patch certain Windows boxes, while others will decide they don't want to patch some Windows boxes.

For Windows 7 boxes for which the patches are not desired (due to known issues, including a negative performance impact), is there any way to not install those specific patches, yet continue to install other OS patches released by Microsoft?

Or is that if Spectre and Meltdown OS-level patches are not desired on a system, that no more Microsoft Windows 7 patches can be applied to that specific system?

2 Answers

If the performance penalty is your main objection, then you don't appear to need to prevent those updates from being installed: the part of the Meltdown/Spectre protection measures that is believed to cause most of the penalty can later be turned off (or back on) with a registry key, ensuring you won't get a performance penalty if you're not affected:

To enable the fix

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

To disable the fix

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

(There is no need to change MinVmVersionForCpuBasedMitigations.)

  • Note that the setting of 3 is correct for both the enable and disable cases because of the masking.

Not only that, but as most of the penalty is caused by user-kernel transitions which now cost more due to the mitigations, it's worse for Linux and other operating systems based on monolithic kernels than for Windows. In certain Windows configurations performance impact is negligible, so if yours match those, you don't need to worry about that much.

That said, please note also that the performance impact is not the only issue with the Meltdown/Spectre patches for Windows. A few antivirus products are known to cause further problems, including Blue Screen errors and inability to boot.

Though skipping security updates is the ultimate measure (and you should only do that if you are a hundred per cent sure you know what you're doing and are ready to face the consequences), it's best to first check with the official advisory of your antivirus vendor (and, probably, the vendors of any other system-related software, should there be any on your installation) whether it's already fine to use the Spectre/Meltdown updates together with their products.

Note that at the end of the day it doesn't look like you'll be able to install any of the security updates in future without those Meltdown/Spectre patches being installed. This way, it's better not to skip but to manage.

ximaera
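An added example, not part of the answer above: a PowerShell check that reads the two registry values set by the reg commands quoted in the answer and reports the effective state, applying the same AND-masking the note describes. Only the 0/3 combinations the answer gives are treated as known states; the function name and the "partial override" wording are this example's own.

```powershell
# Added example (not from the answer or from Microsoft): inspect the
# FeatureSettingsOverride / FeatureSettingsOverrideMask values on this host.
# Run in an elevated PowerShell on the Windows 7 machine being audited.

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-MitigationOverrideState {
    param([string]$Path = $MemMgmtKey)   # hypothetical helper name

    $props    = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $override = $props.FeatureSettingsOverride
    $mask     = $props.FeatureSettingsOverrideMask

    if ($null -eq $override -or $null -eq $mask) {
        # Neither reg command has been run: the update's default behaviour applies.
        return [pscustomobject]@{
            Override = $override
            Mask     = $mask
            State    = 'Not set (no override; update defaults apply)'
        }
    }

    # Only the bits selected by the mask take effect, which is why the answer
    # uses Mask = 3 for both the enable (Override = 0) and disable (Override = 3) cases.
    $effective = $override -band $mask

    $state = switch ($effective) {
        0       { 'Mitigations enabled (matches the "enable the fix" commands)' }
        3       { 'Mitigations disabled (matches the "disable the fix" commands)' }
        default { "Partial override (effective bits = $effective); check Microsoft's guidance" }
    }

    [pscustomobject]@{
        Override  = $override
        Mask      = $mask
        Effective = $effective
        State     = $state
    }
}

Get-MitigationOverrideState | Format-List
```

The registry values only show what was requested; the reboot the answer mentions is still required before the kernel picks up a change, so compare the output against the boot time when auditing.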

For Windows 7 boxes for which the patches are not desired (due to known issues, including a negative performance impact), is there any way to not install those specific patches, yet continue to install other OS patches released by Microsoft?

This will not be possible. The current (cumulative and security) monthly patch released for Windows 7, Windows 8.x, and Windows 10 contains the security fixes for CVE-2017-5753 and CVE-2017-5754. This means that when the next monthly (cumulative and security) patch is released next month, it will also include the previous patches if your system does not have this month's cumulative patch installed.

It is worth pointing out that it is my understanding that the vulnerability mitigation that comes with a performance hit is for CVE-2017-5715. The only changes within Windows with regard to this vulnerability mitigation are the changes to the kernel, which call the CPU instruction used to mitigate variant 2 of the Spectre vulnerability. In order to be protected from this vulnerability, your processor's microcode must also be updated (otherwise your system will remain vulnerable to variant 2).

Or is that if Spectre and Meltdown OS-level patches are not desired on a system, that no more Microsoft Windows 7 patches can be applied to that specific system?

Windows 7 and Windows 8.1 went to a (cumulative and security) monthly patch release over a year and a half ago (mid-2016). Previous security patches, provided in a given month, are included in the next month's cumulative and security patch.

In general, our experience is that Variant 1 and Variant 3 mitigations have minimal performance impact, while Variant 2 remediation, including OS and microcode, has a performance impact.

Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems

Ramhound