Spectre and Meltdown vulnerabilities show haste makes waste
When the Meltdown and Spectre vulnerabilities came to light, everyone scrambled to find a fix. As a result, the patching process has been anything but smooth.
IT professionals, especially those with security responsibilities, faced an unpleasant surprise when the Spectre and Meltdown vulnerabilities came to light.
It was even more unpleasant to learn that the firmware changes they'd need to address the vulnerabilities -- especially variant 2 -- could take some time.
The patching efforts following the Spectre and Meltdown vulnerabilities have been rocky at best.
Understanding the basics
Spectre and Meltdown are two families of CPU vulnerabilities that affect Windows PCs. The source of these vulnerabilities is speculative execution, which is common in processor chip architectures.
Speculative execution is designed to speed up processing by having the chip guess what action to perform next. This could mean calculating all the functions that any branch in the program logic might need in advance, with the understanding that an action will be required.
Data from speculative execution gets stored in memory that lives on a CPU chip called the cache. In the cache, even protected data is exposed, so attackers can see where the data resides, which can provide a hint as to what the data is. This is called a side-channel attack because the hacker does not require direct access to the data.
Speculative execution has been built into most CPUs since the late 1990s. As a result, the Spectre and Meltdown vulnerabilities affect most Intel x86 PC chips in use today, as well as Advanced Micro Devices (AMD) and advanced RISC machine processors.
What has been patched?
Microsoft and some chip vendors, including Intel and AMD, have released patches for these vulnerabilities on Windows PCs. The chipmakers share their patches with system and motherboard makers, who then roll them out to the customers.
The first round of Spectre and Meltdown patches from Intel, Microsoft
and
Dell, among other vendors, rolled out in early January 2018 and caused system stability issues, including spontaneous reboots.
Most of these problems occurred because the vendors rushed out the early patches before they could thoroughly test them. The reboot issues were so bad that Intel had to issue an advisory against using its initial patches for its Haswell and Broadwell processors. Also, Microsoft had to issue an update -- KB4078130 -- to reverse the effects of its initial patches.
A second
wave of Spectre and Meltdown patches rolls in
After the first wave of patches caused so many problems, things stayed quiet as the principals -- Intel, Microsoft, AMD and others -- labored quietly in the background to address the Spectre and Meltdown vulnerabilities without compromising system stability or overly affecting performance.
After IT patches the system, it will greenlight the status of both Spectre and Meltdown.
Then, Microsoft issued the KB4090007 Intel microcode updates for PCs with Skylake desktop and mobile processors, which patched the vulnerabilities. Other options for obtaining a clean bill of health are the Ashampoo Spectre Meltdown CPU Checker and InSpectre. Update KB4090007 covers Coffee Lake and Kaby Lake processors from Intel, as well.
Recent history shows that IT pros shouldn't just roll out patches across the board.
Dell, Hewlett Packard Enterprise
and
Lenovo released patches for most Intel platforms as far back as Ivy Bridge, but those patches produced mixed results for users. Dell's early Haswell patch for the Dell Venue 11 Pro 7130 with Intel i5-4210Y CPU, for example, prevented that system from rebooting normally.
Of the major motherboard vendors, Asus, Gigabyte Technology, Micro-Star International
and
ASRock have all released basic input/output system and Unified Extensible Firmware Interface updates for processors back to Sandy Bridge on Intel.
AMD has worked with Microsoft to address Spectre through OS updates -- variant 1 -- and firmware updates combined with OS patches -- variant 2. Here, again, there are mixed results. Microsoft Surface and Dell PCs, for example, test positive for Spectre and Meltdown vulnerabilities with the aforementioned tools, even if they've received updates.
What should businesses do to address the Spectre and Meltdown vulnerabilities?
IT pros should survey the CPUs the organization uses and compile a complete list. They should then compare that list to all the available updates and apply them. There are several lists out there for IT pros to choose from.
Next, IT should test patches as they become available in pilot or limited-use circumstances. Recent history shows that IT pros shouldn't just roll out patches across the board until they know that the patches won't inflict local or organizational harm.
Over time, most organizations should be able to cover the security gaps that the Spectre and Meltdown vulnerabilities pose, but it will take a certain amount of attention, diligence
and
effort to close them. IT pros should bear in mind that it is unlikely that systems older than Ivy Bridge or Athlon II will ever be patched because they are too old.
