Meltdown and Spectre vulnerabilities dominate January Patch Tuesday
Complications surrounding the fix for the Meltdown and Spectre microprocessor architecture flaws will make the patching process more difficult for administrators.
Administrators have their work cut out for them on multiple fronts after a serious security flaw surfaced that affects most operating systems and devices.
The Meltdown and Spectre vulnerabilities affect most modern CPUs -- from Intel-based server systems to ARM processors in mobile phones -- and could allow an attacker to pull sensitive data from memory. Microsoft mitigated the flaws with several out-of-band patches last week, which have been folded into the January Patch Tuesday cumulative updates. Full protection from the exploits will require a more concerted effort from administrators, however.
Researchers only recently discovered the flaws, which have existed for approximately 20 years. The Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) exploits target the CPU's pre-fetch functionality, which anticipates the feature or code the user might use next and loads the relevant data and instructions into memory. A CPU exploit written in JavaScript and served from a malicious website could pull sensitive information from the memory of an unpatched system.
"You could leak cookies, session keys, credentials -- information like that," said Jimmy Graham, director of product management for Qualys Inc., based in Redwood City, Calif.
In other January Patch Tuesday releases, Microsoft updated the Edge and Internet Explorer browsers to reduce the threat from the Meltdown and Spectre vulnerabilities. Aside from these CPU-related fixes, Microsoft issued patches for 56 other vulnerabilities, with 16 rated as critical, including a zero-day exploit in Microsoft Office (CVE-2018-0802).
Microsoft's attempt to address the CPU exploits had an adverse effect on some AMD systems, which could not boot after IT applied the patches. This issue prompted the company to pull those fixes until it can produce a more reliable update.
Most major cloud providers claimed they have closed this security gap, but administrators of on-premises systems will have to complete several deployment stages to fully protect their systems.
"This is a nasty one," said Harjit Dhaliwal, a senior systems administrator in the higher-education sector who handles patching for his environment. "This is not one of your normal vulnerabilities where you just have a patch and you're done. Fixing this involves a Microsoft patch, registry entries and firmware updates."
Microsoft released a security advisory labeled ADV180002 that provides in-depth information on how IT can address the threats. Administrators must first ensure their antivirus product has been updated and has set the registry value Microsoft requires; until it does, they cannot apply the Meltdown and Spectre patches. Windows Server systems require a separate registry change to enable the protections delivered by Microsoft's Meltdown and Spectre patches. The IT staff must also identify the devices under their purview and collect the make, model and firmware version of each to gather the matching firmware updates from the vendor. Firmware updates correct the two exploits related to Spectre; Microsoft plugged the Meltdown vulnerability with code changes to the kernel.
Dhaliwal manages approximately 5,000 Windows systems, ranging from laptops to Windows Server systems, with some models several years old. He is exploring a way to automate the firmware collection and deployment process, but certain security restrictions make this task even more challenging. His organization requires BitLocker on all systems, which must be disabled to apply a firmware update; otherwise, he could run into encryption key problems.
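The staged rollout above (antivirus compatibility value, the server-only registry change, per-model firmware collection, and suspending BitLocker before a firmware flash) is the kind of work an administrator would script for a fleet. The following PowerShell script is an added example written for this article; it is not Microsoft's code, not Dhaliwal's tooling, and not taken from ADV180002. The registry key and value names are placeholders to be filled in from ADV180002 and its linked knowledge base articles; the script assumes the built-in CIM classes Win32_OperatingSystem, Win32_BIOS and Win32_ComputerSystem, the BitLocker module's Get-BitLockerVolume and Suspend-BitLocker cmdlets, and, optionally, Microsoft's SpeculationControl module (Get-SpeculationControlSettings) if it has been installed.

```powershell
# Added example (not from the article, Microsoft or ADV180002): a pre-flight
# inventory for the multi-stage Meltdown/Spectre rollout. It records, per
# machine, whether the antivirus compatibility value is present, whether the
# Windows Server enablement values are set, the BIOS identity needed to collect
# the vendor firmware update, and the BitLocker state of the OS volume.
# Registry paths and value names below are PLACEHOLDERS: take the real ones
# from ADV180002 and its linked KB articles.

param(
    # PLACEHOLDER: key and value name that an updated antivirus product sets
    [string]$AvCompatKey   = 'HKLM:\SOFTWARE\<AV-COMPAT-KEY-FROM-ADV180002>',
    [string]$AvCompatValue = '<AV-COMPAT-VALUE-NAME>',
    # PLACEHOLDER: key and value names that enable the protections on Windows Server
    [string]$ServerEnableKey      = 'HKLM:\SYSTEM\<SERVER-ENABLE-KEY-FROM-ADV180002>',
    [string[]]$ServerEnableValues = @('<ENABLE-VALUE-1>', '<ENABLE-VALUE-2>'),
    [string]$ReportPath = "$env:TEMP\spectre-meltdown-preflight.csv"
)

function Test-RegistryValue {
    param([string]$Path, [string]$Name)
    # True only if the key exists and contains the named value.
    if (-not (Test-Path -Path $Path)) { return $false }
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.PSObject.Properties.Name -contains $Name)
}

# Stage 1: antivirus compatibility value (prerequisite for applying the OS patch).
$avReady = Test-RegistryValue -Path $AvCompatKey -Name $AvCompatValue

# Stage 2: server-only enablement values (protections stay off until these exist).
$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$isServer = $os.ProductType -ne 1      # 1 = workstation, 2 = domain controller, 3 = server
$serverEnabled = if ($isServer) {
    ($ServerEnableValues | ForEach-Object { Test-RegistryValue -Path $ServerEnableKey -Name $_ }) -notcontains $false
} else { 'n/a' }

# Stage 3: firmware identity, so the correct vendor update can be matched per model.
$bios = Get-CimInstance -ClassName Win32_BIOS
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem

# Stage 4: BitLocker state of the OS volume. A firmware flash can trip BitLocker
# into recovery, so protection is suspended (not decrypted) for one reboot
# before the flash and resumes automatically afterwards.
$bitlocker = 'module-not-available'
if (Get-Command -Name Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $vol       = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $bitlocker = $vol.ProtectionStatus   # On / Off
}

# Stage 5 (optional): Microsoft's SpeculationControl module, when installed,
# reports whether the kernel-side mitigations are present and enabled.
$specState = 'module-not-installed'
if (Get-Command -Name Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    $specState = (Get-SpeculationControlSettings | Out-String).Trim()
}

$report = [pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    OSVersion          = $os.Version
    IsServer           = $isServer
    AvCompatValueSet   = $avReady
    ServerMitigations  = $serverEnabled
    Manufacturer       = $cs.Manufacturer
    Model              = $cs.Model
    BiosVersion        = $bios.SMBIOSBIOSVersion
    BiosDate           = $bios.ReleaseDate
    BitLockerOSVolume  = $bitlocker
    SpeculationControl = $specState
}
$report | Export-Csv -Path $ReportPath -NoTypeInformation -Append
$report | Format-List

# The firmware-safe step from the article, run immediately before the vendor
# flash tool on a machine whose OS volume reports ProtectionStatus = On:
#   Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 1
```

Run the script on each machine (for example through a scheduled task or a remoting job) and merge the CSV files: the AvCompatValueSet column tells you which systems are eligible for the OS patch, ServerMitigations tells you which servers still need the registry change, and the Manufacturer/Model/BiosVersion columns give the per-model list needed to collect firmware updates. Suspending rather than disabling BitLocker keeps the volume encrypted and avoids the key-recovery problems the article describes, while still letting the firmware update complete.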
"This is not going to be an overnight process," Dhaliwal said.
How expansive are Meltdown and Spectre?
The Meltdown and Spectre vulnerabilities exploit a bug in the way many CPUs implement address space layout randomization. The difference between the two vulnerabilities lies in the kind of memory that is exposed to the attacker. Exploits that use the flaws can expose data that resides in the system's memory, such as login information from a password manager.
Microsoft noted that Meltdown and Spectre exist in many processors -- Intel, AMD and ARM -- and affect other operating systems, including Google Android and Chrome OS, and Apple iOS and macOS. Apple reportedly has closed the vulnerabilities in its mobile phones, while the status of Android patching varies depending on the OEM. According to researchers, Meltdown affects only Intel processors, while the Spectre exploit works against processors from Intel, AMD and ARM.
Virtualized workloads may require fine-tuning
Some administrators have confirmed early reports that the Meltdown and Spectre patches from Microsoft affect system performance.
Dave Kawula, principal consultant at TriCon Elite Consulting, applied the updates to his Windows Server 2016 setup and ran the VM Fleet utility, which runs a stress test with virtualized workloads on Hyper-V and the Storage Spaces Direct pooled storage feature. The results were troubling, with preliminary tests showing a performance loss of about 35%, Kawula said.
"As it stands, this is going to be a huge issue," he said. "Administrators better rethink all their virtualization farms, because Meltdown and Spectre are throwing a wrench into all of our designs."
Intel has been updating its BIOS code since the exploits were made public, and the company will likely refine its firmware to reduce the impact from the fix, Graham said.
For more information about the remaining security bulletins for January Patch Tuesday, visit Microsoft's Security Update Guide.
Tom Walat is the site editor for SearchWindowsServer. Write to him at [email protected] or follow him @TomWalatTT on Twitter.