1/23/2018
04:50 PM

Fallout from Rushed Patching for Meltdown, Spectre

Not all systems require full patching for the flaws right now, anyway, experts say.

Intel's unusual advisory yesterday urging its customers and partners to refrain from applying some of its firmware patches for the so-called Meltdown and Spectre flaws in its microprocessors illustrated just how pressured patching can backfire.

In a post, Navin Shenoy, executive vice president and general manager of Intel's Data Center, called for customers and OEMs to halt installation of patches for its Broadwell and Haswell microprocessors after widespread reports of spontaneous rebooting of systems running the new patches. Intel now plans to issue a fix for the Meltdown-Spectre fix, according to the company.

It's the latest in a string of missteps in the wake of the major disclosure earlier this month of critical flaws in most modern microprocessors: a common method used for performance optimization could allow an attacker to read sensitive system memory, which could contain passwords, encryption keys, and emails, for example. The vulnerabilities affect CPUs from Intel, AMD, and ARM.

Microsoft also has experienced problems with its operating system patches that provide workarounds for the microprocessor vulnerabilities, specifically its updates for Windows 10 on AMD microprocessor platforms. The vendor yesterday came out with new updates that resolve booting issues the original patches had caused. That came after compatibility problems with antivirus programs running on Windows that hadn't been updated for the Meltdown and Spectre workarounds.

The recently discovered Meltdown and Spectre hardware vulnerabilities allow for so-called side-channel attacks. With Meltdown, sensitive information in the kernel memory is at risk of being accessed nefariously; with Spectre, a user application could read the kernel memory as well as that of another application. The end result: an attacker could read sensitive system memory containing passwords, encryption keys, and emails — and use that information to help craft a local attack.

Both Intel's and Microsoft's patching problems underscore the downside of applying patches under pressure. "We've been telling our clients 'don't panic patch,'" says Neil MacDonald, vice president and distinguished analyst at Gartner.

Organizations such as cloud providers and large server farm environments were among the first to install the Intel and other vendor patches because they were at higher risk. Cloud providers, for example, had obvious concerns about customers suffering attacks via their servers, MacDonald notes. But some early adopters "got burned" with Microsoft's antivirus incompatibilities and locked AMD machines with the Windows patches, and unexpected reboots from the new Intel patches, he says.

Most enterprises can afford to hold off on fully patching for Meltdown and Spectre for now until the patches are fully vetted, however. The good news is there are no known attacks in the wild, which allows for a more risk-based rollout of patches, he notes.

"People who rushed to patch are getting penalized," MacDonald says.

Gartner is advising its clients to prioritize the systems they patch. If performance penalties with the updates are one of the side effects, then in some cases it's best not to patch at all, or to just apply operating system and browser patches. For some endpoints, for example, it makes more sense to patch the OS now and then the firmware later. "You'll get at least partial protection," MacDonald says.

Servers should be locked down, too, to mitigate the attacks. "They should not [be able] to execute arbitrary code, or do email … so servers should go to whitelisting," which would provide "significant" protection from a Spectre or Meltdown attack, he says.

Some systems may not merit patching at all, such as I/O-heavy network appliances, storage appliances, and security appliances, where the Meltdown/Spectre code update's performance hit would be detrimental. "In some cases, the appropriate risk-based decision is not to apply the patch because of performance implications," MacDonald says.

The performance hit with the patches is especially painful for the industrial environment, which is both a juicy target for attack and highly disruption-averse. "In the world of critical infrastructure, where safety and availability are paramount, updates that carry this kind of baggage are simply not applied immediately," says Eddie Habibi, founder and CEO of PAS Global. "The first option for facilities right now is to validate existing security controls and consider adding new ones only where risk is perceived as outsized."

Intel, Microsoft, Linux, and browser vendors' security updates and patches for Meltdown and Spectre are mainly workarounds and mitigations. A real fix requires a brand-new generation of microprocessors, a development that realistically is a year or two away at best, Gartner's MacDonald says. "There is no easy fix. These [patches] are all workarounds until new hardware is released."

Intel's patch glitches are due to its rushing them out without fully testing them for a cloud provider's environment of millions of servers, for example, he notes.

Meantime, Linux creator Linus Torvalds isn't happy with Intel's approach to working around the design flaw. In a post on the Linux Kernel Mailing List this week, he unleashed his frustration with Intel's workaround, calling it "garbage."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
GonzSTL,
User Rank: Ninja
2/2/2018 | 1:18:29 PM
Re: Who has offered the best overall strategy for dealing with M/S?
The scary part to all this is the existence of over 130 known strains of M/S malware. Note that the operative word is "known". Don't even think that the bad guys don't have "unknown" malware already.
BrianN060,
User Rank: Ninja
1/23/2018 | 8:01:32 PM
Who has offered the best overall strategy for dealing with M/S?
Lots of rain around here today; but nothing like the downpour of un-dos, re-dos and don't-do-anything statements coming from vendors and security firms. 

At this point in the M/S mess, has anybody provided high quality, actionable, strategic advice for organizations or individuals, which has helped dodge this bullet (or barrage, might be more appropriate)? 

In general, we've been trained to act quickly (if we hadn't acted proactively).  The M/S situation has turned that on its ear.  Even those with detection/mitigation protocols and plans in place weren't ready for a situation where there was nothing to detect, and nothing to fear but fear itself.  Many that moved quickly found they stepped into a minefield. 

Anybody want to give credit to those that have led them through unscathed (so far)?