1/23/2018
04:50 PM
Fallout from Rushed Patching for Meltdown, Spectre

Not all systems require full patching for the flaws right now, anyway, experts say.

Intel's unusual advisory yesterday urging its customers and partners to refrain from applying some of its firmware patches for the so-called Meltdown and Spectre flaws in its microprocessors illustrated just how pressured patching can backfire.

Navin Shenoy, executive vice president and general manager of Intel's Data Center, in a post called for customers and OEMs to halt installation of patches for its Broadwell and Haswell microprocessors after widespread reports of spontaneous rebooting on systems fitted with the new patches. Intel now plans to issue a fix for the Meltdown-Spectre fix, according to the company.

It's the latest in a string of missteps in the wake of the major disclosure earlier this month of critical flaws in most modern microprocessors: a common method used for performance optimization could allow an attacker to read sensitive system memory, which could contain passwords, encryption keys, and emails, for example. The vulnerabilities affect CPUs from Intel, AMD, and ARM.

Microsoft also has experienced problems with its operating system patches that provide workarounds for the microprocessor vulnerabilities, specifically its updates for Windows 10 on AMD microprocessor platforms. The vendor yesterday came out with new updates that resolve booting issues the original patches had caused. That came after compatibility problems with antivirus programs running on Windows that hadn't been updated for the Meltdown and Spectre workarounds.

The recently discovered Meltdown and Spectre hardware vulnerabilities allow for so-called side-channel attacks. With Meltdown, sensitive information in the kernel memory is at risk of being accessed nefariously; with Spectre, a user application could read the kernel memory as well as that of another application. The end result: an attacker could read sensitive system memory containing passwords, encryption keys, and emails — and use that information to help craft a local attack.

Both Intel's and Microsoft's patching problems underscore the downside of applying patches under pressure. "We've been telling our clients 'don't panic patch,'" says Neil MacDonald, vice president and distinguished analyst at Gartner.

Organizations such as cloud providers and large server farm environments were among the first to install the Intel and other vendor patches because they were at higher risk. Cloud providers, for example, had obvious concerns about customers suffering attacks via their servers, MacDonald notes. But some early adopters "got burned" with Microsoft's antivirus incompatibilities and locked AMD machines with the Windows patches, and unexpected reboots from the new Intel patches, he says.

Most enterprises, however, can afford to hold off on fully patching for Meltdown and Spectre until the patches are fully vetted. The good news is there are no known attacks in the wild, which allows for a more risk-based rollout of patches, he notes.

"People who rushed to patch are getting penalized," MacDonald says.

Gartner is advising its clients to prioritize the systems they patch. If performance penalties with the updates are one of the side effects, then in some cases it's best not to patch at all, or to just apply operating system and browser patches. For some endpoints, for example, it makes more sense to patch the OS now and then the firmware later. "You'll get at least partial protection," MacDonald says.

Servers should be locked down, too, to mitigate the attacks. "They should not [be able] to execute arbitrary code, or do email … so servers should go to whitelisting," which would provide "significant" protection from a Spectre or Meltdown attack, he says.

Some systems may not merit patching at all, such as I/O-heavy network appliances, storage appliances, and security appliances, where the Meltdown/Spectre code update's performance hit would be detrimental. "In some cases, the appropriate risk-based decision is not to apply the patch because of performance implications," MacDonald says.

The performance hit with the patches is especially painful for the industrial environment, which is both a juicy target for attack as well as highly disruption-averse. "In the world of critical infrastructure, where safety and availability are paramount, updates that carry this kind of baggage are simply not applied immediately," says Eddie Habibi, founder and CEO of PAS Global. "The first option for facilities right now is to validate existing security controls and consider adding new ones only where risk is perceived as outsized."

Intel, Microsoft, Linux, and browser vendors' security updates and patches for Meltdown and Spectre are mainly workarounds and mitigations. A real fix requires a brand-new generation of microprocessors, a development that realistically is a year or two away at best, Gartner's MacDonald says. "There is no easy fix. These [patches] are all workarounds until new hardware is released."

Intel's patch glitches stem from rushing the patches out without fully testing them in environments such as a cloud provider's fleet of millions of servers, he notes.

Meantime, Linux creator Linus Torvalds isn't happy with Intel's approach to working around the design flaw. In a post on the Linux Kernel Mailing List this week, he unleashed his frustration with Intel's workaround, calling it "garbage."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
GonzSTL,
User Rank: Ninja
2/2/2018 | 1:18:29 PM
Re: Who has offered the best overall strategy for dealing with M/S?
The scary part to all this is the existence of over 130 known strains of M/S malware. Note that the operative word is "known". Don't even think that the bad guys don't have "unknown" malware already.
BrianN060,
User Rank: Ninja
1/23/2018 | 8:01:32 PM
Who has offered the best overall strategy for dealing with M/S?
Lots of rain around here today; but nothing like the downpour of un-dos, re-dos and don't-do-anything statements coming from vendors and security firms.

At this point in the M/S mess, has anybody provided high quality, actionable, strategic advice for organizations or individuals, which has helped dodge this bullet (or barrage, might be more appropriate)?

In general, we've been trained to act quickly (if we hadn't acted proactively). The M/S situation has turned that on its ear. Even those with detection/mitigation protocols and plans in place weren't ready for a situation where there was nothing to detect, and nothing to fear but fear itself. Many that moved quickly found they stepped into a minefield.

Anybody want to give credit to those that have led them through unscathed (so far)?