1/11/2018 05:25 PM

Survey Suggests Many Are Still Waiting for Spectre, Meltdown Windows Updates

Microsoft's insistence on a specific registry key setting for offering the updates on systems appears to be the issue, security vendor Barkly says.

The results of a small survey suggest that many organizations could still be waiting to receive updates for patching their Windows systems against the critical Spectre and Meltdown microprocessor vulnerabilities disclosed last week.

Meltdown and Spectre are side-channel flaws in the speculative execution logic of modern processors. They affect a wide set of products and give attackers running unprivileged code a way to read sensitive data from system memory, including encryption keys and passwords.

Security vendor Barkly this week surveyed 75 IT pros responsible for managing security updates at their organizations and found more than half said they had received updates for barely 25% of their vulnerable Windows systems. A surprising 26% said that none of their Windows systems had received an update even one week after Microsoft rushed them out in an out-of-cycle patch release.

The reason for the delay appears to be a Microsoft requirement aimed at avoiding patch compatibility problems: antivirus vendors must set a specific registry key on customer devices, and they are supposed to do so only after verifying that their products are compatible with the update, Barkly said.

According to Microsoft, antivirus products that make unsupported calls into Windows kernel memory can cause a patched computer to crash, so Windows Update will not offer the updates to computers that lack the required registry key. Systems that have not received the security updates are likely running incompatible AV products, and in such cases users should consult their vendors directly about addressing the problem, Microsoft has said.

The compatibility issues add to concerns that fixes for Spectre and Meltdown could severely degrade system performance — in some cases by up to 30%.

"During tests, Microsoft discovered that their new [update] was creating instability with other low-level system management and protection products, notably some antivirus technologies," says Barkly co-founder and CTO Jack Danahy.

To address this, Microsoft has made delivery of the Windows security updates contingent on the presence of a special registry key. "It has recommended that AV vendors add this key to customer devices only after they've confirmed their products are compatible," Danahy says.

The problem is that AV vendors have taken different approaches to addressing Microsoft's requirement. Some have taken it upon themselves to set the required key — even if their AV software itself is compatible. Others have recommended that users add the registry key themselves manually. Twenty-five percent of the respondents in the Barkly survey, for instance, said their AV vendor had made the change, while 20% said their vendor recommended they do it themselves manually.

Compounding the situation is the fact that many organizations do not appear to be aware of Microsoft's stipulation. Forty-six of the respondents in the survey did not know about the need for a specific registry key, making it unlikely they would contact their AV vendor about it. And many AV vendors themselves do not appear to have been very proactive in informing customers of what's going on. Only 42% of respondents in the Barkly survey said their AV vendor had notified them regarding their product's compatibility with the patch.

"There is an added risk here that organizations running multiple AV products, or running varying versions of AV products, may find themselves adding the key universally and causing these stability problems to surface on mismatched versions," Danahy says.
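The following PowerShell audit script is an added example and is not code from the article, from Barkly, or from Microsoft. It checks whether the compatibility flag described above is present, whether any of the January 3, 2018 updates have actually been installed, and which antivirus products Windows Security Center has registered, so that the flag is set only for a host whose AV version has been confirmed compatible rather than "universally", the risk Danahy describes. The registry path, value name, type and data are the ones Microsoft documents in KB4072699; the list of KB numbers is an assumption covering a few common builds and should be confirmed against Microsoft's advisory ADV180002 for the builds in your fleet.

```powershell
# Added example: audit a Windows host for the QualityCompat flag that gates
# delivery of the January 2018 Meltdown/Spectre updates. Not from the article.
# Registry location/value per Microsoft KB4072699. Run from an elevated shell.

$QualityCompatPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatName = 'cadca5fe-36c6-4d0d-a75b-5fd4e1c0ba95'

# Assumption: January 3, 2018 updates for Windows 10 1709, Windows 10 1607 /
# Server 2016, and the Windows 7 SP1 / Server 2008 R2 monthly rollup.
# Confirm and extend this list for your builds using ADV180002.
$JanuaryUpdateKBs = @('KB4056892', 'KB4056890', 'KB4056894')

function Get-QualityCompatState {
    # True only when the value exists as a REG_DWORD with data 0, which is
    # the condition Windows Update checks before offering the update.
    $item = Get-ItemProperty -Path $QualityCompatPath -Name $QualityCompatName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $data = $item.$QualityCompatName
    return (($data -is [int]) -and ($data -eq 0))
}

function Get-InstalledJanuaryUpdates {
    # Cross-check: a set flag does not mean the update was applied yet.
    Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $JanuaryUpdateKBs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
}

function Get-RegisteredAntivirus {
    # Security Center (root/SecurityCenter2) exists on client SKUs only;
    # on Windows Server this returns an empty list rather than failing.
    try {
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
            Select-Object displayName, pathToSignedProductExe, productState
    } catch {
        @()
    }
}

function Set-QualityCompatFlag {
    # Set the flag only after the AV vendor has confirmed compatibility for
    # the exact product version on THIS host. Setting it blindly reproduces
    # the instability the gate exists to prevent. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($QualityCompatPath, "Set $QualityCompatName = 0 (REG_DWORD)")) {
        if (-not (Test-Path $QualityCompatPath)) {
            New-Item -Path $QualityCompatPath -Force | Out-Null
        }
        New-ItemProperty -Path $QualityCompatPath -Name $QualityCompatName `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Build a per-host report suitable for collecting across a fleet.
$report = [pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    QualityCompatSet = Get-QualityCompatState
    JanuaryUpdates   = (@(Get-InstalledJanuaryUpdates) -join ', ')
    Antivirus        = (@(Get-RegisteredAntivirus | ForEach-Object { $_.displayName }) -join ', ')
}
$report | Format-List

# Example of the guarded path: preview only, no registry change.
Set-QualityCompatFlag -WhatIf
```

Run the report first and compare the Antivirus column against the vendor's published compatibility statement for that product and version; only then call Set-QualityCompatFlag without -WhatIf on the hosts that match. A host that shows the flag set but no January KB installed is one that is still waiting for Windows Update to deliver the patch. Once the update is installed, Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings) reports whether the kernel mitigations are actually enabled, which the presence of the KB alone does not prove.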

Issues with patch updates are certainly not new. Even with critical vulnerabilities such as Meltdown and Spectre, enterprises often adopt a make-haste-slowly approach to deploying patches for fear of disrupting their systems. If patches are not tested properly, they can often break systems and cause more problems for organizations than if the patches had not been deployed at all.

Even so, concerns about attackers exploiting unpatched vulnerabilities have pushed enterprises to patch more quickly these days. A new survey by Tripwire and Dimensional Research released this week shows that a majority of organizations — 78% — patch all detected vulnerabilities on their network within 30 days of discovery. About four in 10 do it in less than 15 days, while 46% said they'd probably not wait more than seven days in order to start patching vulnerabilities.

"Some organizations are very prompt, automatically acquiring and applying patches as soon as they are available," while others lag, Danahy says. With the updates for Spectre and Meltdown, organizations appear to be more inclined to patch quickly, he notes.

"I think that we are seeing a much more responsive community to this particular patch," he says. "But it is an 80/20 proposition, where 80% are being even more prompt than they ordinarily would be, but the other 20% is probably going to lag behind by an even longer testing interval."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
New Mirai Version Targets Business IoT Devices
Dark Reading Staff 3/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Reading Schneier's Friday Squid Blog again?
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.