Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/11/2018
05:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Survey Suggests Many Are Still Waiting for Spectre, Meltdown Windows Updates

Microsoft's insistence on a specific registry key setting for offering the updates on systems appears to be the issue, security vendor Barkly says.

The results of a small survey suggest that many organizations could still be waiting to receive updates for patching their Windows systems against the critical Spectre and Meltdown microprocessor vulnerabilities disclosed last week.

The vulnerabilities affect a wide set of products and give attackers a way to read sensitive data in system memory, including encryption keys and passwords.

Security vendor Barkly this week surveyed 75 IT pros responsible for managing security updates at their organizations and found more than half said they had received updates for barely 25% of their vulnerable Windows systems. A surprising 26% said that none of their Windows systems had received an update even one week after Microsoft rushed them out in an out-of-cycle patch release.

The reason for the delay appears to be Microsoft's insistence that all vendors of antivirus products set a specific registry key on customer devices after they have verified their products to be compatible in order to avoid potential patch compatibility issues, Barkly said.

According to Microsoft, when AV products make unsupported calls to Windows kernel memory, the updates could cause computers to crash as a result, so it will not offer updates on computers without the required registry key. Systems that have not received the security updates are likely running incompatible AV products, and users should consult with their vendors directly on addressing the problem in such instances, Microsoft has said.

The compatibility issues add to concerns that fixes for Spectre and Meltdown could severely degrade system performance — in some cases by up to 30%.

"During tests, Microsoft discovered that their new [update] was creating instability with other low-level system management and protection products, notably some antivirus technologies," says Barkly co-founder and CTO Jack Danahy.

To address this, Microsoft has made delivery of the Windows security updates contingent on the presence of a special registry key. "It has recommended that AV vendors add this key to customer devices only after they've confirmed their products are compatible," Danahy says.

The problem is that AV vendors have taken different approaches to addressing Microsoft's requirement. Some have taken it upon themselves to set the required key — even if their AV software itself is compatible. Others have recommended that users add the registry key themselves manually. Twenty-five percent of the respondents in the Barkly survey, for instance, said their AV vendor had made the change, while 20% said their vendor recommended they do it themselves manually.

Compounding the situation is the fact that many organizations do not appear to be aware of Microsoft's stipulation. Forty-six of the respondents in the survey did not know about the need for a specific registry key, making it unlikely they would contact their AV vendor about it. And many AV vendors themselves do not appear to have been very proactive in informing customers of what's going on. Only 42% of respondents in the Barkly survey said their AV vendor had notified them regarding their product's compatibility with the patch.

"There is an added risk here that organizations running multiple AV products, or running varying versions of AV products, may find themselves adding the key universally and causing these stability problems to surface on mismatched versions," Danahy says.

Issues with patch updates are certainly not new. Even with critical vulnerabilities such as Meltdown and Spectre, enterprises often adopt a make-haste-slowly approach to deploying patches for fear of disrupting their systems. If patches are not tested properly, they can often break systems and cause more problems for organizations than if the patches had not been deployed at all.

Even so, concerns about attackers exploiting unpatched vulnerabilities have pushed enterprises to patch more quickly these days. A new survey by Tripwire and Dimensional Research released this week shows that a majority of organizations — 78% — patch all detected vulnerabilities on their network within 30 days of discovery. About four in 10 do it in less than 15 days, while 46% said they'd probably not wait more than seven days in order to start patching vulnerabilities.

"Some organizations are very prompt, automatically acquiring and applying patches as soon as they are available," while others lag, Danahy says. With the updates for Spectre and Meltdown, organizations appear to be more inclined to patch quickly, he notes.

"I think that we are seeing a much more responsive community to this particular patch," he says. "But it is an 80/20 proposition, where 80% are being even more prompt that they ordinarily would be, but the other 20% is probably going to lag behind by an even longer testing interval."

Related content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16404
PUBLISHED: 2019-10-21
Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php in OpenEMR through 5.0.2 allows a user to extract arbitrary data from the openemr database via a non-parameterized INSERT INTO statement, as demonstrated by the providerID parameter.
CVE-2019-17400
PUBLISHED: 2019-10-21
The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.
CVE-2019-17498
PUBLISHED: 2019-10-21
In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a ...
CVE-2019-16969
PUBLISHED: 2019-10-21
In FusionPBX up to 4.5.7, the file app\fifo_list\fifo_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS.
CVE-2019-16974
PUBLISHED: 2019-10-21
In FusionPBX up to 4.5.7, the file app\contacts\contact_times.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.