The results of a small survey suggest that many organizations could still be waiting to receive updates for patching their Windows systems against the critical Spectre and Meltdown microprocessor vulnerabilities disclosed last week.
The vulnerabilities affect a wide set of products and give attackers a way to read sensitive data in system memory, including encryption keys and passwords.
Security vendor Barkly this week surveyed 75 IT pros responsible for managing security updates at their organizations and found more than half said they had received updates for barely 25% of their vulnerable Windows systems. A surprising 26% said that none of their Windows systems had received an update even one week after Microsoft rushed them out in an out-of-cycle patch release.
The reason for the delay appears to be Microsoft's insistence that antivirus vendors set a specific registry key on customer devices, and only after they have verified their products are compatible, so that the patch does not collide with incompatible AV software, Barkly said.
According to Microsoft, AV products that make unsupported calls into Windows kernel memory could cause computers to crash once the updates are applied, so it will not offer the updates on computers that lack the required registry key. Systems that have not received the security updates are likely running incompatible AV products, and in such cases users should consult their vendors directly about addressing the problem, Microsoft has said.
The compatibility issues add to concerns that fixes for Spectre and Meltdown could severely degrade system performance — in some cases by up to 30%.
"During tests, Microsoft discovered that their new [update] was creating instability with other low-level system management and protection products, notably some antivirus technologies," says Barkly co-founder and CTO Jack Danahy.
To address this, Microsoft has made delivery of the Windows security updates contingent on the presence of a special registry key. "It has recommended that AV vendors add this key to customer devices only after they've confirmed their products are compatible," Danahy says.
The problem is that AV vendors have taken different approaches to addressing Microsoft's requirement. Some have taken it upon themselves to set the required key — even if their AV software itself is compatible. Others have recommended that users add the registry key themselves manually. Twenty-five percent of the respondents in the Barkly survey, for instance, said their AV vendor had made the change, while 20% said their vendor recommended they do it themselves manually.
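Because the update is gated on that key, an administrator's first question on a host that has not patched is whether the key is present and, if so, whether the update actually arrived. The PowerShell audit below is an added example, not code from the article, Barkly or Microsoft. It only reads and reports; it deliberately does not set the key, since setting it on a host whose AV vendor has not confirmed compatibility is the instability scenario described above. The key path and value name are taken from Microsoft's published guidance (KB4072699) and should be checked against current vendor documentation; the KB identifier is a placeholder, because the correct January 2018 update differs by Windows version.

```powershell
# Added example: audit (do not change) the AV-compatibility registry value that
# gates the Spectre/Meltdown Windows updates, and report whether a given update
# is installed. Key/value names per Microsoft's published guidance (KB4072699);
# verify them against your AV vendor's current documentation.

function Test-AvCompatKey {
    [CmdletBinding()]
    param(
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat',
        [string]$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    )
    # Microsoft expects this value as REG_DWORD with data 0.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Data = $null }
    }
    [pscustomobject]@{ Present = $true; Data = $item.$ValueName }
}

function Get-PatchReadiness {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Placeholder: replace with the January 2018 update KB for the OS build in question.
        [string]$KBArticle = 'KBxxxxxxx'
    )
    foreach ($name in $ComputerName) {
        $isLocal = ($name -ieq $env:COMPUTERNAME) -or ($name -ieq 'localhost')
        if ($isLocal) {
            $key    = Test-AvCompatKey
            $hotfix = Get-HotFix -Id $KBArticle -ErrorAction SilentlyContinue
        } else {
            # Remote hosts need WinRM enabled for Invoke-Command.
            $key    = Invoke-Command -ComputerName $name -ScriptBlock ${function:Test-AvCompatKey}
            $hotfix = Get-HotFix -Id $KBArticle -ComputerName $name -ErrorAction SilentlyContinue
        }

        # Three states matter to the reconciliation with the AV vendor:
        #   Patched                -> update present, nothing to do
        #   KeySet-AwaitingUpdate  -> key is correct, update not yet delivered
        #   NoKey-UpdateBlocked    -> Windows Update will withhold the patch
        $state = if ($hotfix) { 'Patched' }
                 elseif ($key.Present -and $key.Data -eq 0) { 'KeySet-AwaitingUpdate' }
                 else { 'NoKey-UpdateBlocked' }

        [pscustomobject]@{
            Computer   = $name
            KeyPresent = $key.Present
            KeyData    = $key.Data
            Update     = $KBArticle
            Installed  = [bool]$hotfix
            State      = $state
        }
    }
}

# Usage: list the fleet and compare the 'NoKey-UpdateBlocked' rows against each
# host's AV product and version before contacting the vendor.
Get-PatchReadiness -ComputerName 'ws01', 'ws02' -KBArticle 'KBxxxxxxx' | Format-Table -AutoSize
```

A host in the `NoKey-UpdateBlocked` state is one where the AV vendor has either not confirmed compatibility or has left the key to the customer, which is exactly the group the survey found waiting; grouping the output by AV product and version also surfaces the mixed-version risk Danahy describes, where a key added fleet-wide lands on builds the vendor never tested.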
Compounding the situation is the fact that many organizations do not appear to be aware of Microsoft's stipulation. Forty-six of the respondents in the survey did not know about the need for a specific registry key, making it unlikely they would contact their AV vendor about it. And many AV vendors themselves do not appear to have been very proactive in informing customers of what's going on. Only 42% of respondents in the Barkly survey said their AV vendor had notified them regarding their product's compatibility with the patch.
"There is an added risk here that organizations running multiple AV products, or running varying versions of AV products, may find themselves adding the key universally and causing these stability problems to surface on mismatched versions," Danahy says.
Issues with patch updates are certainly not new. Even with critical vulnerabilities such as Meltdown and Spectre, enterprises often adopt a make-haste-slowly approach to deploying patches for fear of disrupting their systems. If patches are not tested properly, they can often break systems and cause more problems for organizations than if the patches had not been deployed at all.
Even so, concerns about attackers exploiting unpatched vulnerabilities have pushed enterprises to patch more quickly these days. A new survey by Tripwire and Dimensional Research released this week shows that a majority of organizations — 78% — patch all detected vulnerabilities on their network within 30 days of discovery. About four in 10 do it in less than 15 days, while 46% said they'd probably not wait more than seven days in order to start patching vulnerabilities.
"Some organizations are very prompt, automatically acquiring and applying patches as soon as they are available," while others lag, Danahy says. With the updates for Spectre and Meltdown, organizations appear to be more inclined to patch quickly, he notes.
"I think that we are seeing a much more responsive community to this particular patch," he says. "But it is an 80/20 proposition, where 80% are being even more prompt than they ordinarily would be, but the other 20% is probably going to lag behind by an even longer testing interval."