Stats & Trends
Jonathan Crowe
Jan 2018

1 in 4 Organizations Has Not Received the Windows Meltdown and Spectre Update

meltdown-spectre-updates-statistics

In the race to patch machines against Meltdown and Spectre, a surprising number of organizations are being left in the dark.

News of Meltdown and Spectre — two CPU vulnerabilities affecting nearly all operating systems and devices — has resulted in a mad race by vendors to release patches that can help mitigate the flaws. Last Wednesday, Microsoft even took the unusual step of releasing out-of-band security updates for Windows 10, Windows 8.1, and Windows 7.

But not all organizations are receiving them. 

1 in 4 organizations hasn't received the update

To get better insight into how organizations are dealing with Meltdown and Spectre, we conducted a survey of IT and security pros responsible for managing security updates at their organizations. 

We found that at half the organizations we surveyed, less than 25% of machines have received the update. 

26 percent of respondents say they don't have any machines that have received the update, a week after it was first made available. 

Microsoft has acknowledged the update has incompatibility issues with third-party antivirus (AV) software and AMD processors, and has restricted delivery of the update accordingly. 

Specifically, it has made delivery of the Windows security updates contingent on the presence of a special registry key, which it has instructed all AV vendors to add to customer devices only after they've confirmed their products are compatible and won't cause system crashes. 

This deserves reiterating — Microsoft will not deliver the Windows update unless the following registry key exists:

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD”
Data="0x00000000”

This has created a lot of confusion, especially since the response from AV vendors has varied, with some setting the registry key for their customers and others recommending users set it, themselves, manually. The situation only gets more complicated considering many organizations have more than one AV solution installed. 

Microsoft has issued an explanation on its support site.

The problem is not everyone is getting that memo. 

A third of IT pros we surveyed weren't fully aware of AV incompatibility issues 

Nearly half (46 percent) weren't fully aware that Microsoft is requiring them or their AV vendor to create a registry key. 

The onus has apparently been put on AV vendors to address the issue with their customers, but it's clear that somewhere along the way communication is breaking down. As a result, many organizations are being left in the dark (and potentially unprotected). 

Only 42 percent of respondents say their AV vendor has notified them regarding their product's compatibility with the patch. Nevertheless, 64 percent say they were able to determine their AV was compatible. 6 percent reported experiencing system crashes due to the update.

In terms of setting the registry key, 25 percent of respondents say their AV vendor added it for them, while 20 percent say their AV vendor recommended that they add it themselves, manually.

Of those respondents who were advised to add the registry key manually, roughly 50 percent say they have already done so, though 59 percent expressed at least some concern the action might cause issues. 

Lingering confusion and concern 

In addition to creating confusion, these issues have made it frustratingly difficult for organizations to confirm whether or not their machines are in fact up-to-date with the latest protection from Meltdown and Spectre. To help, Microsoft has also provided a PowerShell script that system administrators can run to verify whether the new Meltdown and Spectre mitigations are present or not.

Unfortunately, news that this tool is available also hasn't reached everyone who could benefit from it — only 41 percent of the IT pros we surveyed were aware of the PowerShell script and only 19 percent say they have run the test. Of those that have, more than a third found the results to be unclear or inconclusive. 

80 percent of respondents say the update process hasn't been entirely clear, overall, and that lack of clarity is leaving many with questions and concerns. Two thirds have expressed concern that this issue isn't fully under control. 

Help with understanding and installing Meltdown and Spectre patches

If you've been struggling to keep up and make sense of all the patches being released you're not alone. The general advice is not to panic and to take the time to properly assess, test, and carefully implement updates as they are made available. We've put together a quick guide that can help. 

It walks through the major updates to operating systems and browsers, explains what they do to address Meltdown and/or Spectre, what they don't address, and any known compatiblity or performance issues that have been reported. 

Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical point of view.

blocks-attack-grey-circle.svg

Stay informed

Get the latest on Meltdown, Spectre, and other security news by signing up to the Barkly blog.

Subscribe now

Comments

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.