After weeks of ups and downs, what is the current status of Meltdown and Spectre patches — and what have we learned from the process, overall?
On Tuesday, February 20, seven weeks after initial details regarding Meltdown and Spectre were leaked to the general public, Intel announced it was officially rolling out revised microcode updates designed to help mitigate the flaws.
Of course, this is the second time Intel has issued microcode updates. The company's first attempt was cut short and reversed following reports of the updates causing reboots and "unpredictable system behavior." Intel was forced to recommend customers halt deployment of the patch. Microsoft even issued an emergency Windows update that effectively disabled it.
Considering all that drama, it's perhaps no surprise Intel's latest announcement was met with headlines like these:
Suffice it to say a healthy amount of skepticism and frustration has built up, not just around these specific updates, but around Meltdown and Spectre, in general. Considering how deeply these flaws are embedded (the underlying problem resides in modern CPU architecture), and how far-reaching the impact is (nearly every operating system and device has been affected), that's certainly understandable.
Due to the nature of the vulnerabilities, mitigating them requires a patchwork of fixes. As a result, sysadmins and IT departments have suddenly found themselves responsible for testing and juggling a slew of patches — OS updates, browser updates, VM and firmware updates, oh my!
These patches have been rolled out in fits and starts, often covering only some versions of their products but not others, while addressing only certain aspects of Meltdown and Spectre but not all of them.
To top it all off, there have been compatibility issues. In addition to Intel's buggy microcode update, Microsoft revealed certain antivirus software was causing updated Windows machines to crash. In response, the company made delivery of Windows security updates contingent on the presence of a special registry key, which it instructed all AV vendors to add to customer devices only after they confirmed their products were compatible.
In short, it's been a bumpy ride.
So where do things currently stand with patching? And how worried about or protected from Meltdown and Spectre do organizations truly feel? To find out, we conducted a survey of IT and security pros responsible for managing security updates at their organizations. This survey serves as an interesting follow-up to an initial study we conducted one week after the vulnerabilities were disclosed.
Here's what we found.
One day after the disclosure of Meltdown and Spectre, Microsoft released an out-of-band security update designed to provide mitigation for Meltdown (CVE-2017-5754) and Spectre variant 1 (CVE-2017-5753). When we conducted our survey one week later, however, more than half the respondents said fewer than 25% of their organization's machines had received the update. One in four organizations said none of their machines had received the update.
As noted above, the delay can largely be attributed to Microsoft's decision to withhold the update from devices running third-party antivirus (AV) software until AV vendors could confirm they had tested/updated their software and there would be no incompatibility issues. Vendors were instructed to confirm compatibility by setting a special registry key on customer machines. Only then would those devices receive the Windows update.
Note: Due to incompatibility issues, Microsoft also initially withheld the update from devices with AMD processors.
Unfortunately, not all admins were immediately made aware of these issues and requirements, and in those cases the lack of the update was cause for confusion.
One week following the release of Microsoft's emergency January Windows update, one third of organizations were not aware antivirus solutions were causing incompatibility issues.
Just over half of the organizations we surveyed at that time said they were aware Microsoft was requiring AV vendors to set a special registry key before their machines could receive the update.
A week-and-a-half later, the percentage of companies that were aware of the registry key requirement had increased to 80 percent.
Adding to the initial confusion was the fact that response from AV vendors varied, with some setting the registry key for their customers and others recommending users set it themselves, manually. The situation only got more complicated considering many organizations had more than one AV installed.
Once information and instructions finally began circulating more widely, the percentage of devices receiving and implementing the update grew.
One month following the release of the January Windows update, however, 33% of organizations still report 25% or fewer of their devices have received and implemented the patch.
Things are moving even more slowly on the firmware front, with Intel releasing an initial wave of microcode updates on January 12, only to discover they were causing instability issues. The company eventually urged OEMs not to install the updates, and only began issuing revised updates earlier this week.
One week following Intel's initial release of microcode updates, 68 percent of the organizations we surveyed said roughly 25 percent or fewer of their devices had been patched. Nearly 30 percent said none of their machines had been patched.
Two weeks later, following the news of incompatibility issues, 33 percent reported none of their machines were patched. On the other side of the spectrum, however, 28 percent reported that, by that time, the faulty firmware updates had already been deployed to 75 percent or more of their machines.
Only 15 percent reported having to roll back faulty firmware updates, but it's clear frustration has been mounting.
Two thirds of our survey respondents expressed concern that the lack of stable firmware updates was leaving their organization vulnerable to Spectre variant 2 (CVE-2017-5715). But they were equally concerned the next patch designed to mitigate it will cause performance or stability issues.
Because the only truly fool-proof fix for Spectre variant 2 is replacing CPU hardware, experts have been warning it's a flaw that will be haunting the tech industry for years to come.
But another equally damaging part of its legacy might be a lingering hesitancy on the part of organizations to deploy patches in a timely manner.
The majority of the IT pros we surveyed (56 percent) said they have purposefully held off on applying updates and plan to do so only after testing for compatibility and performance issues (wisely so).
23% say they may not apply patches at all in cases where they anticipate a significant hit to performance.
If Meltdown and Spectre have taught us anything, it's how problematic and painful patching can sometimes be. There's no guarantee patching will go quickly or smoothly, even under the best circumstances. Companies need to have a Plan B in place that involves securing vulnerable machines or taking them off the network if patching isn't immediately in the cards.
Unfortunately, half the organizations we surveyed don't currently have such a plan in place.
Of those organizations that do have a strategy, 69% have concerns about its reliability and effectiveness.
While taking vulnerable machines off the network is often the safest option, it's not always the most practical. That leaves securing machines against any attempt to exploit vulnerabilities, which can be accomplished in part with Barkly's patented endpoint protection. Thanks to its use of a hypervisor, Barkly has deeper visibility than any other endpoint protection available. It can see when attackers attempt to bypass system barriers, even at the kernel level, and it blocks a wide variety of exploit techniques in real time.
Windows users: To help confirm whether updates have been implemented correctly and determine which variants machines are still vulnerable to, Microsoft has provided a PowerShell script that system administrators can run to test Meltdown and Spectre mitigations.
Instructions for conducting the test and reviewing the results can be found here.
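As an added example (not from the original post and not Microsoft's own script), the following PowerShell audit ties together the two checks discussed above: it reports whether the AV-compatibility registry value that gates the January Windows update is present, then queries Microsoft's SpeculationControl module for Meltdown and Spectre variant 2 mitigation status. The registry path, value name and the module's property names are taken from Microsoft's published guidance rather than from this page; the module is assumed to be installed from the PowerShell Gallery.

```powershell
# Added example: read-only audit of Meltdown/Spectre patch status on a Windows host.
# Assumptions: registry key/value and SpeculationControl property names follow
# Microsoft's public guidance; install the module once with
#   Install-Module SpeculationControl -Scope CurrentUser

$compatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatName = 'cadca5fe-e7a0-4c53-9ad8-ba0ac8fe9d82'   # value AV vendors set to signal compatibility

function Test-AvCompatKey {
    # True only if the value exists and holds the DWORD 0 that Microsoft specifies.
    $item = Get-ItemProperty -Path $compatKey -Name $compatName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$compatName -eq 0)
}

function Get-MitigationSummary {
    Import-Module SpeculationControl -ErrorAction Stop
    # The cmdlet prints a human-readable report and also returns an object with
    # the fields used below.
    $s = Get-SpeculationControlSettings

    [pscustomobject]@{
        AvCompatKeyPresent = Test-AvCompatKey
        # CVE-2017-5754 (Meltdown): mitigated if the CPU does not need kernel VA
        # shadowing, or if Windows support for it is present and enabled.
        MeltdownMitigated  = (-not $s.KVAShadowRequired) -or $s.KVAShadowWindowsSupportEnabled
        # CVE-2017-5715 (Spectre v2): needs BOTH new microcode (hardware support)
        # and the OS-side mitigation enabled; a missing microcode update shows up
        # here as SpectreV2Microcode = False even when the Windows update is in.
        SpectreV2Microcode = [bool]$s.BTIHardwarePresent
        SpectreV2Mitigated = [bool]($s.BTIHardwarePresent -and $s.BTIWindowsSupportEnabled)
    }
}

Get-MitigationSummary | Format-List
```

A host showing AvCompatKeyPresent = False explains why the January update has not arrived; SpectreV2Microcode = False with MeltdownMitigated = True is the common "OS patched, firmware still pending" state described in the survey.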
In addition, Microsoft has added capabilities to its free Windows Analytics service to help IT pros better track and manage their Meltdown and Spectre patching process. The new features include a dashboard that highlights the status of antivirus compatibility, Windows security updates, and firmware updates — all in one place for every Windows device you manage.
Linux users: A simple script has been developed to help determine whether Linux kernel installations are still vulnerable to Meltdown and Spectre after applying patches. You can find it along with installation instructions here.
Keep up with all the latest Meltdown and Spectre updates with our Clear Guide to Meltdown and Spectre Patches (updated frequently).