Meltdown and Spectre: Current Status 01/12/2018


By Robert Meyers and Sean Andrews
The vulnerabilities known as Meltdown and Spectre were announced to the world at large last week. They are based on speculative execution, a technique that became popular in the mid-nineties to improve processor performance.
In most cases these vulnerabilities do not allow an external, unauthorized party to gain access to a system, although they could allow a party that already has access to the system to read data it is not authorized to see. However, that is only the current state. Vulnerabilities of this kind are typically weaponized into malicious websites and malware, and at that point they will become significantly more dangerous: we can expect these exploits to be used to recover all information in memory (including passwords and tokens) as well as to inject commands into the computer's processor.
As your technology partner we are working on building a strategy to aid in defending our clients. Currently that work is still mainly in testing, the same as for every other provider. We wanted to update you with our current findings.

Windows Workstations 

On average, current machines will see around six percent performance degradation from the Microsoft patches. However, there is a complication with anti-virus and anti-malware platforms that is currently being worked on: it causes boot issues and crashing. The patches have a similar impact when deployed to AMD-based machines, where similar issues are seen. As it is common to have more than one anti-virus product installed, Microsoft and the anti-virus and anti-malware providers are working on a solution together. Additionally, a new patch attempt by Intel is causing random reboots and is simply not recommended for production. Please note that older systems will see a larger impact from the patching. Our current recommendation and practice is to test and monitor. These solutions are not yet ready for widespread production without a predictable level of instability, and should be limited to administrative systems on demand.

Mac Workstations 

Currently only High Sierra is being updated by Apple. There are no errors reported so far from our testing or our partners' testing. As such, we agree with Apple's recommendation to upgrade any Macs to High Sierra (10.13.2 supplemental update) and patch. There is a performance impact; however, in testing it has appeared stable, with between 1% and 6% performance degradation.

Applications 

We are currently waiting on updates from most software vendors. Chrome should be updated on Jan 23 (as currently advised); in the meantime Google has published a recommendation to help mitigate part of Spectre. IBM will start rolling out some fixes in February, although limited information has been released so far. Microsoft currently has a series of patches for Internet Explorer, Edge and SQL. Due to the instability being seen, our current strategy is to deploy these only to administrative systems.

Anti-Virus / Anti-Malware 

We have confirmed that one of our partners' products, Webroot SecureAnywhere 9.0.18.xx, is compatible with the Microsoft patches; however, it does require that a registry key is set before the patches are deployed. A version is being developed that will place and manage this registry key (part of a Windows computer's DNA) automatically, and we recommend waiting for it.
Microsoft's own Windows Defender Antivirus, System Center Endpoint Protection, and Microsoft Security Essentials are compatible with the January 2018 security updates and already set the required registry key.
There are currently versions of Avast, Avira, AVG, ESET, F-Secure, BitDefender, Kaspersky, Sophos, Malwarebytes, and Symantec that declare themselves compatible and deploy the required registry key per Microsoft's guidelines. However, please note that Microsoft has published that future updates will also require the registry key to be set. As always, our recommendation is to keep systems under protection; however, version changes will need to be managed.

Servers 

Performance on servers can be critical, and the Microsoft and Linux patches released so far are showing very large performance degradation, often averaging 30% once patched. As such, a strategy for server protection is being reviewed; please note that as long as there is no browsing or general use on a server, there are fewer attack vectors. Patches are being refined and alternative strategies are being reviewed, including isolation. We are working with partners and monitoring industry recommendations.

Cloud Providers 

Azure, AWS and Google have been deploying mitigation.  At this time other SaaS and IaaS providers are working on independent strategies.  We are monitoring this situation. 

Firmware Updates 

Most systems will need both operating system and hardware/firmware updates to get all available protections. Intel has committed to releasing updates for more than 90% of its processor products by 1/15. AMD is making firmware updates available for Ryzen and EPYC owners this week, and the company plans to update older processors "over the coming weeks." These updates are given to the hardware manufacturers, who then have to build the BIOS updates for each system. Expect newer and higher-volume systems to have firmware updates available first. See the Additional resources section of the Microsoft article for links to OEM device manufacturers. Please note that we are waiting for more feedback from testing and community results before making full recommendations on firmware.

SCCM and WSUS 

The community has identified issues with some of the patches deployed by WSUS (and by SCCM, which uses WSUS): on some systems they do not show up as available to install. Instead the patches show up as Installed / Not Applicable, even though these systems have the anti-virus registry key in place. Even bypassing WSUS and scanning directly against Microsoft does not show the patches as needed. A TechNet forums post documents the issues the community is having. If the cause really is a requirement that older parent patches be installed first, then we expect the patches to be re-released to address this. Our strategy and recommendation at this point is to delay patching and wait for more information.
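The anti-virus registry key, the firmware section and the WSUS problem above all come down to the same per-machine questions a Windows administrator has to answer before deciding whether to patch: is the AV compatibility key set, what BIOS is on the box, and did any January update actually land? The following read-only PowerShell inventory is an added example written for this article; it is not Managed Solution's tooling and not a Microsoft script. It assumes the QualityCompat key path and value name that Microsoft documented in its January 2018 antivirus guidance (KB4072699), that Microsoft's optional SpeculationControl module from the PowerShell Gallery may or may not be installed, and that "updates installed on or after 3 January 2018" is a usable stand-in for the January rollup, since the KB number differs per Windows build and is not given in this article.

```powershell
# Added example, not from the original post. Read-only checks for the three
# things discussed above: the AV compatibility registry key, the BIOS version
# (for firmware planning), and whether any update installed in January.
# Assumptions: key path and value name from Microsoft's KB4072699 guidance;
# Get-SpeculationControlSettings is Microsoft's optional PowerShell Gallery
# module (Install-Module SpeculationControl) and is skipped if absent;
# the January cut-off date is a constructed heuristic, not a KB number.

$QualityCompatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$JanuaryUpdateStart = [datetime]'2018-01-03'   # constructed cut-off for "January updates"

function Get-AvCompatKeyState {
    # Microsoft offers the January updates only when this value exists as DWORD 0.
    $item = Get-ItemProperty -Path $QualityCompatKey -Name $QualityCompatValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Missing' }
    if ($item.$QualityCompatValue -eq 0) { return 'Set' }
    return "WrongValue($($item.$QualityCompatValue))"
}

function Get-FirmwareInventory {
    # OEM and BIOS details needed to look up a firmware/microcode update from the manufacturer.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        BiosVersion  = $bios.SMBIOSBIOSVersion
        BiosDate     = $bios.ReleaseDate
    }
}

function Get-RecentHotFixes {
    # Heuristic for the WSUS symptom: list every update installed on or after the cut-off.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $JanuaryUpdateStart } |
        Select-Object HotFixID, Description, InstalledOn
}

function Get-SpeculationStatus {
    # Microsoft's module reports whether OS and firmware mitigations are present and enabled.
    if (Get-Command -Name Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
        return Get-SpeculationControlSettings | Select-Object -Property BTI*, KVAShadow*
    }
    return 'SpeculationControl module not installed'
}

$report = [pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    OSVersion     = (Get-CimInstance -ClassName Win32_OperatingSystem).Version
    AvCompatKey   = Get-AvCompatKeyState
    Firmware      = Get-FirmwareInventory
    RecentUpdates = @(Get-RecentHotFixes)
    Speculation   = Get-SpeculationStatus
}

# Print as JSON so the nested firmware and update lists stay readable and can be
# collected from many machines for planning.
$report | ConvertTo-Json -Depth 3
```

Run it in an elevated PowerShell session on each candidate machine. A machine reporting AvCompatKey = Missing is one that WSUS will not offer the January updates to at all; a machine with the key Set and an empty RecentUpdates list matches the "Installed / Not Applicable" symptom described above and is worth holding back until the patches are re-released. The Firmware block gives the manufacturer and BIOS date needed to check the OEM links below for a firmware update.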
Microsoft  https://support.microsoft.com/en-us/help/4073757/protect-your-windows-devices-against-spectre-meltdown
Google  https://support.google.com/faqs/answer/7622138#chromeos
Apple  https://support.apple.com/en-us/HT208394
Ubuntu  https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
Red Hat  https://access.redhat.com/security/vulnerabilities/speculativeexecution
Linux Mint  https://blog.linuxmint.com/?p=3496
Oracle
IBM  https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/
nVidia  https://nvidia.custhelp.com/app/answers/detail/a_id/4611
Intel  https://security-center.intel.com/advisories.aspx
Arm  https://developer.arm.com/support/security-update
Intel (reboot issues)  https://newsroom.intel.com/news/intel-security-issue-update-addressing-reboot-issues/
AMD  https://www.amd.com/en/corporate/speculative-execution
Mobile News  https://9to5google.com/2018/01/10/meltdown-spectre-android-updates/

 


Managed Solution customers that do not have a managed service agreement could contact their account executive to discuss further details.

Not a current customer? Contact us today to get started 858-429-3084


Meltdown And Spectre: What, When, Who, How. What Is Managed Solution Doing To Support Our Clients?


By Rob Meyers, Director Of Systems Architecture, MCITP, MBSP, MCSE
By now you've probably seen the news. There are exploits based on flaws in CPU (processor) design, called Meltdown and Spectre. The number one issue the industry is seeing with these exploits is very simple: they are based on a fundamental design used in most microprocessors.
Please note that all the major manufacturers are rapidly working on software solutions to this exploit. This does not mean it will be 100% fixed immediately.

What is it?

A new technique was found to inject data into or remove data from RAM. It works by exploiting a flaw in microprocessors, which stems from the way a microprocessor uses speculation to accelerate its performance. It splits instructions between the cache on the CPU and RAM; as time goes on it trades pieces from RAM into the cache and then clears the cache out. This is done speculatively in order to speed things up: yes, your CPU guesses what it needs to do next. If it guesses correctly, the CPU moves on to the next instruction; if not, it guesses again. This is the source of the vulnerability. The exploit allows data to be retrieved from the cache, injected into the cache, or read directly from memory. Oddly enough, despite having two names, Meltdown and Spectre, there are actually three exploits.

When did this occur?

These exploits were documented in June and July 2017. They were not made public until this week.

Who is using the exploits?

When an exploit is used with malicious intent, it is referred to as being used in the wild or found in the wild. As of yet, these exploits have not been found in the wild. However, the techniques and technology behind them, along with example code, have been found on public websites. The reason is that after six months people felt that something should be able to be done about it. However, not everything is ready to go at this point.

How does this affect me?

This is one of the most extreme vulnerabilities ever found on a computer. It affects most computers built from 1995 to today. If you have a current operating system on your computer, you should be able to patch to protect yourself against this. However, if your system is not up to date, not under support, or cannot get patches, you need to upgrade and patch. As of right now, it would be normal to consider defending yourself against this exploit. We do not know when this will hit the wild, or if it already has.
The impact is going to be felt on most computers made since 1995 in addition to most modern cell phones (e.g. iPhone and Android), tablets and even smart watches. Currently there is disagreement as to whether the Apple Watch is impacted, though the more technical responses seem to believe it is.

Will there really be a performance impact?

Intel, Microsoft, Google, Apple, AMD, and a huge plethora of coders throughout the world are currently working on solutions for this. The current solutions can have a drastic impact on performance. For a workstation it is normal to see 2% to 3% degradation, although more has been experienced. Servers can expect a significantly higher performance hit: the average consensus seems to be about 30% impact on traditional servers, though a range between 17% and 50% has been noted.
In our testing, a computer running Windows 10 (1709) was noticeably impacted. It did not, however, render the computer inoperable, simply slower with a little more lag.

What should I do?

You will see some websites simply recommend throwing away your microprocessor. Obviously, this is not realistic. In general, you should consider two things. The first is to patch and accept that there will be a performance impact. The second is to work on regularly changing your password (at least once a month, if not more often). When large exploits are public, it is better to use throwaway passwords than to expect to be protected when you may not be.

What is Managed Solution doing?

For all of our Managed Service clients
1. Monitor released patches (Meltdown is the current focus; for Spectre, more patches are expected over time)
2. Test released patches
3. Patch or work with clients to patch systems
4. Recommend that all users change their passwords at least once per month

Do you have any news links or anything in the public for this?

Do you have anything a bit more technical?

Start here:
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
https://www.kb.cert.org/vuls/id/584653

Then for Spectre:
Spectre - Variant 1: bounds check bypass (CVE-2017-5753)
Spectre - Variant 2: branch target injection (CVE-2017-5715)

https://spectreattack.com/spectre.pdf

For Meltdown:
Meltdown - Variant 3: rogue data cache load (CVE-2017-5754)
https://meltdownattack.com/meltdown.pdf

About the Author:
Robert Meyers is the Director of Systems Architecture at Managed Solution in San Diego, California. He holds well over a dozen current certifications on products ranging from Windows Server 2008 to Private Cloud. Robert has had a diverse career, beginning in 1991, which has included owning an internet service provider and a managed services provider.
Since joining Managed Solution, he has been published as an "Industry Ally" in San Diego Magazine's Top Tech Exec Awards 2011, in addition to being staff-nominated twice, and was a regular at the Microsoft Management Summit. Today he is an avowed technical evangelist, blogger and systems architect.
