tashatuvango - Fotolia
Spectre and Meltdown vulnerabilities show haste makes waste
When the Meltdown and Spectre vulnerabilities came to light, everyone scrambled to find a fix. As a result, the patching process has been anything but smooth.
IT professionals, especially those with security responsibilities, faced an unpleasant surprise when the Spectre and Meltdown vulnerabilities came to light.
It was even more unpleasant to learn that the firmware changes they'd need to address the vulnerabilities -- especially variant 2 -- could take some time.
The patching efforts following the Spectre and Meltdown vulnerabilities have been rocky at best.
Understanding the basics
Spectre and Meltdown are two families of CPU vulnerabilities that affect Windows PCs. The source of these vulnerabilities is speculative execution, which is common in processor chip architectures.
Speculative execution is designed to speed up processing by having the chip guess what action to perform next. This could mean calculating all the functions that any branch in the program logic might need in advance, with the understanding that an action will be required.
Data from speculative execution gets stored in memory that lives on a CPU chip called the cache. In the cache, even protected data is exposed, so attackers can see where the data resides, which can provide a hint as to what the data is. This is called a side-channel attack because the hacker does not require direct access to the data.
Speculative execution has been built into most CPUs since the late 1990s. As a result, the Spectre and Meltdown vulnerabilities affect most Intel x86 PC chips in use today, as well as Advanced Micro Devices (AMD) and advanced RISC machine processors.
What has been patched?
Microsoft and some chip vendors, including Intel and AMD, have released patches for these vulnerabilities on Windows PCs. The chipmakers share their patches with system and motherboard makers, who then roll them out to the customers.
The first round of Spectre and Meltdown patches from Intel, Microsoft
Most of these problems occurred because the vendors rushed out the early patches before they could thoroughly test them. The reboot issues were so bad that Intel had to issue an advisory against using its initial patches for its Haswell and Broadwell processors. Also, Microsoft had to issue an update -- KB4078130 -- to reverse the effects of its initial patches.
wave of Spectre and Meltdown patches rolls in
After the first wave of patches caused so many problems, things stayed quiet as the principals -- Intel, Microsoft, AMD and others -- labored quietly in the background to address the Spectre and Meltdown vulnerabilities without compromising system stability or overly affecting performance.
Then, Microsoft issued the KB4090007 Intel microcode updates for PCs with Skylake desktop and mobile processors, which patched the vulnerabilities. Other options for obtaining a clean bill of health are the Ashampoo Spectre Meltdown CPU Checker and InSpectre. Update KB4090007 covers Coffee Lake and Kaby Lake processors from Intel, as well.
Dell, Hewlett Packard Enterprise
Of the major motherboard vendors, Asus, Gigabyte Technology, Micro-Star International
AMD has worked with Microsoft to address Spectre through OS updates -- variant 1 -- and firmware updates combined with OS patches -- variant 2. Here, again, there are mixed results. Microsoft Surface and Dell PCs, for example, test positive for Spectre and Meltdown vulnerabilities with the aforementioned tools, even if they've received updates.
What should businesses do to address the Spectre and Meltdown vulnerabilities?
IT pros should survey the CPUs the organization uses and compile a complete list. They should then compare that list to all the available updates and apply them. There are several lists out there for IT pros to choose from.
Next, IT should test patches as they become available in pilot or limited-use circumstances. Recent history shows that IT pros shouldn't just roll out patches across the board until they know that the patches won't inflict local or organizational harm.
Over time, most organizations should be able to cover the security gaps that the Spectre and Meltdown vulnerabilities pose, but it will take a certain amount of attention, diligence