Intel microcode updates complicate admin patching duties
March Patch Tuesday adds several more mitigations for the Spectre and Meltdown exploits, this time for 32-bit server and client operating systems.
As Intel microcode updates continue to trickle out to close CPU exploits, Microsoft chipped in with mitigations for Spectre and Meltdown in its March Patch Tuesday security updates.
Microsoft released fixes for more than 70 unique common vulnerabilities and exposures (CVEs), adding Spectre and Meltdown mitigations for its supported 32-bit operating systems on the client side (Windows 7 and Windows 8.1) and for servers (Windows Server 2008 and Windows Server 2012). Administrators should remain vigilant about the CPU bugs that affect every workstation and server system, but there still are no active attacks against Meltdown or Spectre, said Jimmy Graham, director of product management at Qualys Inc., based in Redwood City, Calif.
The most likely method of attack to exploit the bugs is through browsers, but all major browser vendors patched their products to lower the risks associated with the Spectre vulnerability. That means there's not as much pressure on IT departments to deploy patches without first undergoing thorough testing.
"Systems are not fully remediated, but mitigated enough to where an attack is not really feasible," Graham said.
Issues around Intel microcode updates stagger admins
Some administrators who pushed out the initial Intel microcode updates to correct the vulnerabilities and Microsoft's fix for the Meltdown exploit in January without testing the patches ran into trouble -- forcing many IT departments to undo the corrections. Microcode is the abstraction layer that consists of hardware-level instructions that tell the CPU how to operate.
Security updates come like clockwork every Patch Tuesday, but the lack of a tool that helps IT manage the stream of driver and firmware updates associated with the Spectre and Meltdown bugs blindsided the industry, said Chris Goettl, director of product management at Ivanti, based in South Jordan, Utah.
Intel and Microsoft made corrections to their damaged releases, but many administrators are in unfamiliar territory without a viable tool that can track and apply firmware updates. Up until this rash of CPU bugs emerged, hardware vendors issued firmware updates on an infrequent basis.
Even organizations that can afford Microsoft System Center need additional tools and discussions with their hardware vendors to apply the correct Intel microcode updates for the right operating system, Goettl said.
"Management at the firmware level is kind of a gaping hole in most people's security programs," he said. "It's a complicated issue."
March Patch Tuesday addresses Exchange Server exploit
On the server side, administrators should concentrate on patching Exchange Server systems affected by an elevation of privilege vulnerability (CVE-2018-0940) rated as important.
On an unpatched system, Outlook Web Access does not properly sanitize malicious URLs in emails, which could allow an attacker to construct a fake logon page to trick users into sharing their login information. The attacker could target a specific organization to collect credentials with the intent of doing more harm. The March Patch Tuesday security update fixes the way Exchange rewrites links in an email.
"Attackers could phish some of a company's users to try to get onto their systems internally and keep poking around until they get the level of access they need to keep moving around the environment," Goettl said.
The March Patch Tuesday security updates also addressed a remote code execution vulnerability (CVE-2018-0886) in the Credential Security Support Provider (CredSSP) authentication protocol. The vulnerability affects all supported client and server versions of Windows. Remote Desktop Protocol (RDP) servers and clients need Group Policy settings enabled to close the CredSSP vulnerability. Microsoft plans to close all aspects related to this bug with additional updates in April and May, according to the company's bulletin for CVE-2018-0886.
"It makes sense to do this kind of rollout that gives organizations the chance to make sure that both [RDP servers and clients] are updated," Graham said.
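Because the CredSSP mitigation only takes effect once the matching Group Policy setting is in force on both RDP clients and servers, administrators will want a quick way to see which machines still carry the vulnerable setting. The PowerShell audit below is an added example and is not from the article or from Microsoft; it reads the policy's registry value, AllowEncryptionOracle under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters (the location Microsoft's CVE-2018-0886 guidance documents for the Encryption Oracle Remediation policy), and the host names in the usage line are placeholders.

```powershell
# Added example: report the CredSSP "Encryption Oracle Remediation" policy state per host.
# Value meanings follow Microsoft's CVE-2018-0886 guidance:
#   0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable.
# An absent value means the OS default applies, which Microsoft changed in the
# follow-up updates the article mentions, so it is reported separately.
# Remote reads need the Remote Registry service running on the target.
function Get-CredSspOracleState {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $keyPath   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    $valueName = 'AllowEncryptionOracle'
    $meaning   = @{ 0 = 'ForceUpdatedClients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

    foreach ($computer in $ComputerName) {
        try {
            $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            $key  = $hive.OpenSubKey($keyPath)
            $raw  = if ($key) { $key.GetValue($valueName) } else { $null }
            $hive.Close()

            $setting = if ($null -eq $raw) { 'NotConfigured (OS default)' } else { $meaning[[int]$raw] }
            [pscustomobject]@{
                ComputerName = $computer
                Setting      = $setting
                NeedsReview  = ($raw -eq 2)   # explicitly Vulnerable: flag for remediation
            }
        } catch {
            [pscustomobject]@{
                ComputerName = $computer
                Setting      = "Error: $($_.Exception.Message)"
                NeedsReview  = $true          # could not verify, so treat as unreviewed
            }
        }
    }
}

# Usage (placeholder host names):
# Get-CredSspOracleState -ComputerName 'rdp-host-01','rdp-host-02' | Format-Table -AutoSize
```

Run it against both the RDP servers and the client estate, since a mismatch between the two sides is what the staged April and May updates are meant to avoid breaking.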
The only critical vulnerabilities addressed by March Patch Tuesday centered on web browsers or technologies related to browsers. Administrators who handle patching for Windows clients should prioritize applying the updates for systems that employees use to browse the internet.
For more information about the remaining security bulletins for March Patch Tuesday, visit Microsoft's Security Update Guide.
Tom Walat is the site editor for SearchWindowsServer. Write to him at [email protected] or follow him @TomWalatTT on Twitter.