Update: Tuesday, February 20
We are happy to announce that SE has begun pushing Microsoft patches to mitigate the Meltdown and Spectre vulnerabilities. If you have subscribed to our patching services under SE Essentials, SE Secure, SE Desktop Defense, or SE Monitoring, you will receive these during your next scheduled update window.
While these vulnerabilities were announced back in early January, and Microsoft has released a number of iterative updates, it is our job to evaluate each of these to determine if they are complete and stable. We do this to minimize the risk of disruption and rework that would result from simply pushing updates as soon as they become available. It should be noted that these patches do not eliminate the vulnerabilities; manufacturers are still working to develop software and firmware (microcode) updates to further mitigate these vulnerabilities.
As mentioned in an earlier update, there is still the possibility of users experiencing a degradation in their PC's performance. The older the PC hardware and Operating System versions, the greater the impact may be.
If you have questions, please email us at firstname.lastname@example.org or contact your SE Account Manager. We will continue to post updates as we learn more.
Update: Tuesday, January 23
While we continue to wait on stable vendor updates, this is a good time to set expectations around how the patch, for Meltdown in particular, may impact the performance of your desktop or laptop workstations. The simple rule of thumb is the older the workstation, the greater the reduction in performance will be. Those bought in the last two years may see no impact, while older desktops and laptops may see a 10-20% reduction in performance. This also depends on what you are using your workstation for; basic office tasks may see little impact regardless of age of the workstation while graphic design applications like Adobe InDesign or AutoCAD could experience noticeable delays.
The same applies to servers and database servers in particular. If the server is running on older hardware and is already consuming most of the available CPU cycles, end-users could experience a slowdown.
All of the above is why Systems Engineering has not rushed to simply push out patches. We will proceed as follows:
- The immediate risk does not justify a rush to patch,
- We continue to wait on stable patch releases,
- The remediation process has to take into consideration a number of factors that will vary from customer to customer.
Update: Tuesday, January 16
Our Vulnerability Response team at SE continues to explore the various vendor fixes which include software patches and firmware updates; however, we feel these have not reached a level of stability that we can deploy to clients. As mentioned in the last update, one of the challenges of Meltdown and Spectre is that all the affected vendor products must have a stable fix, validated against one another, before they can be installed in the right sequence.
The Vulnerability Response team at SE consists of key individuals from our security, infrastructure, engineering, monitoring, urgent response, software, and product teams. We will continue to research, communicate, and meet on a regular basis until there is an actionable remediation plan in place. Until that happens, we will update this blog on a weekly basis.
Update: Tuesday, January 9
We are continuing to evaluate the risk and viability of the available software patches for these vulnerabilities. We have discovered that patches from various software vendors have their own issues and/or dependencies that we need more time to test before rolling out a remediation plan. As such, we are not comfortable issuing a fix that might prove to be ineffective and/or cause unexpected degradation in performance to operating systems, SQL databases, hyper-visors, and more.
The next update is planned for early next week unless new information develops between now and then.
Original Post: Friday, January 5
Systems Engineering (SE) is aware of the latest vulnerabilities, known as Spectre and Meltdown, that are affecting a very large population of computers. We are researching the vulnerabilities and formulating our response.
Early reports indicate that software patches to address the vulnerabilities could slow down computers by as much as 30%, so we need to vet the viability of the patches. As always, having a layered approach to security is your best protection against the exploitation of vulnerabilities like this.
Software patches are being released to address the CPU vulnerabilities known as Meltdown and Spectre. These patches will then be put through our standard vetting process required to minimize the risk of unintended outcomes such as degraded performance impact, that initial analysis has indicated. We are also contacting our third-party service providers to understand more about their exposure and remediation plans.
At this point it is worth a deeper discussion on how these vulnerabilities work and the risk these represent.
First, why are there two names for this vulnerability, Meltdown and Spectre? Both attacks are similar in that they take advantage of how the computer processor manages data from applications (user programs) but, execute in slightly different ways. The effect is that, as the processor is managing data from an application, it moves it between various memory areas.
These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages, and even business-critical documents.
So what is your risk of an attack due to Meltdown and Spectre? Risk is defined in a formula defined as probability multiplied by the impact. In this case, the probability is "low" given the complexity of the exploit and the need for the attack to first get through all the layers. However, the impact is labeled "high" because, should the attacker have the adequate exploit tools to penetrate various layers of security, they could obtain a high level of control over the PC or server. This would provide the attacker the ability to take control of other systems on a network resulting in a breach of any sensitive data that is found. For this particular vulnerability, SE is suggesting the risk is medium to medium-high.
Meltdown and Spectre Risk = Probability (low) x Impact (high) = medium/medium-high
We strongly recommend addressing the vulnerability through patching of operating systems and other affected system software with the understanding that we have the time to make sure the process is complete and minimizes the risk of disruption.