What we have found is that there is not one cut-and-dry answer, as no two environments are the same. What this means is that there is no website you can go to that is going to tell anyone what the "best practice" for addressing these potential vulnerabilities. Though we have found some excellent and in-depth articles describing the details of the vulnerabilities, most articles simple tell you to apply the vendor patches. While this is currently the recommended approach, it is imperative to get as much information as possible before deploying any of these patches, as they have all had some repercussion.
The only people who should be panicking right now are the folks who run Azure and AWS. All kidding aside, there is no reason for most IT professionals to be panicking and rushing to address this vulnerability. We are not saying that it should not be addressed, but as I mentioned above, gather information, and prepare a plan to address the situation in your unique environment.
So what makes your environment unique and different from every other IT infrastructure? Well, a lot of things actually:
Yes. To patch the Spectre Vulnerability, you need to update the firmware of your device. But ensure that you do research and get guidance from your manufacturer.
"Customers who only install the Windows January 2018 security updates will not receive the benefit of all known protections against the vulnerabilities. In addition to installing the January security updates, a processor microcode, or firmware, requires an update. These are available through your device manufacturer."
You might have heard that Microsoft pulled back their patches for AMD machines. The initial version of the patch that Microsoft released caused many devices to bluescreen. According to Microsoft:
"As of January 18, 2018, Microsoft has resumed updating all AMD devices with the Windows operating system security update to help protect against the chipset vulnerabilities known as Spectre and Meltdown."
On Jan 22nd, 2018, Intel updated their recommendations:
"We recommend that OEMs, Cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions on the below platforms, as they may introduce higher than expected reboots and other unpredictable system behavior."
So what this means is that Intel is recommending that we stop installing any version of the firmware updates that were released before January 22, 2018, as a method of remediating Spectre vulnerabilities. Our current advice is to stop patching intel based firmware and to check this link frequently for updated information.
The folks at Microsoft have been kind enough to do some basic performance tests, and the high-level results are below:
For more info check out this post.
Microsoft defined a registry key that needs to be set by Antivirus vendors when the Antivirus software has been tested and validated. Because of this, if the patch is installed on a machine with an unsupported antivirus, it has been known to cause computers to BSOD.
There have been reported issues with SEP and the January 9th patch. Shortly after that, on January 19, Symantec released an article addressing the problems that their customers were facing noting that the issues have been resolved in the January 17th Microsoft Updates.
When you patch a device's firmware, ensure that you suspend BitLocker and then upgrade the firmware and resume BitLocker protection. Some customers may experience devices prompting for BitLocker key entry after updating the firmware, even if not usually required. If you are using BitLocker, we recommend testing this behavior, and then consider whether to suspend BitLocker during this process.
Keeping track of Windows updates is tough nowadays. Thankfully Microsoft has provided a blog post documenting the different patches for the various operating systems that address the Meltdown / Spectre vulnerabilities. Read it here.
Post co-authored by Adam Eaddy, Consulting Architect and Cris Weber, Lead Development architect.
For more updates, follow Cris Weber and Adam Eaddy on twitter.