Meltdown and Spectre Update: Patching Suspended

Damned If You Patch, Damned If You Don’t

The furore over Meltdown and Spectre continues. Not only have an abundance of (seemingly rushed) patches been released this week and last, but Intel and Microsoft have finally confessed to performance impacts across workstations and servers. With no single authoritative voice on the full extent of these impacts, we have decided to suspend patching by default across our client estate this week until we have verified (or nullified) the claims made.

An overly precautionary step? Not when you read on to learn of just a few of the post-patch issues reported. 

Blue Screens and a New Patch Pre-Requisite

The blue screens seen by many early adopters on reboot were caused by antivirus products that make unsupported calls into Windows kernel memory; after the kernel changes in the January 2018 update, those calls produce a Stop error at boot. To prevent this, Microsoft has introduced a fundamental change to the patching process: a machine will not be offered the January 2018 security updates, or any subsequent security updates, until a compatibility flag is present in the registry (a REG_DWORD named cadca5fe-87d3-4b96-b7fb-a231484277cc with value 0, under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\QualityCompat). The flag is meant to be written by the antivirus vendor once it has confirmed its product is compatible; setting it by hand on a machine that still runs an incompatible product simply reintroduces the crash.

This is a significant change, but according to Trend Micro the registry key is only required when updates are delivered through Windows Update (Microsoft's guidance says the same for WSUS); the standalone packages from the Microsoft Update Catalog do not check for it.
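The following PowerShell is an added example, not code from the original post or from Options, Microsoft or any antivirus vendor. It reports whether the QualityCompat flag is present on the local machine and lists hotfixes installed since the January 2018 release, so the two can be compared against a patch report. The registry path and value name are the ones Microsoft published; the cut-off date used for the hotfix listing is an assumption, and the function that writes the flag is included only to show the exact value expected, not as a recommendation to bypass the antivirus vendor.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# Registry location and value name as published by Microsoft for the January 2018 updates.
$QualityCompatPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\QualityCompat'
$QualityCompatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-QualityCompatState {
    # Returns 'NotSet', 'Set' or 'Unexpected' depending on what is in the registry.
    if (-not (Test-Path -Path $QualityCompatPath)) { return 'NotSet' }

    $item  = Get-ItemProperty -Path $QualityCompatPath -Name $QualityCompatName -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.$QualityCompatName } else { $null }

    if ($null -eq $value) { return 'NotSet' }
    if ($value -eq 0)     { return 'Set' }        # the documented value is REG_DWORD 0
    return 'Unexpected'                           # present but not 0: find out who wrote it
}

function Set-QualityCompatFlag {
    # Writes the flag exactly as Microsoft documents it. This is the antivirus vendor's job;
    # only do this manually once the vendor has confirmed the installed product is compatible.
    if (-not (Test-Path -Path $QualityCompatPath)) {
        New-Item -Path $QualityCompatPath -Force | Out-Null
    }
    New-ItemProperty -Path $QualityCompatPath -Name $QualityCompatName `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-RecentHotFix {
    # Hotfixes installed on or after the assumed release date of the January 2018 updates.
    $cutoff = [datetime]'2018-01-03'   # assumption: first January 2018 out-of-band release
    Get-HotFix |
        Where-Object { $null -ne $_.InstalledOn -and $_.InstalledOn -ge $cutoff } |
        Select-Object HotFixID, Description, InstalledOn
}

switch (Get-QualityCompatState) {
    'NotSet'     { Write-Output 'QualityCompat flag NOT set: Windows Update and WSUS will withhold the January 2018 updates.' }
    'Set'        { Write-Output 'QualityCompat flag set (REG_DWORD 0): this machine is eligible for the January 2018 updates.' }
    'Unexpected' { Write-Output 'QualityCompat flag present with an unexpected value; confirm it was written by the AV vendor.' }
}

Write-Output 'Hotfixes installed since the January 2018 release:'
Get-RecentHotFix | Format-Table -AutoSize
```

Run the script as part of the pre-patch check on each test machine: a machine reporting 'NotSet' that also has no January hotfixes is behaving exactly as Microsoft described, whereas a machine reporting 'Set' with an antivirus product that has not yet declared compatibility is the case to investigate before letting it into the patch cycle.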

Performance Impacts Across Desktops and Servers

The uncertainty we reported last week hasn’t abated. Every major news and tech blog on the web continues to report their own (and, in some cases, exaggerated) figures on the performance hits caused by the Meltdown and Spectre patches.

According to Microsoft, the average user on a current operating system (Windows 10) with recent silicon should not notice any degradation, as the measured slowdowns are in the single-digit percentages. Users of older operating systems such as Windows 7 and 8, particularly on older processors, should expect a noticeable decrease in overall performance.

Testing Times Call For Robust Testing 

We know that patching can sometimes break things (which is why the standard Options protocol is to test, test, and test again before deploying across client desktops). We continue to work closely with Ivanti and our antivirus vendor as we rigorously perform internal tests on all Meltdown and Spectre related patches released. We have set up test machines on varying OS versions, along with Nagios agents to monitor performance over the next few days. So far, we haven't detected anything alarming, but our desktop management team remains vigilant.

Our clients are aware of the patching pause as we continue our test period, and appreciate that we don't take a gamble on their estate. They can elect to "opt in" to this week's patching cycle if they wish, but we caution them about the aforementioned issues experienced with premature remediation.

Final Thoughts

If nothing else, these vulnerabilities highlight the intricacies vendors are faced with in producing patches for multiple software and hardware versions, and the interconnected nature of shared vulnerabilities in today’s IT world. Despite the complexity, Microsoft, Intel and other major vendors need to stabilise the patches, and to do it quickly.

Sophie McDonald, Options Security Specialist
