Meltdown-Spectre: Four things every Windows admin needs to do now
The confetti from New Year’s Eve celebrations had barely been swept up before the first major security incident of 2018 arrived. News of a serious security flaw in modern processors broke on January 2, after engineers at every big technology company had spent a feverish few weeks and months dissecting the problem of “speculative execution side-channel attacks” and building fixes.
Meltdown and Spectre are impressively ecumenical in their ability to create havoc, affecting devices running nearly every desktop and mobile operating system. (BleepingComputer has an excellent list of advisories, patches, and updates for both vulnerabilities.)
And while software patches can mitigate the effects for now, the long-term solution involves fundamental changes to CPU design that could take years to reach the market.
One week after the (premature) public disclosure of the details of these attacks, we now know enough to survey the threat landscape and plan the long-term response.
The first order of business is: Don’t panic. The tech press loves to treat security incidents like this one as apocalyptic, but the reality is that you have time to devise a comprehensive response. “Ready, fire, aim” is rarely a good strategy, especially when there are no known exploits in the wild at this time.
If you’re responsible for one or more PCs in your business, the rest of your response plan is straightforward. Here are four key things to focus on right away.
1. Be prepared to install firmware updates for PC hardware.
Some of the worst flaws can be ameliorated with UEFI firmware and BIOS updates, using microcode supplied by the maker of that component and adapted for each specific PC model. In the case of Microsoft Surface devices and Apple-branded hardware, these updates arrive along with regular security and reliability updates and thus don’t require additional steps beyond your normal patching policy.
For third-party hardware, you might need to go through significant extra work to find out whether your devices are eligible for a firmware update and, if so, when that update will be available. Don’t expect firmware updates to arrive in the next few days or even weeks. This type of code change requires extensive testing, and every PC maker has a different approach to the problem.
In large organizations, you can check firmware versions using asset management software. To check a Windows PC manually, use the System Information tool (Msinfo32.exe). The System Summary page includes details about the hardware model and the current BIOS/firmware version.
Armed with that information, you can search the PC maker’s support site for information about available updates. Consider bookmarking those search pages and adding them to reminders that you can check at least monthly.
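The following PowerShell script is an added example, not part of the original article. It reads the same hardware model and BIOS/firmware fields that System Information shows, for the local PC or a list of remote ones, and flags firmware older than a cutoff date; the cutoff date, the host list and the output file name are assumptions to adjust.

```powershell
# Added example: inventory hardware model and BIOS/firmware version via CIM.
[CmdletBinding()]
param(
    # Assumed host list; defaults to the local machine only.
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    # Assumed cutoff: firmware released before this date is flagged for follow-up.
    [datetime]$Cutoff = '2018-01-01',
    # Assumed output location for the report.
    [string]$OutFile = '.\firmware-inventory.csv'
)

$report = foreach ($name in $ComputerName) {
    # Query the local machine directly; remote hosts need WinRM enabled.
    $target = @{}
    if ($name -ne $env:COMPUTERNAME) { $target.ComputerName = $name }

    try {
        $bios = Get-CimInstance -ClassName Win32_BIOS @target -ErrorAction Stop
        $sys  = Get-CimInstance -ClassName Win32_ComputerSystem @target -ErrorAction Stop
        $cpu  = Get-CimInstance -ClassName Win32_Processor @target -ErrorAction Stop |
                Select-Object -First 1

        [pscustomobject]@{
            Computer     = $name
            Manufacturer = $sys.Manufacturer
            Model        = $sys.Model
            Processor    = $cpu.Name
            BiosVersion  = $bios.SMBIOSBIOSVersion
            BiosDate     = $bios.ReleaseDate
            # A missing release date is treated as "unknown, check by hand".
            NeedsReview  = ($null -eq $bios.ReleaseDate) -or ($bios.ReleaseDate -lt $Cutoff)
            Error        = $null
        }
    }
    catch {
        # Keep unreachable hosts in the report so they are not silently skipped.
        [pscustomobject]@{
            Computer = $name; Manufacturer = $null; Model = $null; Processor = $null
            BiosVersion = $null; BiosDate = $null; NeedsReview = $true
            Error = $_.Exception.Message
        }
    }
}

# Flagged machines first, then save the full list for the monthly re-check.
$report | Sort-Object NeedsReview -Descending |
    Format-Table Computer, Model, BiosVersion, BiosDate, NeedsReview -AutoSize
$report | Export-Csv -Path $OutFile -NoTypeInformation
```

A firmware date after the cutoff does not by itself prove that updated microcode is included; confirm against the PC maker's release notes for that model.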
2. Replace outdated hardware.
In its initial advisory, under the heading Solution, CERT offered this blunt advice: “Replace CPU hardware.” That recommendation, while probably technically defensible, isn’t all that helpful, given that those replacement CPUs don’t exist yet. Even when next-gen CPUs arrive, we won’t have the option to swap them into the billions of PCs, Macs, and smartphones already in use.
An update to that advisory offered more practical advice: “Apply updates. Operating system, CPU microcode updates, and some application updates mitigate these attacks.”
Some older devices will never get the firmware updates that are required for full protection from these vulnerabilities. Even if Intel releases the microcode for those CPUs, it’s still up to the device maker to develop, test, and release a patch. Microsoft’s list of firmware updates it plans to deliver for the Surface family, tellingly, does not include the Surface Pro 2 or the original Surface Pro.
In addition, devices that use pre-Haswell Intel CPUs (Ivy Bridge and earlier designs) are most likely to suffer serious performance issues as a result of software updates.
In either case, even for a device that’s less than four years old, the correct strategy might be to retire it early and replace it with a newer, faster, more secure model.
3. Develop a patching strategy.
Microsoft initially released a series of out-of-band security updates (details on Windows client updates are in this advisory) the week before its normal Patch Tuesday deployment for January.
Sometimes those “zero-day” patches can be as disruptive as the flaws they’re intended to fix. That’s a lesson some owners of PCs with AMD Athlon CPUs learned the hard way, with some suffering from crashes and unable to boot after installing Microsoft’s Windows 10 Meltdown-Spectre patch. Acknowledging that some AMD devices have gotten into “an unbootable state” after installing this update, Microsoft paused Windows OS updates to devices with impacted AMD processors while it worked on a fix.
Anyone who resisted the urge to panic and instead tested those updates first was probably safe. In fact, anyone who configures Windows Update for Business to delay the normal installation of security and reliability updates by a week or so will probably avoid most update-related problems, which are typically identified and fixed within a matter of days.
Deferring these so-called quality updates requires that you be running Windows 10 Pro (including Windows 10 S), Enterprise, or Education; you can’t manage updates for Windows 10 Home. In version 1709 or later, the option is available in Settings > Update & Security > Windows Update > Advanced Options.
For earlier Windows 10 versions, you’ll need to make an adjustment in Group Policy settings. Detailed instructions are in “FAQ: How to manage Windows 10 updates.”
Of course, delaying updates shouldn’t just be a matter of kicking the can down the road. Use that time to test.
4. Re-examine every layer of your security infrastructure.
Ironically, anyone running third-party antivirus software on a Windows PC was, at least initially, prevented from installing Microsoft’s out-of-band updates. That’s because Microsoft’s testing found that some of those third-party products were causing the dreaded Blue Screen of Death (BSOD) by making unsupported calls into Windows kernel memory.
Those third-party programs themselves had to be tested to verify their compatibility with the Windows updates, and it was up to the developers of those products to declare their compatibility by flipping a bit in the Windows Registry. One week after the release of that update, most such products had delivered the necessary compatibility fix, but for a variety of reasons (some involving justifiable concern over interactions with additional security software) not every AV vendor was making that registry change. (Security researcher Kevin Beaumont is maintaining an authoritative list of the status of these third-party products.)
As computing systems get more complex, the potential for security software to be part of the problem instead of part of the solution becomes greater. Third-party security software can itself contain vulnerabilities, and the infrastructure that delivers updates can be compromised or misused.
Given that background, now might be a good time to look at how your security software vendors handled this update. If you’re not satisfied with their response, perhaps it’s time for a change.
It’s also worth re-examining the remainder of your security infrastructure, especially the parts that allow you to monitor for potential breaches and intrusions. As this excellent whitepaper from Rendition Infosec notes:
Simply put, monitor like your network is already compromised. Keeping attackers out is so 1990. Today, we assume compromise and architect our monitoring systems to detect badness. The #1 goal of any monitoring program in 2018 must be to minimize attacker dwell time in the network.
In fact, the end result of all this work is to build a routine so that you’re not surprised when the next major security incident occurs.
Because if recent history has taught us anything, it’s that another incident is just around the corner.