I wanted this week to take a few minutes to share with you our latest thinking on the Intel Spectre and Meltdown fiasco. In a nutshell, there are two issues:
- An actual hardware flaw that exists in Intel and other compatible processor chips. This issue exists on chips manufactured from 1995 to the present.
- A software flaw that affects Microsoft Windows, Linux, and Mac OSes.
What it means to you:
The belief is that these exploits will start off as simple browser-based credential theft, but also then quickly evolve to stealing not only passwords but actual session keys for multi-factor authentication (MFA) and even the contents of what is in memory (i.e. your data).
- For machines with Intel processors from 1995 through 2012 it appears the only "fix" is a full processor replacement.
- For machines 2013 to the present, you should be able to apply an Intel microcode update to fully patch the processor.
- I have not seen an official Intel position on how to resolve the 1995-2012 hardware flaw issues.
- Various OS vendors have released patches for the subset of these issues that can be patched via software.
- Antivirus vendors have released patches to make their antivirus "compatible" with the software patches.
- Update your web browsers to current versions.
- Update Java to current versions.
What is going on:
- There have been a number of false starts and re-releases of patches. Major issues seem to revolve around Blue Screen of Death (BSoD) and spontaneous reboot issues.
- Intel has pulled their microcode update due to many reports of devices spontaneously rebooting after the update is applied. They are working on a new microcode update, but no release date has been given.
- Patches for AMD processors has been problematic, with BSoD issues. Microsoft has just re-released these updated patches for AMD.
- Microsoft implemented an "approved" antivirus registry key to prevent the update from being offered on any machines that haven't had their antivirus patched. This has caused confusion because Microsoft WSUS and Windows Update won't deliver the patches to eligible machines because of lack of antivirus updates. This is to prevent BSoDs.
- There are reports that Windows 10 Pro 1511 won't get the updates - even with the approved antivirus registry keys. The solution is to switch to Windows 10 Enterprise or Education 1511 which do work.
- Specialized software such as SQL and SCCM require special steps to properly install the updates.
- Generically there are reports of 5-25% decrease in performance after the patches are applied.
- Windows 10 machines with processors from 2013 to present generally have a minimal noticeable performance impact.
- Windows 10 machines on older processors will experience substantial performance degradations in some situations.
- Windows 7 machines may experience substantial performance decreases in some situations
What to do now:
- Check with all your vendors for BIOS, firmware, microcode and software updates.
- Test the patches and updates on a portion of your hardware to see what happens.
- Update all your anti-virus to current versions and make sure Microsoft recognizes it as approved.
- Update all your Java to current versions.
- Update all your web browsers to current versions.
- Patch your processors, BIOS, firmware when practical
- Patch your OSes when practical.
- Make sure you are using a multi-layered defense to detect when bad things are going on such as Cisco AMP, Cisco Umbrella, and CSI Paladin CyberSentinel.
Remember one way or another you will need to touch everything you own.
If you want to discuss your specific situation or require assistance, please give us a call.