Spectre / Meltdown cuts off Microsoft updates causing potential long term risk for unknowing companies

10 Jan


What you probably know about Intel, Spectre & Meltdown

2018 had its first big security scandal right off the bat with the revelation that nearly all Intel processors are susceptible to an architectural bug that can expose raw data in kernel memory, presenting a serious vulnerability at a very low level. In particular, two techniques dubbed Meltdown and Spectre have emerged as the primary exploits of these flaws in the chip.

Meltdown breaks the fundamental expected isolation between user applications and the OS, allowing a malicious program to access system memory used by other programs. Spectre similarly breaks the isolation between different user applications, completely circumventing process-level permissions. User permissions lose all meaning at the arbitrary system memory level. Microsoft rushed to address these bugs, and came up with a new patch on January 3rd.

What you may not know about the fallout of Spectre & Meltdown

There was a twist: the patch caused some machines to completely crash. As in, totally bricked and in need of reimaging. All because of a conflict with certain anti-virus solutions.

What I found on Tuesday morning when I set about updating the workstation images for Novacoast’s Imaging Service, though, is something a lot more disturbing from a security point of view. Microsoft’s solution to keep their patch from destroying computers is this: if you have a machine whose antivirus is not up-to-date, the Microsoft patch just won’t show up on that machine. There will be no sign of it, and you will have no way to access it.

And this has a much bigger implication than missing one patch, or even than staying susceptible to Meltdown and Spectre. If your machines are deemed currently too risky for this update, that will permanently leave them out of the loop for any and all patches in the future. No more security updates, no more Windows updates. Nothing.

What you need to know is that Windows is relying on the antivirus manufacturers and/or the users themselves affected by this conflict to sort it out on their own by setting a particular registry entry to indicate that the machine should be safe to update. Read more on how to here. But Windows hasn’t sent out any notifications to those affected, meaning most organizations affected by this probably don’t even realize it.

If you don’t get this done, you’re not just going to be left out of the Spectre and Meltdown patches; your workstations will cease to be included in the distribution of further updates of any kind from Microsoft.

What to do about Microsoft withholding its Spectre/Meltdown patch

For now, the only thing to do is to wait until your antivirus manufacturer patches its product. And if any workstation is running without an antivirus solution, you will likely be left out of the loop of future updates as well unless you manually set the registry entry.

It’s a headache, but being cut off from Microsoft’s ongoing updates could be catastrophic.

As always, if you have questions about Meltdown, Spectre or how best to ensure you aren’t left behind by Microsoft’s patches in the future, feel free to reach out to us for advice and assistance.