Federal IT executives must move quickly to apply patches for the recently discovered Meltdown and Spectre security vulnerabilities, but should also be on the lookout for potential performance hits and unforeseen glitches associated with the bug fixes.
That’s the latest guidance from the Computer Emergency Response Team Coordination Center (CERT/CC) for how to deal with the chip flaws, which could affect virtually all computers produced in the past 20 years, from servers to smartphones.
No attacks exploiting Meltdown or Spectre have been reported to date, but computer vendors aren’t taking any chances and are scrambling to deliver patches for the vulnerabilities. For example, Intel says that by Friday it expects to have issued updates for more than 90 percent of its processors introduced within the past five years.
According to the CERT alert, “Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.”
Travis Rosiek, chief technology and strategy officer at security vendor BluVector, says that applying these patches “will strain and test the internal processes” of Federal agencies. “Patching tens of millions of servers, desktops, laptops, mobile devices, and network appliances is a large challenge,” he adds.
Rosiek recommends that Federal IT execs work with vendors to ensure that patches are developed for legacy systems. They also should work with vendors and agencies to help ensure that any performance impacts of the patches are addressed. In addition, Rosiek recommends identifying systems and data that are still susceptible even when patches have been applied.
What are Meltdown and Spectre?
Both Meltdown and Spectre were independently discovered by several teams of security researchers, who announced the vulnerabilities last week. Both enable side-channel attacks, so named because the attacker never reads the secret directly: instructions that the CPU executed transiently (speculatively or out of order) and then rolled back still leave a footprint in the CPU cache, and timing which cache lines are present reveals the data those instructions touched.
The security researchers named the first vulnerability Meltdown because it melts down the hardware barrier that keeps user programs from reading operating-system (kernel) memory. Because the kernel’s address space typically maps most of physical memory, an unprivileged process can read data belonging to the OS and to other processes, including passwords, personal information, emails, instant messages, and business-critical documents.
Spectre also breaks the isolation between different applications, but by a different mechanism. The name comes from the root cause, speculative execution: rather than stall while a branch condition or a slow memory load is unresolved, modern CPUs guess the outcome and run ahead, discarding the work if the guess was wrong. Spectre trains the processor into speculatively executing instructions a correctly written program would never run (a bounds check that will fail, say), and the cache footprint of that discarded work leaks the data it read.
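To make the mechanism concrete, here is an added example that is not from the article or from the researchers’ papers: the Spectre variant 1 “bounds-check bypass” gadget described above, the Flush+Reload cache probe an attacker uses to read the footprint, and two standard hardenings (index masking, as used by the Linux kernel’s array_index_mask_nospec(), and an LFENCE speculation barrier). The names array1, array2, secret and victim_* are illustrative, the sample data is constructed, and the cache-hit threshold is a hardware-specific assumption. Only the x86 parts are conditionally compiled; the masking logic is portable.

```c
/* Added example: Spectre v1 gadget, its side channel, and two hardenings.
 * Not code from the article; names and data are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STRIDE 512          /* one probe slot (separate cache line) per byte value */
#define NUM_SLOTS 256

/* Constructed sample data: an in-bounds table and a "secret" that the
 * program never intends to expose through array1. Note array1_size is an
 * ordinary global: the bounds check must load it from memory, and when that
 * load misses the cache the CPU has a window in which to speculate. */
static const uint8_t array1[16] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
static const char secret[] = "constructed secret";
static size_t array1_size = sizeof(array1);
static uint8_t array2[NUM_SLOTS * STRIDE];   /* the probe array */

/* VULNERABLE: architecturally the branch is correct, so an out-of-bounds x
 * returns 0. But a predictor trained by earlier in-bounds calls guesses
 * "taken", the body runs speculatively with the bad x, array1[x] reads a
 * byte of `secret`, and array2[byte * STRIDE] pulls one cache line in.
 * The result is discarded when the branch resolves; the cache line is not. */
uint8_t victim_vulnerable(size_t x) {
    if (x < array1_size)
        return array2[array1[x] * STRIDE];
    return 0;
}

/* HARDENING 1: branch-free index mask, the construction the Linux kernel
 * uses in array_index_mask_nospec(). When idx < size, both idx and
 * (size-1-idx) are non-negative, their OR has the top bit clear, and
 * ~(...) >> 63 is all ones. When idx >= size, (size-1-idx) wraps negative,
 * the top bit is set, and the mask is 0. Nothing here can be mispredicted.
 * Assumes size < LONG_MAX and an arithmetic right shift (gcc and clang). */
size_t index_mask_nospec(size_t idx, size_t size) {
    long m = ~(long)(idx | (size - 1 - idx));
    return (size_t)(m >> (sizeof(long) * 8 - 1));
}

uint8_t victim_masked(size_t x) {
    if (x < array1_size) {
        x &= index_mask_nospec(x, array1_size);  /* a misspeculated OOB x becomes 0 */
        return array2[array1[x] * STRIDE];       /* ...so the footprint carries no secret */
    }
    return 0;
}

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>   /* _mm_lfence, _mm_clflush, __rdtscp */

/* HARDENING 2: a speculation barrier. LFENCE waits for all earlier
 * instructions, including the compare, to complete, so the loads after it
 * never execute on a guessed branch outcome. Simpler than masking, but it
 * stalls the pipeline on every call. */
uint8_t victim_fenced(size_t x) {
    if (x < array1_size) {
        _mm_lfence();
        return array2[array1[x] * STRIDE];
    }
    return 0;
}

/* The attacker's side of the channel (Flush+Reload): evict every probe slot,
 * let the victim run with the malicious index, then time a reload of each
 * slot. The one slot that loads fast is the leaked byte value. */
#define CACHE_HIT_THRESHOLD 80   /* cycles; assumed, tune per machine */
void flush_probe_array(void) {
    for (int i = 0; i < NUM_SLOTS; i++)
        _mm_clflush(&array2[i * STRIDE]);
}
int probe_slot_is_cached(int slot) {
    unsigned int aux;
    volatile uint8_t *p = &array2[slot * STRIDE];
    unsigned long long t0 = __rdtscp(&aux);
    uint8_t v = *p;
    unsigned long long t1 = __rdtscp(&aux);
    (void)v;
    return (t1 - t0) < CACHE_HIT_THRESHOLD;
}
#endif

int main(void) {
    /* The attacker-chosen index that reaches `secret` through array1. A pointer
     * difference across objects is formally undefined; it is only computed
     * here, and every victim function rejects it architecturally. */
    size_t malicious_x = (size_t)((const uint8_t *)secret - array1);
    printf("in-bounds x=3:        vulnerable=%d masked=%d\n",
           victim_vulnerable(3), victim_masked(3));
    printf("out-of-bounds x=%zu: vulnerable=%d masked=%d (both reject it)\n",
           malicious_x, victim_vulnerable(malicious_x), victim_masked(malicious_x));
    printf("mask(3,16)=%#zx mask(16,16)=%#zx\n",
           index_mask_nospec(3, 16), index_mask_nospec(16, 16));
    return 0;
}
```

The point the program makes is that the three victim functions are indistinguishable by their return values: the difference is only in what array2 line a mispredicted call leaves in the cache, which is exactly what a correctness-based patch or test cannot see and why the fix has to be at the level of what the CPU is allowed to speculate.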
According to the CERT Vulnerability Note, multi-user and multi-tenant systems, primarily virtualized and cloud environments, face the greatest risk because of the shared environments that Federal agencies may not completely control. Single-user systems like personal desktops or laptops are the least vulnerable, although a desktop that runs untrusted JavaScript in a browser still exposes a Spectre attack surface, which is why browser vendors shipped mitigations alongside the OS patches.
What agencies can do
The way to protect government networks is to apply any and all patches to CPU microcode, operating systems, applications, and browsers. However, CERT points out that even if you patch all of your systems, that might not be enough. “Due to the fact that the vulnerability exists in CPU architecture rather than in software, patching may not fully address these vulnerabilities in all cases.” Agencies should therefore verify rather than assume that a mitigation took effect: on Linux the kernel reports per-flaw status under /sys/devices/system/cpu/vulnerabilities/, and on Windows Microsoft’s SpeculationControl PowerShell module (Get-SpeculationControlSettings) reports whether both the OS update and the matching microcode are active.
Even more worrisome, CERT says that after patching, performance may be diminished by up to 30 percent, although other industry experts say the performance hit will be far less than that. Already, impacts to availability in some cloud service providers (CSPs) have been reported because of patches to host operating systems and environments. Administrators who rely on cloud infrastructure should work with their vendors to mitigate and resolve any impacts resulting from host OS patching and mandatory rebooting, CERT adds.
On top of that, there have been reports that applying Microsoft’s Windows 10 patch is wreaking havoc with some antivirus products: the update changes how the kernel lays out memory, antivirus software that made unsupported kernel calls could crash the system, and Microsoft withheld the update until the installed antivirus set a compatibility registry key. Federal IT administrators need to be aware of the possibility that these patches could cause problems elsewhere.