Guidance from IT Lab's information security experts on the meltdown and spectre flaws making the news. UPDATED 26 JANUARY.
You will no doubt have seen information released very recently in the media regarding a serious design flaw termed ‘meltdown’ which affects Intel based processors in the majority of computers released in what may be as far reaching as the past couple of decades. As a result of this flaw, leading vendors of IT Operating Systems have already, or are set to release over the next few weeks and months, patch updates to address what could be a potential security vulnerability. A similar flaw termed ‘spectre’ has also been discovered which affects broader manufacturers’ processors such as AMD and ARM.
IT Lab has currently not experienced any reports of these vulnerabilities being exploited, nor is there significant evidence globally to suggest that they have. It is important to note that these vulnerabilities can generally only be exploited through an internally accessed network. Would-be mischief makers and hackers would have already needed to compromise existing security and gained access to internal systems to take advantage of these vulnerabilities.
It has been widely reported that following application of the updates, system performance might be impacted by as much as 30% for some tasks that computers process. However, this will be largely dependent on the specific workloads on any given computer, computer type and specification and any degradation is impossible to determine at this moment in time.
Due to the complexity of this situation and the touchpoints across a myriad of IT vendors, the situation is very fluid presently with not all vendors releasing patches to address the flaw. There are also multiple reports in the media and across the IT industry that many patches initially released in the post announcement frenzy have since been withdrawn. The reasons for this are due to reported instability and incompatibility problems post application. Major vendors have since issued new statements recommending rollback procedures to previous patching levels while others have yet to release reliable patches and guidance.
The reality is that the issue as a whole may take months, or even years to fully address across the industry and in some cases the risks of applying specific updates could potentially outweigh the risk of applying an unstable patch.
At this present time however, we do not suggest making any specific amendments to patching cycles from Microsoft. It is critically important to ensure backup routines are working as expected in the unlikely event of a Microsoft (or other vendor) patch having an undesired impact on your system but we are not advising to defer routine security patching.
Any additional patching such as hardware BIOS, Firmware or specific vendor updates should be given greater consideration before application with the appropriate continuity procedures in place through standard change management. As always, our strong advice remains around end user education and general security management and monitoring. Improving user awareness of Internet browsing activity, and the associated risks of clicking on advertisements or unexpected e-mail links, are a fundamental part of reducing any organisation's exposure.
For IT Lab clients who subscribe to our Managed Security Patching Service, the update to all Microsoft systems will be delivered as part of your regular schedule maintenance window(s) when the position across all impacted vendors is addressed. If you do not currently subscribe to the IT Lab Managed Security Patching service, have a query about how this may impact you, or would like to know more about IT Lab’s advanced Security Operations Centre (SOC) and Ethical Hacking (Pen Testing) capabilities please get in touch with your Account Manager or Service Delivery Manager.
Further advice will be published in due course or you can click here to contact us.
