Spectre and Meltdown Patches: A Long-term Project


By: Michael Vizard

IT security issues involving the Spectre and Meltdown processors flaws that were publicly revealed earlier this month will wind up haunting IT organizations for months to come.

Instead of being able to patch operating systems and update microcode as normal, it turns out that patches being made available are highly inconsistent in terms of their ability to remediate the problem without causing further disruption.

For example, Microsoft first suspended the delivery of patches aimed at fixing this issue on instances of Windows running on processors from Advanced Micro Devices (AMD) because some systems were crashing. Later this week Microsoft said that suspension only now applies to a specific classes of AMD processors.

Intel, meanwhile, has confirmed that an update to the microcode is provides to address this issue is causing machines to intermittently reboot. Intel is expected to issue another update to address the problem again next week.

These security issues are likely to be exponentially more challenging to fix in environments that make extensive use of embedded systems, says Chris Grove, director of industrial security for Indegy, a provider of management and monitoring tools for industrial control systems.

For example, unlike systems deployed in data centers, Grove notes most organizations that have deployed industrial control system don’t normally keep track of what patch has been applied when and where because most of that work is done manually. To apply Spectre and Meltdown patches many organizations are going to need to call in outside experts in the form of integrators or support personnel from manufacturers to apply these patches.

In some cases, Grove says that resistance to applying these patches will be high if it means taking operational systems offline.

Grove says that in hindsight, more thought might have been given to how information about these flaws were shared. But as a rule, Grove says full disclosure of vulnerabilities is always preferable because organizations can assume some cybercriminals already know about them.

“It’s always a race to patch to systems once a vulnerability is generally disclosed,” says Grove.

The difference now is that many organizations are frozen while they await fixes to flaws in the patches that were expected to address Spectre and Meltdown flaws that cybercriminals are likely anxious to exploit.

Of course, the biggest issue will be make sure whatever patches that address the problem get deployed. Many IT security breaches can be traced back to a failure to apply patches that would otherwise have prevented the exploit in the first place. At this point, it’s almost a certainty that within the coming year cybercriminals will be able to exploit Spectre and Meltdown. The thing that remains to be seen is the extent.