Meltdown/ Spectre Vulnerability
As you have probably heard, two serious vulnerabilities that could allow attackers to access information stored in system memory were recently released. These vulnerabilities have been named Meltdown and Spectre. Although these are serious vulnerabilities that may require future changes to CPU architecture, there are several things to consider before you apply the patches.
What Systems are Affected
The Meltdown vulnerability affects all Intel processors manufactured in recent years. The Spectre vulnerability affects all Intel, AMD, and ARM processors. Since these vulnerabilities are related to the CPU, all OS versions are affected including all versions of Windows, all distributions and version of Linux, and all versions of MacOS.
At this time, in order to exploit a system, the attacker would need to execute untrusted code on the target system. This could be done through malicious web code or malicious software installed on the system. If basic system security measures are followed it is unlikely that servers would run untrusted code. Keep this in mind when deciding whether to patch your systems as there are potential impacts as noted below.
In order to fully patch against Meltdown and Spectre, three patches must be applied. An OS patch. a browser patch, and a firmware patch for the CPU microcode.
Impact of Patches
Microsoft has confirmed that the patches will cause a performance impact on all Windows servers. Linux users have noted similar slowdowns. These slowdowns are caused by additional overhead in the way memory is handled by the system and depend on how the system is being utilized. There is currently no method to mitigate the performance decrease. Initial Microsoft patches released to AMD have caused system failures, which required interaction with Microsoft to repair. Microsoft believes they have resolved these issues
Microsoft Windows Systems
Microsoft has released patches to close the Meltdown vulnerability as well as variant 1 of the Spectre vulnerability. Spectre variant 2 requires a firmware update which will need to be downloaded from the hardware vendor. Dell is the hardware vendor for all Hostway customers.
Microsoft has noted that some third-party antivirus software may block the implementation of these patches unless a specific registry key exists. Please refer to this spreadsheethttps://docs.google.com/spreadsheets/u/1/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true for information on your antivirus software. If the "Sets registry key" is marked an "N" you will need to set the key before the patches are applied. You can refer to this article for more details https://support.microsoft.com/en-us/help/4072699.
Patches to the Linux kernel to mitigate Meltdown have been released. At this time no Linux OS patch has been released for Spectre. Redhat has released detailed info on performance issues, which can be found at https://access.redhat.com/articles/3307751.
Chrome is set to release a patch on January 23rd. All other major browsers have already released patches.
Updates to microcode have been released and Dell has updated firmware for affected systems. Intel has noted that systems have experienced sudden reboots after the updates were applied. Intel estimates that processor performance will be impacted by about 6%. Details on performance impacts can be found here https://newsroom.intel.com/news/firmware-updates-and-initial-performance-data-for-data-center-systems/.
Hostway recommends that customers patch their systems against the Meltdown and Spectre vulnerabilities. Due to the performance impact and relatively low risk to servers not running untrusted code, you may choose not to do so. In either case, Hostway is here to assist you. If you have additional questions or would like assistance with patching your systems at Hostway please contact Hostway Support.
Over the past several days, Intel has made further progress to address the exploits known as “Spectre” and “Meltdown.” We are continuing to support our ...
The recent speculative execution CVEs address three potential attacks across a wide variety of architectures and hardware platforms, each requiring slightly different ...
Microsoft has identified a compatibility issue with a small number of anti-virus software products.