Windows administrators will have to be careful applying a Microsoft fix for the Meltdown/Spectre microprocessor flaws that burst suddenly in the news this week, cautioning that it may clash with anti-virus software.
The company has warned the Jan. 3 patch may cause compatibility problems with some anti-virus applications that make unsupported calls into Windows kernel memory. These calls may cause stop (blue screen) errors) that will stop a PC or server from booting. “To help prevent stop errors caused by incompatible anti-virus applications, Microsoft is only offering the Windows security updates released on January 3, 2018 to devices running anti-virus software from partners who have confirmed their software is compatible with the January 2018 Windows operating system security update,” it says.
“If you have not been offered the security update, you may be running incompatible anti-virus software and you should follow up with your software vendor.”
It also says default installations of Windows 7, Windows Server 2008 R2, and Windows Server 2012 without AV should install a supported anti-virus application (including the free Microsoft Security Essentials) .
The only acceptable AV software is one that re-sets a specific registry key. If the key isn’t changed Microsoft won’t deliver the Jan. 3 fix.
“To help protect our customers from blue screens and unknown scenarios, Microsoft is requiring all anti-virus software vendors to attest to the compatibility of their applications by setting a Windows registry key,” the company said.
“In some cases, it may take time for security updates to be delivered to systems, particularly for devices that have been turned off or not connected to the Internet. After they are turned on again these systems should receive updates from their anti-virus software providers. Customers still experiencing problems 24 hours after ensuring their devices have proper internet connectivity should contact their anti-virus software vendor for additional troubleshooting steps.”
Some AV vendors have already issued fixes. Kaspersky issued its fix Dec. 29 in anticipation of a Microsoft fix to be issued Jan. 9 on the regular Patch Tuesday. McAfee has a page with products tested so far that are compatible. ESET said it has released Antivirus and antispyware scanner module 1533.3 for all consumer and business users that is compatible with the Microsoft patches.
Specific advice for WinServer is available here.
Microsoft has also said certain versions of SQL Server running on x86 and x64 processor systems are also impacted: SQL Server 2008, SQL Server 2008R2, SQL Server 2012, SQL Server 2014, SQL Server 2016, SQL Server 2017. See this document for patching advice.
A number of cloud service providers, including Microsoft, Google and Amazon, have issued patches to their systems. VMware issued some patches, found here.
Meanwhile Intel said it has begun issuing software patches and firmware updates to PC and server manufacturers and operating system makers for most processors made in the last five years.
“This chip vulnerability highlights the complexity of the attack surface enterprise security and risk pros are charged with defending,” said Forrester Research analyst Jeff Pollard. “In this scenario the underlying hardware that businesses depend on is vulnerable, and requires an urgent patch. Operating System developers are creating a patch to mitigate someone else’s hardware bug. Enterprise security teams will need to prioritize testing and deployment of the patch, or risk leaving an opening for attackers to exploit. This is why we stress Zero Trust (which mandates the creation of microperimeters of control around an enterprise’s sensitive data assets and provides visibility into how it uses data across its ecosystem) as a fundamental concept in cybersecurity. Your hardware is not secure, your software is not secure, and your security products are not secure.”
Meltdown and Spectre are vulnerabilities in CPU code that could allow an attacker to get hold of secrets stored in the memory of other running programs.
Researchers who discovered the flaws say every “Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013).” It is unclear whether ARM and AMD processors are also affected by Meltdown.
As for Spectre, it has been verified on Intel, AMD, and ARM processors.
There are patches against Meltdown for Linux ( KPTI (formerly KAISER)),
Advice for macOS users from Apple is available here.
The US-CERT has a comprehensive vendor list here.
In technical terms, these are side-channel attacks that take advantage of a processor’s use of speculative execution of code to make a guess at what the next process will be and caches the data. That cache is supposed to be cleared if the guess is wrong, but sometimes it isn’t.
Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory, say researchers who found the flaw, so malicious applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.
Remote attack possible
Experts note to take advantage of Meltdown an attacker has to install code on a system. However, some say JavaScript could be used in a remote attack through a browser. According to one news report Mozilla has updated Firefox. Google says current versions of Chrome can be made safer by turning on a feature called Site Isolation. Further protection will be included in Chrome 64 to be released Jan. 23. Microsoft has updated its Edge and Internet Explorer browsers.
Experts quoted by SecurityWeek also believe some nation states already know of these exploits and may be using them.
McAfee said it is still testing products for compatibility with the Microsoft, Linux and macOS fixes. Those that have Microsoft compatibility include Data Loss Prevention 9.4 and later, Endpoint Security 10.2 and later, McAfee Agent 4.8.3 and later and VirusScan Enterprise 8.8 Patch 9 and later. The list is being updated.
McAfee still suggests first applying manual updates on noncritical systems, to ensure compatibility with software that involves the potential use of low-level operating system features.
“These exploits are uniquely attractive to malicious groups or persons because the attack surface is nearly unprecedented, the attack vector is relatively new, and the impacts (privilege escalation and leaks of highly sensitive memory) are detrimental,” McAfee said. “Additionally, both Meltdown and Spectre are exceptionally hard to detect as they do not leave forensic traces or halt program execution. This makes post-infection investigations and attack attribution much more complex.”
“The only naturally mitigating factor is that these exploits require local code execution. A number of third parties have already identified JavaScript as an applicable delivery point, meaning both attacks could theoretically be run from inside a browser, effectively opening an avenue of remote delivery.”
Symantec said any attack would need to run a malicious application on a system, use JavaScript to trigger an exploit or run JavaScript to map the kernel. “All of these malicious activities can be blocked by Symantec products. Nevertheless, users are advised to apply operating system patches as soon as they are made available.”
In a statement Varun Badhwar, CEO and co-founder of RedLock, a cloud threat defense company, said “the potential widespread impact of the flaws is truly frightening. The Meltdown flaw is a stark reminder that security of public cloud computing environments is a shared responsibility between the cloud service provider and the customer. In this case, Amazon, Microsoft, and Google are doing their part by immediately rolling out fixes on their cloud infrastructure. But it is equally as important for organizations to do their part and install the software patches for the various operating systems running within their cloud environment.”