Microsoft is having a different type of Patch Tuesday. Instead of simply pushing out security updates the company is dealing with several new issues surrounding the patches it released last week to mitigate issues surrounding the Spectre/Meltdown vulnerabilities found in Intel's processors.
The latest problems include a direct conflict between the patches and some AMD processors, severe enough that Microsoft has halted the update rollout for those systems, and the company's statement that it will not roll out the Spectre/Meltdown patches to computers running incompatible antivirus software. In those cases Microsoft is requiring the end user to change A/V software, wait for the security vendor to update its product, or edit registry settings themselves, a task beyond the ability of most people.
Microsoft announced that some AMD chipsets are having trouble accepting the updates, leaving the computers in an unbootable state (a Blue Screen of Death), so it has temporarily halted the rollout to those systems until a resolution can be found. This can happen even if the system running on the AMD processor has the proper A/V software, Microsoft said.
“After investigating, Microsoft determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown,” Microsoft support wrote, adding it is working with AMD on a solution.
Microsoft patches have caused Blue Screens of Death in the past, Jerome Segura, Malwarebytes lead malware intelligence analyst, told SC Media, but in this case end users are also being confronted with a series of confusing issues when they try to patch the processor vulnerabilities.
“Microsoft's patches have always been the subject of heated discussions, and there were a few memorable BSOD crashes in the past that have left many feeling uneasy. At the moment, a lot of attention is centered around performance impacts after applying the Meltdown fix. Unfortunately, for most people this is making it more difficult to gauge what to do when they receive conflicting messages,” he said.
The potentially even more severe problem is Microsoft's new requirement that computers run compatible A/V software in order to receive security updates. Although a great many products are already compatible or soon will be, some users could find themselves with a computer that cannot be updated.
Independent cyber-security researcher Kevin Beaumont has put together and made public a list of products, noting whether or not each complies with Microsoft's requirement.
For some people the problem will centre on Microsoft's new requirement that every A/V product set a specific registry key. Without this key, new updates will not be pushed to the computer. Most vendors either have already placed the key or are in the process of doing so, but some users could still be left out in the cold. Those individuals may have to play IT professional and set the key themselves, a task that the average, or even a skilled, person may not be able to accomplish.
“We cannot expect people to manually edit registry settings on their own, but Microsoft had to weigh the pros and cons looking at its telemetry data, and most likely decided that the requirement was worth the risk. The people most likely to be affected are those running Windows 7 since it does not have an antivirus installed by default, therefore missing the needed switch that allows updates to come through,” Segura said.
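The registry flag described above is something an administrator can audit without touching it. The following PowerShell script is an added example written for this page, not code from the article, Microsoft or any A/V vendor. It performs a read-only check of whether the compatibility flag is present on the local machine and lists the antivirus products registered with Windows Security Center, so that a Windows 7 fleet can be triaged before the update is expected. The key path and value name used as defaults are the ones from Microsoft's public guidance as recalled by the author of this example; they are an assumption of the script and should be verified against Microsoft's documentation before use. The script deliberately does not set the flag, because doing so on a machine whose A/V driver is incompatible is exactly what produces the unbootable state the article describes.

```powershell
# Added example (not from the article): read-only audit of the Windows Update
# eligibility flag that Microsoft required antivirus vendors to set in
# January 2018. The defaults below are an ASSUMPTION taken from Microsoft's
# public guidance as remembered by the author of this example; verify them
# against Microsoft's current documentation before relying on this script.
param(
    [string]$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat',
    [string]$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
)

# Returns an object describing whether the key and value exist and whether
# the value carries the data (REG_DWORD 0) that marks the machine eligible.
function Get-QualityCompatStatus {
    param([string]$Path, [string]$Name)

    $result = [ordered]@{
        KeyPresent   = $false
        ValuePresent = $false
        ValueData    = $null
        Eligible     = $false
    }

    if (Test-Path -Path $Path) {
        $result.KeyPresent = $true
        $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
        if ($null -ne $item -and ($item.PSObject.Properties.Name -contains $Name)) {
            $result.ValuePresent = $true
            $result.ValueData    = $item.$Name
            $result.Eligible     = ($item.$Name -eq 0)
        }
    }
    return [pscustomobject]$result
}

# Antivirus products registered with Windows Security Center. The
# root/SecurityCenter2 namespace exists on client SKUs; on servers it is
# usually absent, so the failure is reported rather than treated as fatal.
function Get-RegisteredAntivirus {
    try {
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
            Select-Object -Property displayName, productState
    } catch {
        Write-Warning "SecurityCenter2 namespace not available: $($_.Exception.Message)"
        @()
    }
}

$status = Get-QualityCompatStatus -Path $KeyPath -Name $ValueName
$av     = @(Get-RegisteredAntivirus)

"Computer        : $env:COMPUTERNAME"
"Key present     : $($status.KeyPresent)"
"Value present   : $($status.ValuePresent)"
"Value data      : $($status.ValueData)"
"Update eligible : $($status.Eligible)"
"Antivirus       : $(($av | ForEach-Object { $_.displayName }) -join ', ')"

# A missing flag with no registered antivirus is the Windows 7 case Segura
# describes: nothing will ever set the key, so the machine stays unpatched
# until an administrator confirms compatibility and acts deliberately.
if (-not $status.Eligible) {
    Write-Warning "Compatibility flag not set; this machine will not receive the update until a compatible antivirus sets it (or an administrator does so after confirming compatibility)."
}
```

Run it from an elevated PowerShell prompt on each machine, or wrap the two functions in `Invoke-Command` to collect the same fields across a domain. The output is intentionally diagnostic only: the decision to set the flag belongs with whoever can confirm that the installed antivirus driver is compatible with the kernel changes.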
In addition to Microsoft, a long list of affected vendors has released patches to fix Spectre/Meltdown. This includes Apple, Amazon and Linux.
Jaco Du Plooy, VP of Cloakware at Irdeto, emailed SC Media UK to comment that the whole issue should serve as a warning against single points of failure, saying: “The Spectre and Meltdown bugs have taught us that complicated hardware and software systems will have bugs lurking inside and that hardware security is a single point of failure that should not be solely relied upon for securing critical assets like code, keys and private data. Hardware is difficult to patch or renew, causing chipset and operating system vendors to scramble to put patches in place before mitigations are developed.
“Spectre and Meltdown also taught us that system architects and developers should assume that systems will be breached and that a complementary software strategy for security is required to better protect against these types of attacks. Implementing a defence in depth approach to security along with software protection will protect code, keys and data against these and other bugs that we may not even know about yet over the product lifecycle, even in the face of hardware vulnerabilities.
“Software protection has the added advantage that it only needs to be applied to critical security assets that need protection and doesn't have a general impact on overall system performance like the system-wide patches for Spectre and Meltdown will have. In addition, implementing technologies such as code and data transformations, whitebox cryptography and diversity will protect against Meltdown and Spectre exploits. These types of solutions will protect code and data at rest and in transit, ensuring that critical assets are kept secure.”
The issue is succinctly summarised by Acellere CEO Vishal Rai, who said in an email to SC Media UK: “The Meltdown breach affects computers where one process can siphon data from another through something called ‘side-channel attacks’. This is at the microarchitecture level because modern CPUs now run multiple processes in parallel and use ‘out-of-order’ execution to improve performance. This allows processes to access the kernel memory of other processes, in effect obtaining information they are not supposed to.”
“Because this is at the chip-level and not OS-specific it may not be fixed with a short-term solution such as an OS update, as we are seeing with the issues Microsoft are encountering and may even require complete re-architecture of future CPUs designed by Intel at the chip-level.”