Intel's recommendation posted earlier this week that those using processors possibly impacted by the Spectre/Meltdown vulnerabilities should hold off on downloading the current, flawed versions of its patch is placing millions of people in a precarious, but not necessarily dangerous, situation.
The self-imposed moratorium means millions of end users have no recourse right now when it comes to dealing with CVE-2017-5754, CVE-2017-5753 and CVE-2017-5715 that take advantage of the speculative execution performance feature in modern CPUs make the memory of virtually all computers and devices accessible to hackers. Although many companies have issued their own patches, the industry is still waiting on a final fix from Intel.
“We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior,” Navin Shenoy, executive vice president and general manager of Intel's Data Center Group, said yesterday.
In the meantime there are some steps IT managers, and even end-users, can take to keep their systems safe until Intel releases a proper update.
“In times like these, customers should be extra vigilant to ensure they have not been compromised. Network traffic analytics should be used to monitor their environment for anomalous traffic patterns and unusual behaviors,” said Bob Noel, Plixer's director of strategic relationships and marketing, to SC Media.
The other option for cybersecurity staffers is to simply keep up their normal level of vigilance while they wait.
“The basic advice is to continue to practice good security hygiene. You can't control the silicon issues of Spectre/Meltdown, and given that Intel completely fumbled the patches, to put it mildly, you should ensure that all of your software -- OS, applications, browsers and plugins, are all up-to-date. In addition, continue to practice "safe browsing" and don't visit suspect sites, click on links that you are unfamiliar with, and simply be diligent about reporting anything that seems strange to your IT Support,” Mike Kail, CTO of CYBRIC told SC Media.
Noel brought up the salient fact that not heeding Intel's recommendation and installing an unstable patch may not only lead to system problems, but could scare people off from updating their system in the future.
“The secondary problem this unstable patch code creates is a general hesitancy for end users to quickly apply future patches. Early adopters of these patches experienced hardware reboots and downtime, which is likely to leave them wary of becoming early adopters for future patches,” Noel said.
While Intel's suggestion might create some level of annoyance and anxiety among those using the affected processors, there are a few positive themes to focus upon.
Randy Abrams, Senior Security Analyst at Webroot, praised Intel for being forthright and telling its customers to hold off and wait for the proper patch.
“Historically we have seen cases where the cure is worse than the problem. Thoroughly testing an enormous matrix of hardware and software against any patch is increasingly error-prone when amount of time allowed for development and regression testing in inadequate. The risk of the unpatched vulnerability is nowhere close to cause for alarm as the buggy patch,” he told SC Media.
Another glass half-full thought is that at least the vulnerabilities are not actively being abused in the wild, said Alex Heid, white hat hacker and Chief Research Officer with SecurityScorecard.
“Although the vendor supplied patches for Meltdown and Spectre have been reported to cause performance issues and vendors are recommending waiting for a more stable version, consumers can be confident in the fact that these particular vulnerabilities and exploitation vectors have not been fully weaponized yet for use in the wild by malicious attackers,” he told SC Media.
Lane Thames, Tripwire's senior security researcher, pointed out that there other proactive steps that can be taken while waiting on Intel.
“Patch management and vulnerability management is always a game of managing risk. In this case, the problem revolves around Intel's patches. In general, I would follow their advice for this issue. However, keep in mind that mitigation (at least partially) is available by ensuring patches for these vulnerabilities available from operating system vendors are installed,” he told SC Media.
Richard Henderson, global security strategist at Absolute concurred saying, “Don't let the fact that Intel yanked these updates cause you to lose faith in the traditional maxim of patching as soon as you can. Intel's not the first vendor to pull patches after additional issues are found, or created by the patch itself. They certainly won't be the last.”