In January we learned about a pair of cybersecurity vulnerabilities called Spectre and Meltdown. Discovered last summer by different security researchers, these vulnerabilities are proving difficult to mitigate because the problem exists in the way central processing units (CPUs) have been designed and manufactured. These processor cores are at the heart of all computer hardware, from PCs and servers to smartphones, networking gear, you name it. Hardware problems, as opposed to operating system or application vulnerabilities, are not easily mitigated. The best fix would be to replace the defective hardware. But since this issue affects nearly every processor manufactured in the last 20 years, replacement is not a realistic option.
Patches have been pushed out, but some have produced new problems. Some of the early fixes have been plagued by a marked decrease in performance, up to 30%, or by systems that continuously reboot or won’t boot at all. New patches then have to be pushed out to fix the bad patches.
To assist with this herculean task, Microsoft has developed an update to its Windows Analytics service that lets information technology professionals analyze how Meltdown and Spectre patches have been deployed to individual systems across the LAN, and where security patching still needs to happen.
The service is available for Enterprise, Professional, and Education editions of Windows 7 SP1, Windows 8.1, and Windows 10, and presumably current Server versions. It requires an Azure Active Directory subscription.
The new features include:
- Windows OS Security Update Status – This will show which Windows security updates are running on each device, and if any of the updates has been disabled.
- Firmware Status – This report shows what chipset firmware version is installed on any device.
- Anti-malware Status – This will show if any Windows updates are incompatible with the installed endpoint anti-malware product.
If you are running a Microsoft network, this is a tool that may be beneficial for your IT department.
Additionally, Intel has recently published information on which systems can safely receive its microcode updates that mitigate variant 2 of the Spectre vulnerability. You will need an Intel account to log in for the information.
The really bad news is that most of these patches and updates offer only a partial fix, and to some extent this vulnerability will continue to exist until the current installed base of devices is eventually replaced with new gear. In the interim, hardware exploits will be added to the toolkit of cyber-criminals, government intelligence agencies, and other bad actors. Not good news, to be sure.