I am sure by now you have heard/read/watched about these two security vulnerabilities: Meltdown and Spectre. However, if you have not, here is a good place to start: A Simple Explanation of the Differences Between Meltdown and Spectre
In a nutshell, almost all of the major technologies are affected: Apple, Microsoft, Intel, Amazon, ARM, Google, RedHat, VMware, SUSE and more.
What you need to do:
- Identify the affected technologies in your environment and if you have not already received advisories from those vendors, contact them for updates and guidance.
- Start with the anti-virus (AV) vendor. The reason you need to start with them is that due to the special nature of these vulnerabilities, your anti-virus (AV) technology needs to be updated before Microsoft patches can be applied. Microsoft is pushing updates to only those systems that are running a compatible version of anti-virus.
- You can check the status of your AV using this Google Doc thanks to @GossiTheDog https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true
- Applying these patches will impact the performance of the CPU. The level of impact varies based on your system configuration and capacity, however, there have been reports of 15-30% performance impact. For this reason, it is important that you accommodate for the performance hit before pushing updates.
- To limit the performance impact of unplanned patching, Microsoft has added a manual step. After the patch is installed, you need to manually enable a registry key. Without updating the registry key the system remains vulnerable; Reference.
- Microsoft has released KB4056892 patch for Windows 10. Patches for Windows 7 and 10 are expected to be released on January 9th.
- All of the commonly used browsers are also affected. However, patches for some of these are already available and are expected to be released for others soon: Firefox, Safari, Chrome.
- In case of Chrome version 63 (released in Decmber 2017), there is the option to enable Site Isolation feature. This feature can be enabled by entering the following in Chrome: chrome://flags/#enable-site-per-process; Reference.
In summary, here are the steps:
- Contact technology vendors and review their advisories
- Plan in advance for any performance impact
- Apply patches in the development environment first and test!
- it is important to deploy patches in accordance with your AV’s recommendation. There are public reports of the system crash (BSOD) due to incompatible AV.
As of this writing, following CVE identifications have been assigned: CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754. These can be used to track remediation efforts.
This is a developing story and it is advised that you closely monitor communications from your technology vendors.