Processor Security Flaw: MSPs Emphasize Careful Patch Testing, Disciplined Approach In Addressing Spectre And Meltdown Threats

For managed service providers and vendors that deal with cyberthreats daily, the vulnerabilities recently reported in Intel and other processors are just the latest security concern to fall under a national microscope. And, unfortunately, they've seen broad exposures like these becoming an increasingly common part of life in the IT world.

"It's becoming much more of a reality than not in the overall landscape," said Brian Downey, senior director of software product management at Boston-based Continuum. "I've been telling [partners] this isn't something to overly panic about. There are a lot of vulnerabilities out there in every environment. It starts with the fundamental security practices you want to employ to avoid not just this attack, but future ones like this. They're going to keep coming."

Dubbed Spectre and Meltdown, the flaws discovered by Google Project Zero potentially allow bad actors to change how an application works based on the contents of memory or leak Linux kernel memory (Spectre) and read kernel memory via an application (Meltdown). Patches have either already been released or are being rushed out by Intel as well as OS and cloud providers like Microsoft, Google, Amazon and Apple.

[Related: Intel says Spectre and Meltdown are not a result of flaws in processors]

No known instances of malware exploitation have yet affected processors in PCs or servers in the field, according to Intel. MSPs are still pushing to issue the patches sooner than later, but many – like Lone Tree, Colo.-based Anchor Network Solutions – want to remain cautious with their deployment.

"Anytime there's an emergency patch, you've got to be careful, because sometimes Microsoft writes them in haste and in the end it brings other things," CEO Vince Tinnirello told CRN. "You have to be careful, test it first, and then deploy it to the masses."

Paul Breitenbach CTO of Jacksonville, Fla.-based CompassMSP echoed that disciplined outlook, saying that MSPs will want to ensure clients are using certified anti-virus vendors that meet OS patch requirements in order to prevent blue-screening on servers and PCs.

He also emphasized the need to set customer expectations when it comes to any performance loss that may occur during the vulnerability patching process. Some industry experts, he said, have estimated the CPU performance degradation could be as little as an "imperceptible" 5 percent or as high as 30 percent on systems, depending upon which applications and tasks are being run at the time.

"None of our clients we're particularly worried about," Breitenbach said. "We monitor the metrics of their servers to make sure they're not on the edge of any kind of performance [loss] on an ongoing basis. Having that overhead and keeping that overhead on the systems they do use and at peak usage times, it's not going to be detrimental to them. For MSPs and shops that don't make recommendations with regard to systems overhead, it could be something of concern for them."

Patch-related performance loss would be caused by the separation of user application and kernel memory into two locations, but Datto CISO Ryan Weeks said in a statement to CRN that it's difficult to tell how serious the effects may be. He advised MSPs to weigh data security risks against system performance risks with regard to patch deployment, and noted that MSPs have an important role to play with regard to threat education.

Intel has emphasized that Spectre and Meltdown apply to all major chip manufacturers, including AMD and ARM. The difference comes down to the performance effects – Breitenbach said Intel is alleged to see the most because of its mitigation techniques, but to what degree is unclear.

Kaseya MSPs can deploy Microsoft and Apple's Meltdown patches in bulk via VSA, Kaseya General Manager for VSA Frank Tisellano, Jr., said in a statement to CRN. Kaseya, Waltham, Mass., has added related content to its Automation Exchange and pledges to continue doing so in the coming days to provide MSPs with further protection tools.

Tisellano maintains that while the impact of performance delays remains speculative, the effects have been "relatively limited to this point."

"The details around Meltdown and Spectre are changing by the minute. To ensure that our customers are armed with the most up-to-date countermeasures to mitigate these vulnerabilities, the Kaseya Cybersecurity Task Force is on hand and at the ready to proactively share information and resolutions as they develop," Tisellano said.

Anchor Network's Tinnirello said his company, an Autotask and Datto partner, has contingency plans to distribute Microsoft's patch to every endpoint via its RMM tool. His team plans to conduct internal testing first and then deploy it in stages early next week.

"You can't get crazy about it and jump into pure firefighting mode. It needs to be dealt with in a relatively timely fashion," Tinnirello said. "The reality is, most malware is built to expose older things. Microsoft is going to push a patch out right away because they don't want to get caught with their pants down. But very often hackers are just figuring it out too. Often they'll write the code to expose people who haven't done anything about it.

"I'm not minimizing it, but it usually doesn't happen within days. It's months."

Continuum's Downey shared those same sentiments. While the hardware exploitation of Spectre and Meltdown make the threat somewhat distinct – although last year's Krack Wi-FI vulnerability shares that particular characteristic – he said adequate password protection and a layered security approach should mitigate most issues.

"The reality is all those layers have holes. There's always holes. All these layers are porous. You should accept the fact that there's going to be gaps," Downey said. "This [Spectre and Meltdown] is just another pinhole in those layers of protection. It's not one that would panic me. Look at it and take a very proactive approach. … It's really advanced attacks that have access to a machine. That's a fairly narrow attack vector."