Solution Providers: It's Time To Restart The Clock On Spectre, Meltdown Patch Rollout Time Line
Solution providers say there is no clear time line for the resolution of Spectre and Meltdown security exploits now that Intel has stopped deployment of current versions of patches.
Marc Harrison, president of Silicon East, a Marlboro, N.J.-based Intel partner, said that the guidance from Intel around its strategy for dealing with the Spectre and Meltdown flaws has been "muddied."
Harrison said he hopes that Intel will soon correct its patching issues so that solution providers can move forward but thinks that the company is still weeks – if not months – away from a "definitive response" due to the extensive testing necessary for patches and fixes.
’Intel doesn't seem like they have a good handle on what's going on and they're rushing to put out patches,’ he said. ’I hope it will shake out and we'll have some solid patching we can do. We're waiting at this point for the next steps. … The most important part is setting up perimeter defenses and a good firewall to keep people out in the first place."
John Barker, co-founder and CEO of Versatile, Marlborough, Mass., said he expects the patching and testing for the new Intel patches to be completed over the next 90 days. "There are too many interdependencies that we will need to look at and test for," he said. "We are having discussions with our customers on what the plan of attack is moving forward."
The Spectre and Meltdown exploits have put solution providers front and center as trusted advisers in a complex, multivendor ecosystem of patches and security updates, said Barker. "There is a lot of mixed information out there," he said. "You need a trusted adviser to sort through it and give you the real skinny. We do this kind of thing all the time. We are using our cumulative technical expertise dealing with multivendor environments and applications in defense of our customers."
Versatile offers a variety of managed services that assist customers grappling with the fallout from Spectre and Meltdown. "These patches need to be thoroughly tested," he said. "You can't behave like you're in a DevOps environment, which is what it feels like right now."
Intel Monday told customers and solution providers to cease deployment of the company's patches for the Spectre exploit after it acknowledged the patch was creating reboot issues for its Broadwell and Haswell chips. Further, Intel asked solution providers to focus efforts on testing "early versions" of new patches so the company can "accelerate" the release schedule. Intel, Santa Clara, Calif., said it expects to "share more details on timing later this week."
"We thought we were getting to the end of the game until yesterday when Intel put the brakes on the current patches; now we are back at square one," said Bob Venero, CEO of Holbrook, N.Y.-based solution provider Future Tech, No. 119 on the 2017 CRN Solution Provider 500. "I don't have a crystal ball. We had a call with one of our larger customers yesterday and told them whatever the time line is now you need to double it because we don't know if there are going to be additional challenges that will slow down deployment. IT executives are losing face. It's time to restart the clock. Right now if you are patching, you are causing more problems in your IT environment and creating more work for customers."
Venero said the new release schedule likely will be lengthened by rigorous testing from the broad swath of Intel partners from PC and server OEMs to software vendors and cloud service providers. "You are going to see OEMs and OS vendors take a much longer time to test and vet the new patches to make sure they don't roll something out that will potentially wreak havoc," he said.
Among the major vendors that have been hit hard is VMware, which retracted faulty Intel firmware patches that were causing unexpected reboots. AMD, meanwhile, was forced to backtrack on claims that it had a "near-zero risk" to the Spectre security flaw. AMD's acknowledgement that it would issue microcode and patch updates came after some users who installed the latest Windows security update experienced freezing on devices with AMD processors.
The Spectre and Meltdown security exploits, which were revealed in early January, have set off an unprecedented security offensive with literally every segment of the industry impacted. "I have never seen anything so vast, impactful and risky for everyone as this," said Future Tech's Venero. "Right now no one has successfully attacked the vulnerability, but I believe it is only a matter of time before it will be exploited."
One Intel system builder, who did not want to be identified, said Intel needs to do more to emphasize the "far-flung risks that are running rampant" in the wake of the Spectre and Meltdown threats. "The actual risk versus the perception is way off," said the executive.