Here's How 17 Security Vendors Are Handling The Meltdown And Spectre Vulnerabilities
The Pathway To Getting Patched
The Meltdown and Spectre exploits uncovered late Wednesday are some of the broadest security vulnerabilities the channel community has ever faced, affecting a wide swath of mobile devices, desktops, laptops and servers running in cloud environments.
But many anti-virus providers are having to grapple with an additional complication centered around this week's Windows security update that patches the vulnerability. Specifically, Microsoft said some anti-virus applications make unsupported calls into Windows kernel memory, which may cause Blue Screen of Death errors and make a device unable to boot.
As a result, Microsoft said it is only offering the Windows security update addressing the Meltdown and Spectre bugs to devices running anti-virus products from vendors that have confirmed the compatibility of their software.
Here's a look at how 17 of the IT industry's leading endpoint security vendors are establishing compatibility with the Microsoft patch, as well as what additional actions they're taking to keep customers safe in the wake of this unprecedented microprocessor vulnerability.
Avast Software confirmed in a forum on its website that, after issuing a micro-update Wednesday, the company's anti-virus software is compatible with Microsoft's fix for the Intel chip.
The Prague, Czech Republic-based security software vendor said the fix should be present on Avast Endpoint Protection 8 and all subsequent versions.
Bitdefender said on the Support section of its website that it is running extensive compatibility tests with all supported operating systems.
As soon as the Bucharest, Romania-based cybersecurity vendor validates Microsoft's security update against all of Bitdefender's supported consumer and business products, the company said it will deliver an automatic update that enables the installation of Microsoft's fix.
Check Point Software Technologies
Check Point said the Meltdown and Spectre exploits rely on local privilege escalation attacks, through which a local process is able to access or run code that requires higher privilege or wasn't supposed to be accessible at all.
But since code execution privileges for Check Point appliances are provided to administrators only, the Tel Aviv, Israel-based network security vendor said in its online Support Center that privilege escalation attacks are of lower relevance to the company's appliances.
Check Point said it is working with relevant parties to create a patch. But since the attack vector is only of low severity for the company's appliances, Check Point said it plans to provide a patch only after the company has confidence in its quality and performance impact.
CrowdStrike said that all released versions of its Falcon endpoint protection platform are already fully compatible with the Windows update.
Therefore, the Sunnyvale, Calif.-based cybersecurity vendor said that customers that have enabled the next-gen option in the Falcon user interface can safely apply the Microsoft patch.
Registering CrowdStrike with the Windows Security Center as a user's anti-virus protection disables Windows Defender anti-malware and results in all Windows executable files deemed malicious being blocked and quarantined to a safe location.
Cylance said Thursday that its quality assurance teams are working around the clock to determine if the pending patches expected to be deployed by various operating system vendors will have any impact on the agent.
The Irvine, Calif.-based cybersecurity software developer said that initial tests show no impact to the CylanceProtect endpoint security product or the CylanceOptics endpoint detection and response (EDR) product from a compatibility perspective, according to a blog post Thursday.
Cylance said its Threat Guidance team has confirmed that there are no malware kits taking advantage of the Meltdown or Spectre vulnerabilities via rogue executables, which the vendor's technology would prevent.
The registry key that Microsoft requires anti-virus products to set will only be needed if customers wish to use Windows automatic updates, according to the company. If the update is applied manually, the registry key is not required. Cylance said it is carrying out a full spectrum of quality assurance testing and will follow with full instructions on updating.
The patches released by Microsoft do not impact the Endgame agent in any way, and the Arlington, Va.-based endpoint protection vendor does not interfere with patches being applied across the enterprise.
Endgame customers will see no performance impact after applying the Microsoft patches, according to a post on the company's executive blog Thursday.
More broadly, Endgame said its protections apply across the breadth of the attack matrix and therefore provide holistic coverage against the delivery mechanisms in the Meltdown and Spectre attacks.
The company said its multi-layer approach is particularly well-positioned to stop a targeted attack leveraging these new exploits before damage and loss occur.
F-Secure said in its Help Forums Thursday that it was testing all product and operating system configurations to ensure full compatibility with the Windows Update.
Once the Helsinki, Finland-based cybersecurity vendor has concluded its testing, F-Secure said it would release an automatic product update that allows Windows updates to continue to apply as normal.
As of late Thursday, F-Secure had published an update applicable to internet security product Safe PC 17 as well as subsequent versions. The company estimated that fixes for its legacy or older products would be published Friday.
Juniper said its security incident response team is actively investigating the impact of Intel's processor security vulnerability on the Sunnyvale, Calif.-based network equipment and security vendor's products and services.
Intel processors with vulnerabilities are used in Juniper products such as Junos OS with Intel-based REs, Junos Space Appliance, some of the NSM appliances and the CTP appliance, according to an article posted by Juniper to the J-Net Discussion forum.
To mitigate this vulnerability, Juniper recommends that access to critical infrastructure networking equipment be limited to only trusted administrators from trusted administrative networks or hosts.
Patches for other Juniper products will be provided as soon as they are made available by the operating system vendors, according to the company.
Microsoft's security update has compatibility issues with Kaspersky's Anti-Ransomware Tool, Kaspersky Small Office Security, and a Windows version of Kaspersky Endpoint Security 10 and Kaspersky Endpoint Security Cloud, according to the Support section on the company's website.
The Moscow-based anti-virus provider said its other Windows-based endpoint solutions for businesses were not affected.
Kaspersky said that before Tuesday it will release the patch and update the installers on its website and in the Kaspersky Endpoint Security Cloud console so that the vendor's applications install correctly on computers with the Microsoft security update installed.
Kaspersky Security Researcher Jornt van der Wiel said in a blog post Thursday that it's important for users to install the latest security updates as soon as they're available, since it won't take long for bad actors to start exploiting these vulnerabilities.
All Malwarebytes users are able to receive the Microsoft patch to mitigate Meltdown thanks to a database update Thursday, according to a blog post on the company's website.
Prior to the update, most users could already receive the latest Microsoft update, with the Santa Clara, Calif.-based internet security vendor working to ensure that its entire user base has access to the patch.
Malwarebytes cautions that Microsoft's fix comes with a significant impact on performance. A Microsoft advisory recommends that users keep computers up to date and install applicable firmware updates provided by OEM device manufacturers.
No software patch for Spectre is currently available, according to Malwarebytes. Partial hardening and mitigations are being worked on, but Malwarebytes said they are unlikely to be published soon.
McAfee said its compatibility testing has been under way since Microsoft released its update Wednesday. The Santa Clara, Calif.-based security software company said testing had been completed for 10 of its products, all of which have been confirmed as compatible with the Microsoft update.
Testing is also under way for McAfee's Linux and MacOS-based products, its cloud services infrastructure, and its appliance-based products. No issues have been found in any of those areas thus far, according to McAfee.
Although McAfee expects most remediation to come from processor and operating system updates, the vendor said it is currently evaluating opportunities to provide detection within the scope of its products, according to a blog post Thursday. Based on published proofs of concept, McAfee said it is providing some limited detection for Spectre, focused around OSX, Linux and Trojan.
Qualys said Thursday it has released several identification numbers for detecting missing patches for these vulnerabilities, according to a blog post.
The Foster City, Calif.-based cloud security company said its cloud agent can be used to detect processor types.
All told, Qualys said it is capable of helping security teams inventory their systems by processor type, apply vendor patches as they become available, and track progress.
Sophos has completed testing of installing the Microsoft patch and can confirm no compatibility issues were seen, according to an advisory posted Thursday to its online Knowledge Base.
The Oxfordshire, England-based security software and hardware vendor will begin to automatically add a registry key to the following products starting Friday: Sophos Central Endpoints/Servers; Sophos Enterprise Console Endpoints/Servers; Sophos Endpoint Standalone; Sophos Virtual Environment; and Sophos Home.
Customers wishing to apply the patch ahead of the Sophos update can either set the registry key manually or manually download and apply the patch without the registry key, according to Sophos.
Sophos said it is also evaluating products such as its XG Firewall, Unified Threat Management (UTM), and other appliances that run on Linux and Intel hardware to ensure that they are appropriately protected against this vulnerability.
Microsoft's security update contained a compatibility issue with a previously scheduled engine update to the Symantec Endpoint Protection Eraser scanning tool. As a result, the Mountain View, Calif.-based cybersecurity software company decided to move the Eraser engine release up from Jan. 8 to Jan. 4.
The Microsoft security update should only be visible to the end user once the Eraser engine update has been applied, Symantec said. In the unlikely event a user installs the Windows Update without updating the Eraser engine, Symantec said the user may encounter a Blue Screen of Death upon executing an on-demand, scheduled, or active scan.
All of the malicious activities associated with the vulnerabilities can be blocked by Symantec products, according to a blog post Thursday by Symantec's security response team. Nevertheless, the vendor advises users to apply the operating system patches as soon as they are made available.
Trend Micro's commercial endpoint and server security products – including Trend Micro OfficeScan, Worry-Free Business Security and Deep Security – are all affected by the new Microsoft patch requirements.
The Tokyo-based security company said it has completed testing on seven of its endpoint and server security products, according to an article on the Business Support section of the company's website.
Trend Micro said it is finalizing patches that enable the specific registry key through the product for affected clients. These patches are not yet available, the company said.
The company said that most personal computers and virtual machines will not see much degradation in response time after installing the Microsoft patch.
Vipre said it is currently testing supported versions of its product for compatibility with the Microsoft patch, according to a critical alert on the business support section of the company's website.
As compatibility is confirmed, the Clearwater, Fla.-based security vendor said it will push out the associated registry key change – and hot fix, if necessary – as required by Microsoft. All 10 of Vipre's endpoint security, business, advanced security and internet security products are still being tested for compatibility.
To fix the vulnerabilities, Vipre said Microsoft has made fundamental changes to how Windows manages and accesses memory. These changes will have a residual impact on many applications running under Windows, according to Vipre.
Webroot said it has tested the current released version of its SecureAnywhere anti-virus product and has confirmed compatibility with the Microsoft patch, according to a Webroot post in the Business Community forum.
The Broomfield, Colo.-based internet security company said that Microsoft requires that a registry key be set before deploying the patch. Webroot said it has released a file that contains the necessary registry key setting to make that process easier to execute.
Within the next week, Webroot said it will be releasing its next version of SecureAnywhere that, among other enhancements, will automatically set the registry key required to receive the security patch from Microsoft.
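The registry-key gate described for Cylance, Sophos and Webroot above can be checked from an administrator's console. The following script is an added example, not code from the article or from any vendor it names; the key path and value name are placeholder parameters that must be replaced with the ones published in Microsoft's advisory for the update.

```powershell
<#
Added example: report whether the anti-virus compatibility registry value that
Microsoft requires before offering the January 2018 update is present, and
create it only when -Set is given. KeyPath and ValueName default to labelled
placeholders; copy the real ones from Microsoft's advisory (assumption: the
value is a REG_DWORD, which is why -ValueData is an integer).
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$KeyPath   = 'HKLM:\SOFTWARE\PLACEHOLDER-compat-key',
    [string]$ValueName = 'PLACEHOLDER-value-name',
    [int]$ValueData    = 0,
    [switch]$Set
)

if ($KeyPath -like '*PLACEHOLDER*' -or $ValueName -like '*PLACEHOLDER*') {
    throw 'Replace the placeholder key path and value name with the ones from the Microsoft advisory.'
}

# Read the current value without throwing when the key or the value is absent.
$current = $null
if (Test-Path -LiteralPath $KeyPath) {
    $current = (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
}

if ($null -eq $current) {
    $state = 'Absent'       # Windows Update will not offer the patch to this machine
} elseif ([int]$current -eq $ValueData) {
    $state = 'Present'      # machine is cleared to receive the patch automatically
} else {
    $state = 'WrongData'    # value exists but does not carry the required data
}
Write-Output ("Compatibility value state: {0} ({1}\{2})" -f $state, $KeyPath, $ValueName)

if ($Set -and $state -ne 'Present') {
    # Set this only after the installed anti-virus vendor has confirmed
    # compatibility: the value is the signal Microsoft uses to deliver the patch.
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Create REG_DWORD = $ValueData")) {
        if (-not (Test-Path -LiteralPath $KeyPath)) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
        New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -PropertyType DWord -Value $ValueData -Force | Out-Null
        Write-Output 'Compatibility value created.'
    }
}
```

Run it without -Set to audit a machine; with -Set -WhatIf it prints what it would create without touching the registry.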