Meltdown – Issues with CPU microcode fixes and the need for risk assessments
Bearing in mind how little time there has been for testing it’s little surprise that the CPU patches being released are causing issues. The BBC story probably gives some insight.
Why are these issues happening
The main issue is that a release cycle which would normally take a couple of years is being crammed into just a few weeks. This would normally involve vendors testing their software with the new CPU and microcode – and then fixing any issues.
We are now seeing not just one new CPU model being introduced with the associated microcode. We are seeing a re-release of all recent models of CPU.
The real question now for IT and security specialists is where the balance lies between the risk of patching and not patching. Processor exceptions (blue screen of death) may be annoying on desktops. If the same issues were to occur on servers then this would be extremely disruptive. Imagine for example a database server randomly re-booting, losing data – and taking 10-15 minutes to come back online.
The Need for Risk Assessment
This is one scenario where a serious risk assessment needs to be performed before patching systems. The following need to be balanced –
- The risk of the exploit being used to compromise security
- The risk of applying the patch compromising availability and reliability of services
In looking at this once again IT and Information Security professionals need to look at possible modes of attack. The main risk is with
- Browsers – and other interfaces on endpoints that interact with the internet
- Hypervisors in multi-tenancy environments
- Hypervisors where machines on different firewall segments are on the same physical host
In any case the realistic risk of an attack needs to be balanced against a fairly high probability service disruption.
The best advice at the moment is probably to start patching the less mission critical services. The allows patch stability to be assessed – and starts to lower the attack surface area. The other priority is to lower the attach service area by removing unnecessary software and services.