Current Status on Meltdown and Spectre Patching
As previously mentioned, we cannot do anything about the physical issues with processors which have led to the Meltdown and Spectre vulnerabilities. However, Microsoft has started issuing patches that will mitigate the problem to a great degree.
In order to get these updates to the Operating System and Registry installed, we have to run a specific update for Trend Micro before that installation. Between Servers and Workstations, we have somewhere over 500 units to update. At this time, we have all Trend Agents updated with the exception of one site and expect to complete this action in the next week or so.
We have been working toward bringing all Trend agents under the online Managed Service Provider console but still have some older installations that are On-Premise (Agents that are managed and updated through the site Server). These will be transitioned as Trend renewals become due. The eventual goal there is to reduce your per-seat cost and have a central “Pane-of-Glass” to manage the antivirus application from anywhere we can access an Internet connection.
We don’t expect any major impact on our networks from these two vulnerabilities as the targets for this attack vector are more likely to be large data centers or Cloud-related providers. Still, there will likely be some performance hits once the final round of Registry patches is completed, and of special note will be older systems running Pentium 4 or early versions of Core2 and Core2 Duo processors. So once the update patches are in place and vendor updates to the BIOS are verified and installed, it will become painfully evident which machines will have to be replaced. This is made even more critical as we move ahead with the Windows 10 upgrades. If it won’t work under Windows 7, it will be even worse under Windows 10.
Windows 10 Upgrade Cycle Planning
Once again, we need to emphasize the high priority that needs to be placed on budgeting and planning. We have until January 2020 to complete the upgrade cycle to Windows 10. That may seem like a long time out but it will be here before you know it. If you wait too long to budget and plan for this, it will put your business at major risk for everything from the ability to handle daily operations to wide open security vulnerabilities. You can expect web sites, software vendors and others to cease support for older Browsers and Operating Systems and with the high conversion rate of software applications moving to the Cloud, outdated equipment will cease to work.
At the completion of the Windows 10 upgrade cycle, all machines under support will need to be Windows 10 Professional 64-bit. This means no Windows 10 Home, Windows 8 or Windows 7. We will be working with each site to compile a list of systems and their compatibility with Windows 10. Many units that have been in the field for years simply won’t be able to be upgraded. In some cases, units that are upgrade compatible may have to be considered for replacement as the cost of the Operating System software, additional RAM or larger hard drives and the required labor to complete an upgrade of that order will not be cost-effective.
Replacing systems that underperform due to the fixes for Meltdown and Spectre is self-evident. Many low-end units running Windows 8.1 which were designed primarily for web browsing (i.e., Acer, HP and Asus laptops with Intel ATOM processors and 2GB maximum RAM) will need to be replaced. And as mentioned, any Pentium 4 unit cannot go forward. Please consider this with all seriousness.
Recent Items of Note
A couple of things have popped up recently which need to be posted:
- On Sunday 28 January, Malwarebytes released an update to their Web Protection package which caused a major problem. Systems receiving this update ran out of memory and some may even have crashed as a result of this update. Malwarebytes engineers immediately released a fix but we had a number of units impacted by this release. At this point, we have uninstalled Malwarebytes on those systems for now and fully expect this to be resolved to the point that we can soon reinstall it where needed.
- In early January, Intel informed all major vendors to issue certain patches for Meltdown and Spectre. This led to immediate problems with system reboots, reboot loops and outright crashes. Intel “revised” their guidance to vendors and asked them to stop issuing these patches. However, they were already available on the vendor websites for Dell, HP, Asrock, Acer and Lenovo and some IT providers had started rolling these out to their client base. We are a little more cautious so none of this impacted our clients.
- The microcode utilized in the PC BIOS will need to be updated for Meltdown and Spectre. Some vendors have rushed out a BIOS Flash update with the result that some systems Bluescreen, others were “bricked” and only show a black screen with no boot up. As mentioned in the last blog post, we will not issue BIOS flash updates until everyone quits chasing their tails and gets a grip on this situation. BIOS updates will be done from here during the normal update cycle, if possible. Also, we’ll be testing BIOS flash updates on a “per-system-type” basis, meaning run the BIOS update on one OptiPlex 380, one OptiPlex 980, one OptiPlex 3020, etc. Once it’s verified on a specific model of PC, we’ll issue it to all others of that type and so forth.
- Cisco’s Umbrella product is one of the critical parts of our three-point security configuration (Trend is at the end user level, SonicWall is at the Gateway and Umbrella is at the web). Cisco changed the Umbrella pricing structure on us right after FY2018 Support Agreements were completed. With 400 user nodes, this raised the cost to us another $1536.00 per year. However, we’ll absorb the hit for this and no cost increases will be pushed to you for this year. The revised cost does include some major enhancements to Umbrella which include additional reporting, per user/unit web requests and tracking for infected download attempts and so forth. More info is always better and the cost for these features is minimal if it helps us help you…
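The “per-system-type” BIOS testing described in the list above can be expressed as a small rollout planner. This is an added example, not code from the original post: the function name, hostnames, BIOS versions, target versions and test outcomes are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory: hostnames and BIOS versions are made up.
INVENTORY = [
    {"host": "PC-01", "model": "OptiPlex 380", "bios": "A01"},
    {"host": "PC-02", "model": "OptiPlex 380", "bios": "A01"},
    {"host": "PC-03", "model": "OptiPlex 980", "bios": "A10"},
    {"host": "PC-04", "model": "OptiPlex 980", "bios": "A05"},
    {"host": "PC-05", "model": "OptiPlex 3020", "bios": "A02"},
    {"host": "PC-06", "model": "Unlisted Model", "bios": "1.0"},
]
# Hypothetical vetted target versions and canary test outcomes per model.
TARGETS = {"OptiPlex 380": "A07", "OptiPlex 980": "A10", "OptiPlex 3020": "A09"}
CANARY_RESULTS = {"OptiPlex 980": "pass", "OptiPlex 3020": "fail"}


def plan_rollout(inventory, targets, canary_results):
    """Return {host: action} for a staged, per-model BIOS update."""
    by_model = defaultdict(list)
    for unit in inventory:
        by_model[unit["model"]].append(unit)

    plan = {}
    for model, units in by_model.items():
        want = targets.get(model)
        if want is None:  # no vetted BIOS for this model: never flash blind
            plan.update({u["host"]: "skip: no vetted BIOS" for u in units})
            continue
        pending = sorted(u["host"] for u in units if u["bios"] != want)
        plan.update({u["host"]: "done" for u in units if u["bios"] == want})
        result = canary_results.get(model)
        if result == "pass":  # verified on this model: release to the rest
            plan.update({h: "update" for h in pending})
        elif result == "fail":  # bad flash on the test unit: freeze the model
            plan.update({h: "hold: canary failed" for h in pending})
        elif pending:  # untested model: flash exactly one unit first
            plan[pending[0]] = "canary"
            plan.update({h: "hold: awaiting canary" for h in pending[1:]})
    return plan


if __name__ == "__main__":
    for host, action in sorted(plan_rollout(INVENTORY, TARGETS, CANARY_RESULTS).items()):
        print(f"{host}: {action}")
```

A model with a failed test unit stays frozen until its result is changed, so a bad vendor flash reaches at most one machine of that type.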
If you have a question that you would like us to answer, send it to me at firstname.lastname@example.org and I’ll post the answer here as most questions we get do tend to apply to many others…