Vulnerabilities / Threats

1/11/2018
05:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Survey Suggests Many Are Still Waiting for Spectre, Meltdown Windows Updates

Microsoft's insistence on a specific registry key setting for offering the updates on systems appears to be the issue, security vendor Barkly says.

The results of a small survey suggest that many organizations could still be waiting to receive updates for patching their Windows systems against the critical Spectre and Meltdown microprocessor vulnerabilities disclosed last week.

The vulnerabilities affect a wide set of products and give attackers a way to read sensitive data in system memory, including encryption keys and passwords.

Security vendor Barkly this week surveyed 75 IT pros responsible for managing security updates at their organizations and found more than half said they had received updates for barely 25% of their vulnerable Windows systems. A surprising 26% said that none of their Windows systems had received an update even one week after Microsoft rushed them out in an out-of-cycle patch release.

The reason for the delay appears to be Microsoft's insistence that all vendors of antivirus products set a specific registry key on customer devices after they have verified their products to be compatible in order to avoid potential patch compatibility issues, Barkly said.

According to Microsoft, when AV products make unsupported calls to Windows kernel memory, the updates could cause computers to crash as a result, so it will not offer updates on computers without the required registry key. Systems that have not received the security updates are likely running incompatible AV products, and users should consult with their vendors directly on addressing the problem in such instances, Microsoft has said.

The compatibility issues add to concerns that fixes for Spectre and Meltdown could severely degrade system performance — in some cases by up to 30%.

"During tests, Microsoft discovered that their new [update] was creating instability with other low-level system management and protection products, notably some antivirus technologies," says Barkly co-founder and CTO Jack Danahy.

To address this, Microsoft has made delivery of the Windows security updates contingent on the presence of a special registry key. "It has recommended that AV vendors add this key to customer devices only after they've confirmed their products are compatible," Danahy says.

The problem is that AV vendors have taken different approaches to addressing Microsoft's requirement. Some have taken it upon themselves to set the required key — even if their AV software itself is compatible. Others have recommended that users add the registry key themselves manually. Twenty-five percent of the respondents in the Barkly survey, for instance, said their AV vendor had made the change, while 20% said their vendor recommended they do it themselves manually.

Compounding the situation is the fact that many organizations do not appear to be aware of Microsoft's stipulation. Forty-six of the respondents in the survey did not know about the need for a specific registry key, making it unlikely they would contact their AV vendor about it. And many AV vendors themselves do not appear to have been very proactive in informing customers of what's going on. Only 42% of respondents in the Barkly survey said their AV vendor had notified them regarding their product's compatibility with the patch.

"There is an added risk here that organizations running multiple AV products, or running varying versions of AV products, may find themselves adding the key universally and causing these stability problems to surface on mismatched versions," Danahy says.

Issues with patch updates are certainly not new. Even with critical vulnerabilities such as Meltdown and Spectre, enterprises often adopt a make-haste-slowly approach to deploying patches for fear of disrupting their systems. If patches are not tested properly, they can often break systems and cause more problems for organizations than if the patches had not been deployed at all.

Even so, concerns about attackers exploiting unpatched vulnerabilities have pushed enterprises to patch more quickly these days. A new survey by Tripwire and Dimensional Research released this week shows that a majority of organizations — 78% — patch all detected vulnerabilities on their network within 30 days of discovery. About four in 10 do it in less than 15 days, while 46% said they'd probably not wait more than seven days in order to start patching vulnerabilities.

"Some organizations are very prompt, automatically acquiring and applying patches as soon as they are available," while others lag, Danahy says. With the updates for Spectre and Meltdown, organizations appear to be more inclined to patch quickly, he notes.

"I think that we are seeing a much more responsive community to this particular patch," he says. "But it is an 80/20 proposition, where 80% are being even more prompt that they ordinarily would be, but the other 20% is probably going to lag behind by an even longer testing interval."

Related content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.