February 5, 2018 – At this point in time, Alvaka Networks is not advising clients rush into applying Meltdown and Spectre patches. We don’t normally advocate waiting long to apply patches, but the situation is still so uncertain with software and hardware makers releasing and then recalling their patch and firmware updates. At this time, the risk of doing updates is potentially greater than the threat. We expect this situation to resolve itself shortly.
Here are some new and interesting updates on the Meltdown and Spectre problem:
- InSpectre – This utility was designed to clarify every system’s current situation so that appropriate measures can be taken to update the system’s hardware and software for maximum security and performance. It is written by Steve Gibson, who to me is a rock star in the computer world. I had my first contact with him circa 1986 when he walked into my office with a utility called SpinRite, for managing drive performance and data recovery. In Gibson fashion, it appears to be free at this time. Here is an InSpectre review from Computerworld; and I can say as of this writing, the problem with AV software has been resolved.
- Microsoft also has Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities, but it is difficult to decipher the information they provide.
Summary
Microsoft is aware of a new publicly disclosed class of vulnerabilities that are called “speculative execution side-channel attacks” that affect many modern processors and operating systems, including Intel, AMD, and ARM. Note: This issue also affects other operating systems, such as Android, Chrome, iOS, and MacOS. Therefore, we advise customers to seek guidance from those vendors. Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See the following sections for more details.
Microsoft has not yet received any information to indicate that these vulnerabilities have been used to attack customers. Microsoft is working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers. To get all available protections, hardware/firmware and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software as well.
The following sections will help you identify and mitigate client environments that are affected by the vulnerabilities that are identified in Microsoft Security Advisory ADV180002. Windows Update will also provide Internet Explorer and Edge mitigations. And we will continue to improve these mitigations against this class of vulnerabilities.
- This MeltdownAttack page continues to be a good repository of information, especially the bottom half that lists official infos/security advisories of involved/affected companies.
| Link | ||
|---|---|---|
| Intel | Security Advisory | Newsroom | Whitepaper | |
| ARM | Security Update | |
| AMD | Security Information | |
| RISC-V | Blog | |
| NVIDIA | Security Bulletin | Product Security | |
| Microsoft | Security Guidance | Information regarding anti-virus software | Azure Blog | Windows (Client) | Windows (Server) | |
| Amazon | Security Bulletin | |
| Project Zero Blog | Need to know | ||
| Android | Security Bulletin | |
| Apple | Apple Support | |
| Click here for the rest of the list…. |
- MSSQLTips – I found this website resource for patching SQL servers, but use your own caution and judgement when following their recommendations to make sure it works for your environment:
- SQL Servers Assessment for the Meltdown and Spectre Vulnerabilities
- Problem:
- 2018 started out with bad news for most IT professionals. A new “speculative execution side-channel attacks” vulnerability affected many modern processors and operating systems. This vulnerability is very complex and requires patching on many layers, including hardware, operating systems and the application layer.
- Database Administrators (DBAs) have to be prepared to patch every SQL Server starting with SQL Server version 2008 and the recommended patching procedure is different for different servers depending on SQL Server configuration settings and features used.
- Problem:
- SQL Servers Assessment for the Meltdown and Spectre Vulnerabilities
- SolarFlare – This is not an endorsement of this solution. We have not even tested it, but for those concerned about performance hits, SolarFlare is offering up a $199 per server solution that includes a hardware NIC and their software. They claim this combo is less than a 2% hit on performance. Click here to read more.
—Oli Thordarson, CEO of Alvaka Networks
Smoke testing is a term used to describe the testing process for servers after patches are applied. 
Estimating an average time for patching servers and PCs can be a bit tricky. It can vary from one month to the next, depending upon the number and complexity of the patches released by your software vendors. You must consider all versions of operating systems and have a complete inventory of all your application software to do this job correctly. Our experience has shown that manual patching of systems takes on average of about 1.5 hours each.
This is a basic cost calculator for you to compute your typical monthly cost for patching your servers, PCs, laptops, tablets and associated application software. It also forms the basis for you to begin calculating your Return on Investment for software patching, or for comparison with alternatives to the manual process of patching operating systems and application software—such as Patch Management as a Service, also known as Vulnerability Management as a Service.