Patching the Meltdown Patch

According to meltdownattack.com, these hardware vulnerabilities allow programs to steal data that is currently being processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

It turns out the patch that Microsoft created for Meltdown could be worse than the original Meltdown vulnerability. Ulf Frisk, a Swedish penetration tester, warns in his blog:

“Did you think Meltdown was bad? Unprivileged applications being able to read kernel memory at speeds possibly as high as megabytes per second was not a good thing.

Meet the Windows 7 Meltdown patch from January. It stopped Meltdown but opened up a vulnerability way worse … It allowed any process to read the complete memory contents at gigabytes per second, oh – it was possible to write to arbitrary memory as well.

How is this possible?
In short – the User/Supervisor permission bit was set to User in the PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself.”

Read more at https://blog.frizk.net/
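To make the page-table detail in the quoted post concrete, here is an added C example (not code from the post, from Ulf Frisk or from Microsoft) that decodes the flag bits of an x86-64 paging-structure entry and checks whether a PML4 self-reference entry would expose the page tables to user mode, which is the condition the post describes. The sample entry values, the PML4 physical address and the PML4 index 0x1ED used for the self-map address calculation are constructed assumptions; the bit layout itself follows the x86-64 architecture.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag bits of an x86-64 paging-structure entry (same layout at every level). */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_WRITE     (1ULL << 1)
#define PTE_USER      (1ULL << 2)            /* U/S bit: 1 = user mode may access */
#define PTE_NX        (1ULL << 63)
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL  /* bits 12..51 hold the physical address */

typedef struct {
    bool present, writable, user, nx;
    uint64_t phys;
} pte_info;

/* Split an entry into its flag bits and the physical address it points to. */
pte_info decode_pte(uint64_t e) {
    pte_info i;
    i.present  = (e & PTE_PRESENT) != 0;
    i.writable = (e & PTE_WRITE) != 0;
    i.user     = (e & PTE_USER) != 0;
    i.nx       = (e & PTE_NX) != 0;
    i.phys     = e & PTE_ADDR_MASK;
    return i;
}

/* A PML4 entry is self-referencing when it points back at the PML4 table itself. */
bool is_self_referencing(uint64_t pml4e, uint64_t pml4_phys) {
    return (pml4e & PTE_PRESENT) &&
           ((pml4e & PTE_ADDR_MASK) == (pml4_phys & PTE_ADDR_MASK));
}

/* The condition the post describes: the self-reference entry is present and has
   U/S set, so every page-table page becomes accessible to user mode (and
   writable as well when R/W is also set). A correct kernel keeps U/S clear here. */
bool self_ref_exposes_tables_to_user(uint64_t pml4e, uint64_t pml4_phys) {
    return is_self_referencing(pml4e, pml4_phys) && (pml4e & PTE_USER) != 0;
}

/* Canonical virtual address at which the PML4 table itself appears when PML4 slot
   `idx` is the self-reference: idx repeated at all four 9-bit index positions,
   then sign-extended from bit 47. */
uint64_t self_map_pml4_va(unsigned idx) {
    uint64_t va = ((uint64_t)idx << 39) | ((uint64_t)idx << 30) |
                  ((uint64_t)idx << 21) | ((uint64_t)idx << 12);
    if (va & (1ULL << 47)) va |= 0xFFFF000000000000ULL;
    return va;
}

/* Constructed sample entries (assumed values, not taken from a real system):
   PML4 at physical 0x1AB0000; 0x67 = P|RW|US|A|D, 0x63 = P|RW|A|D. */
#define SAMPLE_PML4_PHYS      0x0000000001AB0000ULL
#define SAMPLE_SELFREF_USER   0x0000000001AB0067ULL  /* the state the faulty patch left */
#define SAMPLE_SELFREF_SUPER  0x0000000001AB0063ULL  /* supervisor-only, as expected */

static void report(const char *label, uint64_t e) {
    pte_info i = decode_pte(e);
    printf("%-22s phys=%#010llx P=%d RW=%d US=%d NX=%d -> %s\n", label,
           (unsigned long long)i.phys, i.present, i.writable, i.user, i.nx,
           self_ref_exposes_tables_to_user(e, SAMPLE_PML4_PHYS)
               ? "page tables reachable from user mode"
               : "page tables kernel-only");
}

int main(void) {
    report("faulty self-ref:", SAMPLE_SELFREF_USER);
    report("expected self-ref:", SAMPLE_SELFREF_SUPER);
    /* 0x1ED is used here only as an assumed example index. */
    printf("self-map VA for PML4 index 0x1ED: %#llx\n",
           (unsigned long long)self_map_pml4_va(0x1ED));
    return 0;
}
```

The check mirrors the post's explanation: a single U/S bit in one PML4 slot is enough to flip the whole page-table hierarchy from kernel-only to user-accessible, because the self-reference maps every table page through that one entry. That is why a fix at the entry level (clearing the bit) closes the exposure without touching any other mapping.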

Last week, Microsoft released an out-of-cycle security patch to address the problems created by the original patch.

Meltdown Patch: CVE-2018-1038 | Windows Kernel Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.

The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.

More on the update from Microsoft: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1038#ID0EWIAC

Patch Management Policy

Patching is an issue we discuss often; in fact, it’s one of the top 5 common cyber threats. Did you know:

  • 45% of companies are not using a dedicated patch management solution to distribute and manage software updates.
  • 72% of decision-makers do not deploy a patch within 24 hours after it is released to the public.
  • Failure to patch caused the infamous Equifax breach, releasing the data of 143 million people.

In a recent interview, Chris Goettl, director of product management at Ivanti, said the vulnerability created by the Microsoft patch is pretty significant and something that needs to be addressed with haste, if possible.

“When Microsoft issued a fix for Windows 7 and Windows Server 2008, they made a mistake and ended up opening up read and write access in RAM so anybody could access anything in memory and write to it,” he says. “It is a significant vulnerability and leaves those systems pretty much exposed” without the update.

If you don’t have time to test the new patch, a best practice may be to roll back to the March update and wait for Microsoft’s next update on April 11.

“We are close to the April update,” Goettl says. “Our guidance is to either apply the new update or roll back the March update,” for Windows 7 x64 systems and Windows Server 2008 x64 systems, he says.

Patches a Problem?

Message from Meltdown and Spectre: Create a Patching Strategy!

“Those who patch, prevail.” – Unknown

While patching may be the most boring, thankless job in the IT department, it could be the one that prevents the most cyber attacks. Hackers use known vulnerabilities to launch attacks on businesses. Having your systems updated and patched may be the best first line of defense.

On January 3rd, 2018, Meltdown and Spectre were revealed. These security flaws exist in nearly every Intel CPU built since 1995. Both vulnerabilities involve speculative execution side channels that can be exploited to steal sensitive data from the devices in your network.

The Meltdown vulnerability, CVE-2017-5754, can potentially allow hackers to bypass the hardware barrier between applications and kernel or host memory.

The Spectre vulnerability has two variants: CVE-2017-5753 and CVE-2017-5715. These vulnerabilities break isolation between separate applications.

Both flaws provide hackers with a way of stealing data, including passwords and other sensitive information. If hackers manage to get their software running on a machine with one of these chips, they can grab data from other software running on the same machine.

While these flaws are unusual, since the vulnerabilities were found in the way the chips were manufactured, there is a way to help prevent damage. You guessed it: patching! But it’s not that simple…

Simply applying patches will not fix the Meltdown and Spectre vulnerabilities. Your team should take the time to test patches to minimize the impact on your hardware and applications. Be sure to use industry best practices and thoroughly test each patch before implementing it company-wide.

Bleeping Computer maintains a full list of the patches and updates available.

Let’s make patching the best, most rewarding job in the IT department. Remember WannaCry? And how many companies would have been protected if they had used the patch made available by Microsoft? Don’t wait for the next attack!

Plan to Fail = Plan to Win

When any new cyber attack or vulnerability is announced, many companies panic and create more disorder than is necessary. The best thing your organization can do is to plan to be attacked and monitor your network as if you are currently being compromised. Have a strategy ahead of time. Discuss worst-case scenarios with management and have a communications plan in case something goes wrong.

We recently discussed how the cyber attacks of 2017 didn’t change the attitude or security budget of many organizations around their cyber risk strategy. In addition to making patching part of your core strategy, there are typically five fundamental services that should be done proactively to help protect your organization. Those services include 24×7 SIEM with security monitoring, vulnerability management, patch management, endpoint detection and response, as well as security awareness training. Together these services help you create a solid security practice that ensures compliance and proactively protects your organization.

To make it even easier, all five services are available in one integrated package called PREtect from Cybriant. Find out more: https://www.cybriant.com/pretect

By planning to be attacked, you will be aware of what is on your network. You’ll be able to protect your organization and reduce the dwell time of those attacks.