Jan 4 2018: Hardware Vulnerability Patching Schedule

In the last few days rumors of terrible, CPU-level security vulnerabilities have been appearing in the tech news. Last night the embargo on details was broken, and it's quite a mess. The BCG will need to patch all machines in the department, probably more than once, to address the problems.

Over the next week, please:

  1. Log out if you are away from a machine more than a few hours (including remotely). This lets us patch machines when we see no one is logged into them.
  2. Avoid long-running compute jobs, either directly or through condor. This will minimize work lost when we reboot a machine.

One of the two vulnerabilities cannot be fully solved short of replacing the CPU. The patches for that are work-arounds which try to minimize the risk of the vulnerability. These patches do degrade the performance somewhat, from nearly 20% for certain kinds of database tasks, to more modest 3-5% hits for purely computational work. What the hit will be like for average, daily workloads is not yet clear.

Patches are already available for all three of our platforms: Windows, macOS, and Linux. We have already begun to apply patches on free machines. As firmware updates become available, BCG staff will need to visit people's desktop machines and spend time with laptops.

There are two different vulnerabilities: Meltdown and Spectre. Meltdown can be patched. Spectre is going to be harder to fix.

These vulnerabilities can be exploited by any software running on your computer. That includes the JavaScript running in your web browser, which makes remote exploitation trivial. We are not sure if these are being used in the wild yet. We can expect that they will be soon.

We strongly recommend everyone update their personal machines (desktops, laptops, mobile) as well. Be aware that some antivirus software on Windows has been blocking the Windows patches. [ZDNet]

If you are using Microsoft Windows Defender, Symantec Endpoint Protection, Kaspersky, ESET, AVAST, or F-Secure SAFE, this is not a problem.

However, McAfee Endpoint Protection, Trend Micro, Sophos Anti-Virus and Central, Cyren F-PROT, EMSI Anti-Malware, Bitdefender, Carbon Black, Cylance PROTECT, CrowdStrike Falcon, and Webroot do have this problem until they release a patch.

For more details, see this table (Google Docs).

If you want to know whether your Windows 10 machine has the Microsoft patch, check PC Settings > Update and Security > click on Update history, and look for KB4056892. If it is not there, let it install updates.
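The same check from a PowerShell prompt, together with a look at why an antivirus product can keep the patch from being offered. This is an added example, not part of the original notice; the registry key and value name are an assumption taken from Microsoft's antivirus-compatibility guidance for the January 2018 updates, not from this page, and the function names are hypothetical.

```powershell
# Added example: checks for the update named above and for the antivirus
# compatibility flag that gates it. Run on the Windows 10 machine itself.

$kb = 'KB4056892'   # the update this page names for Windows 10

# Assumption (not from this page): Windows Update offers the January 2018
# patch only after the antivirus product sets this registry value to 0.
$compatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-PatchInstalled {
    param([string]$Id)
    # Get-HotFix raises an error when the update is absent; suppress it
    # and turn the result into a plain true/false.
    $hit = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    return [bool]$hit
}

function Test-AvCompatFlag {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -Path $Key)) { return $false }
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    # The value name contains hyphens, so look it up by name rather than
    # with dotted property syntax.
    $prop = $props.PSObject.Properties[$Name]
    return ($null -ne $prop -and $prop.Value -eq 0)
}

$installed = Test-PatchInstalled -Id $kb
$flagSet   = Test-AvCompatFlag -Key $compatKey -Name $compatValue

if ($installed) {
    "$kb is installed."
} elseif ($flagSet) {
    "$kb is not installed, but the antivirus compatibility flag is set. Run Windows Update."
} else {
    "$kb is not installed and the antivirus compatibility flag is missing. Update the antivirus product first, then run Windows Update."
}
```

A later cumulative update that supersedes this one also carries the fix, so a missing KB entry on a machine that has since installed newer updates does not by itself mean the machine is unpatched.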

Updates
  • Jan 4 2018. There are already proof-of-concept JavaScript attacks. Browser vendors are releasing patches, so be sure to update the browsers on your personal devices, too. Chrome, IE11 and Firefox all have patches available.