Meltdown/Spectre – A tale of two vendors
The new year erupted with a lot of activity because of Microsoft’s patches to deal with the Meltdown and Spectre vulnerabilities. Due to concerns about incompatibilities with AVs, Microsoft will release these patches to only those devices which have a specific registry key set.
A superficially conservative move, this is going to leave millions of endpoints exposed for a longer window of time than the macs, primarily because Apple pushed changes to all devices as part of their recent High Sierra release.
High Sierra was a very difficult release for SentinelOne to support – but we were able to support it as soon as it was released. Apple made many late-breaking changes (even in their last beta release) that forced us to re-architect and re-design many components of our agent. Compounding the issue, they made more changes in their service pack (10.13.2) to protect against Meltdown and Spectre.
All these changes meant that SentinelOne customers had to update to our agent version 184.108.40.2068 before upgrading to High Sierra.
Please note: If you upgraded to High Sierra with an older version, your only recourse was to uninstall the agent and do a fresh reinstall of our agent. We suspect many other AVs were faced with similar limitations when dealing with High Sierra.
In breaking existing security products and forcing every vendor through a redesign, Apple succeeded in making sure that High Sierra was protected and secure as soon as it was released.
Microsoft has taken a different approach, by transferring the responsibility of setting the registry key to the AV vendor. While our testing revealed no incompatibilities, we are unwilling to take on the risk of setting this registry key.
This is because our customers may have other software products that use unsupported/undocumented APIs that are incompatible with Microsoft’s latest patches. In such a case, our customers may experience stop errors/system instabilities caused by other products that are not compatible with Microsoft fixes.
This is why we’re giving our customers the choice of whether to set the registry key, instead of forcing a solution on them that presents the risk of a real meltdown. While some vendors in the market are taking the approach of checking for incompatible software, we do not believe that this approach can be done in a comprehensive manner.
Because of this, we are strongly recommending that our customers test the patch with our agent and their full stack of software applications before setting the registry key.
Given the diversity and large number of windows applications used in the Enterprise, we suspect that such testing is going to take a few days/weeks for our larger customers. While this process would leave the Spectre and Meltdown vulnerabilities exposed for exploitation by attackers – the alternative to forcing the registry key on customers risks a system wide meltdown if other software products are not compatible.
We believe the best approach for customers and all enterprises is to continue to embrace best security practices and diligence to prevent attackers a foothold, while making an organizational commitment to the testing and patching process.
The vulnerabilities and the patching process have left customers and vendors in a Catch-22 – security is often scary and complex. But we believe this approach gives customers the best opportunity for maintaining operations while securing their organization.
Reversing Malware on macOS
Endpoint Protection Platform Free Demo