Intel has recently named Michael Mayberry as its new chief technology officer and senior VP. This leadership change, plus other management changes, is amid a time when nearly every day there’s a new alarming headline about the two security vulnerabilities, such as “Meltdown And Spectre Patching Has Been A Total Train Wreck,” “Intel’s Never-Ending Spectre Saga Continues to Be a Hot Mess,” and “OK, panic again: patching Spectre and Meltdown has been a disaster.” Both Intel and Apple are also now facing class action lawsuits over the Meltdown and Spectre bugs. And just this week, German antivirus testing firm AV-Test discovered 139 samples of malware that appear to be early attempts at exploiting the Meltdown and Spectre CPU bugs.
Glitches with the Meltdown-Spectre patches
As software and cloud service companies have rushed to push out updates and patches, there’s been conflicting information and opinions on whether it’s a good idea or not to install the patches. In January, Intel announced there were glitches in the patch. And Linux creator Linus Tovalds has been an outspoken critic of Intel’s patches for the Linux kernel, writing in a public message board, “The patches are COMPLETE AND UTTER GARBAGE. … They do things that do not make sense.”
A study by IT company Spiceworks found that while 70 percent of businesses surveyed had already begun patching for Meltdown and Spectre, these efforts were met with issues, like a performance drop, locked-up systems. and boot-up problems.
Okay, so, what’s a business to do?
Here are a few tips that TechRepublic has suggested.
1. Test patches on disposable systems
Test patches on non-critical servers before rolling them out to production. The test systems should be identical in every way to your production systems.
2. Have a quick recovery plan set up for your systems
Having a recovery plan in place will save you a lot of time, energy, and frustration.
3. Check for the latest patches and always use the most immediately available fixes
Check the vendor website consistently. “Companies currently working off the old microcode_ctl-1.17-25.2.el6_9:1.x86_64 microcode_ctl package initially released are in for a nasty surprise which is why it’s crucial to stay abreast of package changes,” TechRepublic wrote.
4. Learn about the patch ramifications
Read the vulnerability/patch advisories before you proceed. Consider what possible issues could occur, what the resolutions might be, and how to prepare in advance. “The more hype is involved with a vulnerability and the associated fix means the more caution you must employ when proceeding; these patches are often rapidly pushed out with less testing than may be advisable,” TechRepublic states.
5. Look for alternate solutions where necessary
TechRepublic notes that many problematic patches for such vulnerabilities don’t necessarily need to be applied. “You can employ a workaround by turning an unneeded process off, for instance, or disabling an unused setting. Follow vendor guidelines and determine your best course.”