Updates and the Road to Hell

FeaturesPCmag

Right now is the perfect storm of updates. In addition to the seemingly endless stream of operating system (OS) updates, there are updates for applications and now updates for your hardware. We've all become used to the monthly release of patches to Microsoft Windows to the point where we expect Patch Tuesday every month. But now there's more.

Continue Reading Below

Security researchers uncovered problems with Intel's Management Engine, which lives in its own little OS inside Intel processors. Then, researchers found serious problems with the way processors plan program execution, which led to vulnerabilities labeled Spectre and Meltdown. Meltdown affects security boundaries in processor caching while Spectre is involved with speculative execution and affects all processors, not just those from Intel. (For a full description, read Tom Brant's How to Protect Your Devices Against Meltdown, Spectre Bugs column.)

So, in addition to the usual updates to Windows and Linux and the less frequent updates to MacOS, we're now seeing updates to the processors that support them. In the fall of 2017, Intel provided updates to the Management Engine to PC makers, which then issued firmware patches. After that came patches to firmware and processor microcode to fix Meltdown on Intel processors, and to some extent Spectre on nearly every processor.

The Spectre and Meltdown patches are also showing up in OS software, so an important Windows Update was issued on January 3, out of the normal Patch Tuesday sequence. And, of course, there was still the regular Patch Tuesday.

To Update or Not to Update

All of a sudden, there are a lot of updates flying around. Do you just apply them as fast as they show up? The answer is: probably not. Intel is already addressing problems with some older processors that started rebooting once the patches were applied. Now there are reports that some industrial control systems are malfunctioning as a result of the patches.

Clearly, you should think twice about simply applying patches as they show up. But you also have to worry about the consequences if you don't. How to decide?

The consequences of choosing not to perform an update are known. Eventually, an unpatched vulnerability will open your systems to one of many exploits and that will cause data loss and all of the bad things that follow. But there are consequences that arise from choosing to patch as well. In addition to the issues related to Intel's fixes, there are times when updates to your OSes can cause problems. You need to consider those.

For example, it's possible that locally written or some custom apps might not work properly after applying a patch to Windows. This is very rare these days but the possibility exists. If you have such an app, then you must test the update before you apply it to all of your systems.

Problems are more likely when the update is a major one, such as when many computer systems were updated from Windows 7 to Windows 10. Then, despite the fact that commercial software should handle the transition, it's still important to test by making the change on a few computers before going all the way.

Under normal circumstances, when you're dealing with office computers running office apps, there's little reason not to let the update happen as soon as the workload of the person using it permits. There's little risk from the update and the risk from users doing something they shouldn't is quite high.

Special Considerations With Servers

Computers used as servers are a different problem. There the risk from users is somewhat lower but the risks that may come from an update with problems are higher. In addition, there's the cost of downtime if the server is essential to your business. In such a case, the process of applying the update needs to be considered carefully.

Perhaps the best way to update servers is one at a time, starting with a spare. You update a spare server and test that. When you're confident it's running as it should, then swap out a server with the updated one. Hang on to the old one for a while just in case the update doesn't play well with the rest of the network and then update it. Depending on how many servers you have, you may do this one at a time or you may automate it using your patch management software.

What's key is that you don't simply put off doing your updates forever. Many of the data breaches that succeeded in 2017 and earlier were possible because the hackers used exploits that depended on unpatched vulnerabilities that have had updates and patches available for months or years but which were never applied. The ready availability of exploits developed by the intelligence community--and since leaked--makes the risks of not patching even greater.

If you divide up the decision making, it becomes easier. First, patch immediately those systems where the risk of patching is low and the risk of not patching is highest, which includes your office machines and any public-facing computers. Next, apply patches and updates to systems where you can afford a short period of downtime, such as servers that can go offline overnight.

Finally, consider the patch-and-replace approach to the rest of your systems where you have more time to test and downtime is minimized. Again, give systems you swap out time to make sure they play well on the network.

But whatever you do, don't fail to apply critical patches. Schedule them to work with your requirements but don't simply put them off. You don't want to be the next company to hit the front pages because of an attack.

Continue Reading Below