Home
%3CLINGO-SUB%20id%3D%22lingo-sub-141968%22%20slang%3D%22en-US%22%3EUpdated%3A%20Meltdown%20and%20Spectre%20-%20new%20vulnerability%20in%20modern%20processors%20-%20the%20WDATP%20angle%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-141968%22%20slang%3D%22en-US%22%3E%3CP%3EOn%20Jan%203rd%2C%20a%20new%20serious%20vulnerability%20was%20made%20public%20that%20affects%20most%20computers%20out%20there.%20Details%20of%20it%20and%20what%20we%20can%20do%20is%20below%20in%20the%20context%20of%20the%20WDATP%20suite%20(both%20AV%20and%20EDR)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1730528342%22%20id%3D%22toc-hId-1764766698%22%3EWhat%20is%20the%20fuss%20all%20about%3F%20This%20one%20is%20big.%3C%2FH2%3E%0A%3CP%3EIn%20a%20nutshell%2C%26nbsp%3B%20Meltdown%20and%20Spectre%20exploit%20critical%20vulnerabilities%20in%20modern%20processors%20allowing%20an%20attacker%20running%20user-level%2C%20non%20admin%20code%2C%20to%20steal%20kernel%20memory%20data%20breaking%20the%20fundamental%20isolation%20of%20layered%20endpoint%20security.%20Simply%20put%2C%20if%20you%20have%20a%20host%20running%20multiple%20VMs%2C%20by%20running%20a%20non-admin%20code%20on%20the%20host%20machine%20you%20will%20potentially%20be%20able%20to%20see%20and%20harvest%20sensitive%20data%20belonging%20to%20apps%20running%20in%20the%20VMs.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20a%20good%20read%20on%20this%20go%20to%20this%20dedicated%20website%20-%20%3CA%20href%3D%22https%3A%2F%2Fspectreattack.com%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fspectreattack.com%2F%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--821628619%22%20id%3D%22toc-hId--787390263%22%3EWho%20is%20affected%3F%20Everyone.%3C%2FH2%3E%0A%3CP%3EDesktop%2C%20Laptop%2C%20and%20Cloud%20computers%20may%20be%20affected%2C%20smartphone.%20Essentially%20if%20you%20are%20running%20a%20modern%20CPU%20(not%20only%20Intel)%20you%20are%20at%20risk.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-921181716%22%20id%3D%22toc-hId-955420072%22%3EIf%20this%20is%20exploited%2C%20is%20it%20detectable%3F%20It%E2%80%99s%20tricky.%3C%2FH2%3E%0A%3CP%3EExploitation%20of%20this%20vulnerability%20is%20VERY%20hard%20to%20detect%20as%20it%20effectively%20exploits%20at%20the%20CPU%20level%20and%20therefore%20hard%20to%20be%20generically%20detected%20by%20AV%2FEDR%20solutions%20at%20large.%20That%20said%2C%20if%20an%20attacker%20is%20using%20this%20as%20part%20of%20campaign%20ATP%20is%20designed%20to%20detect%20across%20various%20stages%20prior%20to%20and%20after%20the%20exploitation.%20We%20continue%20to%20monitor%20activity%20around%20this%20exploit%20and%20will%20update%20our%20defenses%20accordingly.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1630975245%22%20id%3D%22toc-hId--1596736889%22%3EHow%20%3CSPAN%3Eto%3C%2FSPAN%3E%20%3CSPAN%3Eget%3C%2FSPAN%3E%20protected%3F%20Patch.%3C%2FH2%3E%0A%3CP%3EIt%20will%20be%20eventually%20a%20two%20step%20conditional%20operation%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EOS%20Patch%20for%20all%20machines%20from%20Microsoft%20per%20the%20MSRC%20advisory%20-%20%3CA%20href%3D%22https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-US%2Fsecurity-guidance%2Fadvisory%2FADV180002%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fportal.msrc.microsoft.com%2Fen-US%2Fsecurity-guidance%2Fadvisory%2FADV180002%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3ESome%20machines%20-%20Firmware%20patch%20from%20the%20CPU%20vendors%20for%20the%20microcode.%20Release%20is%20ongoing%2C%20check%20vendor%20sites%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CH2%20id%3D%22toc-hId-111835090%22%20id%3D%22toc-hId-146073446%22%3EHow%20WDATP%20can%20help%3F%20Security%20Analytics%20can%20help.%3C%2FH2%3E%0A%3CP%3E%3CSTRONG%3E%3CU%3E%231%20See%20if%20the%20patch%20was%20applied%20to%20all%20machines%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EOS%20updates%20will%20be%20delivered%20through%20Windows%20Update%20-%26nbsp%3B%20see%20if%20machines%20are%20patched%20with%20latest%20security%20updates%20and%20view%20unpatched%20machines%20under%20the%20%E2%80%9COS%20Security%20Update%E2%80%9D%20section%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20610px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F26411i280596D0BEE722C4%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22pic.jpg%22%20title%3D%22pic.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CU%3E%232%20(coming)%20which%20machines%20require%20the%20firmware%20patches%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EOnce%20OS%20patches%20will%20be%20applied%2C%20resulting%20instrumentation%20will%20enable%20us%20to%20collect%20information%20about%20processor%20versions.%26nbsp%3BAs%20CPU%20vendors%20release%20detailed%20patch%20information%2C%20we%20will%20work%20to%20further%20enhance%20Security%20Analytics%20dashboard%20to%20help%20identify%20those%20machines%20still%20requiring%20patching.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1854645425%22%20id%3D%22toc-hId-1888883781%22%3ECheck%20your%203rd%20party%20solutions%20first.%20Some%20might%20blue%20screen.%3C%2FH2%3E%0A%3CP%3ESince%20the%20mitigation%20to%20this%20problem%20involves%20changes%20at%20the%20OS%20kernel%2C%20there%20is%20a%20possible%20compatibility%20issue%20caused%20when%20anti-virus%20or%20other%203rd%20party%20security%20applications%20make%20unsupported%20calls%20into%20Windows%20kernel%20memory.%3C%2FP%3E%0A%3CP%3EThese%20calls%20may%20cause%20stop%20errors%20(also%20known%20as%20blue%20screen%20errors)%20that%20make%20the%20device%20unable%20to%20boot.%3C%2FP%3E%0A%3CP%3ETo%20help%20prevent%20stop%20errors%20caused%20by%20incompatible%20anti-virus%20applications%2C%20customers%20will%20not%20receive%20these%20security%20updates%20and%20will%20not%20be%20protected%20from%20security%20vulnerabilities%20unless%20their%20anti-virus%20software%20vendor%20sets%20a%20dedicated%20registry%20key.%3C%2FP%3E%0A%3CP%3ESee%20here%20for%20more%20details%20-%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4072699%2Fimportant-information-regarding-the-windows-security-updates-released%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4072699%2Fimportant-information-regarding-the-windows-security-updates-released%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%23ff0000%22%3E%3CSTRONG%3EUpdate%3C%2FSTRONG%3E%3C%2FFONT%3E%3A%20Some%20AVs%20are%20setting%20the%20registry%20key%20while%20others%20are%20providing%20KBs%20with%20instructions%20to%20their%20customers%20on%20how%20to%20mass%20update%20machines.%20Adding%20links%20to%20a%20table%20listing%20various%20AV%20vendors%20readiness%20status.%26nbsp%3Bnote%20this%20is%203%3CSUP%3Erd%3C%2FSUP%3E%20party%20info%20posted%20by%20a%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2FGossiTheDog%2Fstatus%2F948889660780175360%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20security%20influencer%3C%2FA%3E%2C%20so%20take%20it%20as%20%E2%80%9Cbest%20effort%E2%80%9D%20public%20information%20on%20the%20AV%20ecosystem.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.google.com%2Fspreadsheets%2Fd%2F184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ%2Fhtmlview%3Fusp%3Dsharing%26amp%3Bsle%3Dtrue%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.google.com%2Fspreadsheets%2Fd%2F184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ%2Fhtmlview%3Fusp%3Dsharing%26amp%3Bsle%3Dtrue%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--697511536%22%20id%3D%22toc-hId--663273180%22%3EWDATP%20and%20WDAV%3F%20Ready.%20protection%20is%20built%20in.%3C%2FH2%3E%0A%3CP%3EWDATP%20and%20WDAV%20are%20compatible%20with%20the%20security%20updates%20since%20they%20are%20built%20into%20the%20OS%20and%20therefore%20always%20certified%20with%20the%20updates.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3EEnsuring%20WDAV%20cloud%20protection%20is%20enabled%20will%20serve%20to%20expedite%20the%20automated%20patching.%3C%2FEM%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

On Jan 3rd, a new serious vulnerability was made public that affects most computers out there. Details of it and what we can do is below in the context of the WDATP suite (both AV and EDR)

 

What is the fuss all about? This one is big.

In a nutshell,  Meltdown and Spectre exploit critical vulnerabilities in modern processors allowing an attacker running user-level, non admin code, to steal kernel memory data breaking the fundamental isolation of layered endpoint security. Simply put, if you have a host running multiple VMs, by running a non-admin code on the host machine you will potentially be able to see and harvest sensitive data belonging to apps running in the VMs.

 

For a good read on this go to this dedicated website - https://spectreattack.com/ 

 

Who is affected? Everyone.

Desktop, Laptop, and Cloud computers may be affected, smartphone. Essentially if you are running a modern CPU (not only Intel) you are at risk. 

 

If this is exploited, is it detectable? It’s tricky.

Exploitation of this vulnerability is VERY hard to detect as it effectively exploits at the CPU level and therefore hard to be generically detected by AV/EDR solutions at large. That said, if an attacker is using this as part of campaign ATP is designed to detect across various stages prior to and after the exploitation. We continue to monitor activity around this exploit and will update our defenses accordingly. 

 

How to get protected? Patch.

It will be eventually a two step conditional operation

  1. OS Patch for all machines from Microsoft per the MSRC advisory - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
  2. Some machines - Firmware patch from the CPU vendors for the microcode. Release is ongoing, check vendor sites

How WDATP can help? Security Analytics can help.

#1 See if the patch was applied to all machines

OS updates will be delivered through Windows Update -  see if machines are patched with latest security updates and view unpatched machines under the “OS Security Update” section

 

 pic.jpg

 

#2 (coming) which machines require the firmware patches

Once OS patches will be applied, resulting instrumentation will enable us to collect information about processor versions. As CPU vendors release detailed patch information, we will work to further enhance Security Analytics dashboard to help identify those machines still requiring patching. 

 

Check your 3rd party solutions first. Some might blue screen.

Since the mitigation to this problem involves changes at the OS kernel, there is a possible compatibility issue caused when anti-virus or other 3rd party security applications make unsupported calls into Windows kernel memory.

These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot.

To help prevent stop errors caused by incompatible anti-virus applications, customers will not receive these security updates and will not be protected from security vulnerabilities unless their anti-virus software vendor sets a dedicated registry key.

See here for more details - https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-securit... 

 

Update: Some AVs are setting the registry key while others are providing KBs with instructions to their customers on how to mass update machines. Adding links to a table listing various AV vendors readiness status. note this is 3rd party info posted by a security influencer, so take it as “best effort” public information on the AV ecosystem.

https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sha...

 

WDATP and WDAV? Ready. protection is built in.

WDATP and WDAV are compatible with the security updates since they are built into the OS and therefore always certified with the updates. 

Ensuring WDAV cloud protection is enabled will serve to expedite the automated patching.