Meltdown and Spectre – Important Masstech Update on potential cyber-security breaches
On January 3rd several groups of international IT security researchers simultaneously disclosed two types of security vulnerabilities which apply to nearly all server hardware and operating systems deployed since 1995. This includes all servers on which Masstech’s MassStore and FlashNet applications are known to run.
The vulnerabilities have been named Meltdown and Spectre (M&S) and have been given the designations CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754 by the US National Cybersecurity FFRDC. We encourage you to learn more at this link.
In fact, M&S affect not just the machines used in broadcast environments, but effectively all servers (including those running Windows, Linux and macOS), desktops, laptops, tablets (iOS and Android), smartphones and much of the Internet of Things. As much pain as M&S will cause Broadcasters, the larger IT industry will experience exponentially larger amounts of concern and pain. This should drive attempts to mitigate and solve the M&S problem much more effectively and with greater speed than were this an issue that affected only Broadcasters.
No exploits are yet known to exist in the wild. In order to exploit M&S, arbitrary software must be installed on vulnerable machines. If your servers are presently protected from installation of arbitrary/unauthorized software (either through isolation or the use of anti-virus software) they are not at immediate risk of an exploit.
OS patches from Microsoft and others were made available last week, coincident with the disclosure of M&S. These patches are said to mitigate rather than completely eliminate the threat, and when applied, come at the expense of some amount of processing speed. Because we know our customers will want to make a decision to install the Windows OS patch from Microsoft as soon as possible, our efforts at Masstech are focused now on quantifying any performance degradations the patch might force on Masstech products. Thus far, we have observed no catastrophic effects. We will share more information with you as soon as we have developed a clear view.
We’ve received a number of questions from customers already, which we’ve tried to answer directly and with the best information we have at this time:
What are Masstech’s plans to patch for the Meltdown and Spectre vulnerabilities?
M&S expose vulnerabilities in CPU hardware architecture through exploits in the operating system. In order to take advantage of these exploits, an application containing malicious code must be installed and run on a system. When that happens, malicious code exploiting M&S may be able to read the contents of shared and kernel memory. However, neither of these exploits has been described as having the direct ability to write or make changes to memory.
Our understanding of the problem so far indicates that only the chip and OS manufacturers have the ability to mitigate or fix the issue by providing patches.
It is our customers’ responsibility to apply (or not apply) OS patches to servers on which Masstech’s MassStore and FlashNet applications are run. Masstech can provide advice, but the application of OS patches is ultimately the customer’s responsibility.
We understand Intel has been working with Microsoft for some months on Windows Server patches that were made available last week. Given the nature of the problem and possible impact on performance of any/all applications running on Windows Server platforms, we would not be surprised to see some number of additional iterative releases from Microsoft to improve M&S mitigation and reduce the possible impact on performance of any/all applications.
At this time, Masstech does not plan any changes to the MassStore or FlashNet applications. We expect customers to eventually apply the Microsoft patch that was developed in conjunction with Intel.
That said, as we learn more and examine the performance and behavior of patched systems in more depth, if we spot an opportunity to improve performance or mitigation after the patch, we will fully explore all possibilities.
What is the potential impact on the performance of Masstech products associated with an OS patch?
Though we have seen no obvious or catastrophic impact on systems to which the Microsoft patches have already been applied, neither have we had time to carefully measure any potential negative impact on our software’s performance.
MassStore and FlashNet are both CPU- and IO-intensive and, because of this, fall into both categories of applications that have been described as being the most at risk of performance degradation. Thus, we consider both MassStore and FlashNet to be at some degree of risk of performance degradation when the Microsoft patches are applied.
After we are able to carefully measure pre- and post-patch performance, we will share our results with you.
M&S patches are available now from Microsoft. What is Masstech’s recommendation for applying them?
It is our understanding that systems are not at immediate risk of the M&S exploits unless arbitrary applications containing malicious code are loaded and run on vulnerable systems. Most Masstech systems are locked down to a greater rather than lesser degree, and live within highly protected networks. Masstech systems are also generally protected by customer-provided anti-virus software. We assume this is the case at your sites.
If you are confident that unauthorized software will not be installed on the MassStore or FlashNet systems at your sites, we recommend you avoid immediate deployment of the Microsoft patches.
Masstech will continue pre- and post-patch performance testing in our labs and will share our results with you as soon as we have them. At that time you should be in a position to determine for yourself whether any degradation in MassStore or FlashNet performance might outweigh any possible security risks.
If you believe M&S present a clear and present danger to your business, we recommend you treat MassStore or FlashNet servers as you would any other standard Microsoft Server and apply the patch at your discretion, though we cannot yet predict or guarantee performance of the Masstech applications.