- The design flaw has been in existence for the last decade and does not affect Bromium.
- Operating system vendors are the only ones who can remediate the vulnerability.
- The Microsoft patch – out today – requires Bromium customers to upgrade before patching Windows.
- Spectre or Meltdown cannot be directly used to steal information from an unpatched machine with Bromium because there is no sensitive information in the VM.
You may have already heard about the Intel CPU design flaw that is a breaking story in today’s news. According to The Register, this vulnerability has been in chips shipped over the last decade. Based on how Bromium works, this vulnerability does not affect Bromium. You are still protected from kernel exploits because of our application isolation.
Microsoft’s patch triggers need for Bromium upgrade.
Unfortunately, the only way to remediate the vulnerability is for Microsoft – and other operating system vendors – to deliver a patch. The Microsoft patch is out now, and Windows 10 will try to update automatically. If you’re a Bromium customer, we recommend pausing that update until your Bromium upgrade is complete. Because of how we work with the operating system, the Microsoft patch will require a Bromium upgrade to ensure our protection continues to work as expected.
“This change also affects all other software that makes system calls on Windows; some vendors will be aware of this, while some will not,” according to Simon Plant, Senior Director Product Management. “We are still analyzing the full impact of this change because this release by Microsoft is sooner than we thought.”
Reports are that there could be anywhere from a 5% to 30% performance hit on various applications and workloads that utilize the CPU because of the Microsoft patch. This has yet to be substantiated and you’ll likely see news reports that reveal test results as this story unfolds. “We are doing our own performance testing to understand the impact on our customers, but we don’t think this will have any impact on Bromium,” Plant adds.
Download the Bromium update, then patch Windows
You’ll need to upgrade Bromium to 4.0.4, then patch. Our upgrade isn’t available yet, but it will be shortly – we are working rapidly now that the patch has been released. If you are still using our legacy product, this is a very good excuse to upgrade to our most recent release: you’ll immediately realize better performance and a smoother user experience. If that isn’t possible, we will have a patch for Bromium Advanced Endpoint Security 3.2. Details are available on our Knowledge Base.
And as always, if you need help, please contact us.
The post Bromium Response: Intel CPU Design Flaw Creates Work for Everyone appeared first on Bromium.
*** This is a Security Bloggers Network syndicated blog from Bromium authored by Jennifer Carole. Read the original post at: http://blogs.bromium.com/bromium-response-intel-cpu-design-flaw/