This year started off with a bang with news coming out that major security flaws have been identified in many modern processors and operating systems including Intel, AMD, and ARM. The issue is so widespread that it is said to impact nearly all CPUs released since 1995, as outlined by Google’s Project Zero team. This begs the question, how do the Meltdown and Spectre vulnerabilities affect you and your Microsoft Dynamics environment?
To start, we have to know what’s at risk. Meltdown and Spectre is more than just a title of a future blockbuster action-thriller. In short, exploiting Meltdown allows someone to view data owned by other users, including other servers hosted on the same hardware, which implicates everyone running on Microsoft Azure. But don’t worry, some good news is ahead. Spectre, while a lesser problem in the short-term in comparison to its companion, is expected to be a longer-term concern. It’s both harder to exploit and mitigate and would allow someone to steal your username and password information.
For a deeper dive into understanding how the Meltdown and Spectre vulnerabilities work, Josh Fruhlinger from CSO provides as clear an explanation as there is. Onto the patches!
Patches and Fixes
AZURE AND SQL SERVER
When it comes to Azure, there is nothing to worry about. Microsoft updated much of the Azure infrastructure by the time the news broke out and automatically rebooted the remaining impacted VMs shortly thereafter. This means that other customers running on Azure can’t attack your application using these vulnerabilities. However, all is not done.
Not everyone is under the same scenario when it comes to SQL Server, so Microsoft has outlined each potential scenario with a given recommendation below. Visit this link to review your recommendations and find links to available SQL patches.
Any devices from desktops and laptops to smartphones and tablets will also need their hardware and software updated. The easiest and quickest thing you can do is turn on automatic updates. While your operating system should have been updated by now, as mentioned earlier, this is by no means a short-term issue so protect yourself with future updates. Also, you will need to install all available firmware updates from your device manufacturer. If you need any guidance, you can find a list of device manufacturers and their links, as well as Windows OS updates, here.
Note: Some third-party antivirus softwares are incompatible with some of the recent Microsoft updates, which may be why you have yet to receive any updates. If that’s the case, check for a status update with your antivirus provider. In this situation, the current industry recommendations are to wait for an update from your antivirus provider rather than switching given that Microsoft is working with them to address the issues and no recorded attack via these vulnerabilities has yet occurred.
Finally, we get to the big question, how will it impact your Microsoft Dynamics environment? Unfortunately, Windows Server updates, especially in an IO-intensive application such as Dynamics NAV, can have a significant performance impact. It varies, but people have been reporting performance impacts anywhere from 5% to 40%.
The reason behind the performance impact has to do with one of the vulnerabilities being addressed: speculative execution. Simply put, it’s the action of a chip computing functions in advance of them being used so that it has a head start for when they actually are used. Like a marathon runner getting a head start, you can expect a faster finish. With recent patches however, the runner is no longer given a head start.
As Terry Myerson, Executive Vice President, Windows and Devices Group, explains, “you want to be careful to evaluate the risk… and balance the security versus performance tradeoff for your environment.” In more than 99% of cases, the consequences of losing usernames, passwords, or other information outweighs the consequences of a slower system for the time being. Nonetheless, should you decide to disable these patches, guidance can be found in the previous link provided. Just remember, it’s always safe to err on the side of caution, especially with such sensitive information.
Microsoft and others in the industry continue to work towards addressing Meltdown and Spectre. Reality is the vulnerabilities, while patched, aren’t fixed. Meltdown and Spectre are taking advantage of typical and expected processor operations, so until those are changed, we’re in for a long ride. So, what can you do?
For most organizations, it’s as simple as ensuring your automatic updates are turned on and apply patches as you normally would. If you have a noticeable performance impact as a result of these patches, you can try working internally or with your partner to identify potential solutions in changing your process. Perhaps some tasks can be started earlier in order make up for the added time needed. Another avenue may be upgrading your Azure environment size to support the performance loss from the patches, if the situation calls for it. Although it may seem like it, the sky is not falling.