The announcement of these vulnerabilities created quite the ruckus, but I've seen many organizations do nothing to directly mitigate them (given the risk of performance impacts) and instead rely on their existing security controls.
On my personal laptop, I applied the Windows updates and updated the BIOS, ensuring that the system was secure via the SpeculationControl module for MS PowerShell. (My AV had no objection to all this.)
It came at the price of performance: while I could initially run a VM and also have a movie playing on the host, there's now a noticeable lag.
I also secured Google Chrome using Site Isolation, and though this may have slowed things down, it was shadowed by the impact of the Windows and BIOS updates.
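The check the poster above describes, written out as an added example (this is not code from the thread or from Microsoft; it only calls the public `Get-SpeculationControlSettings` cmdlet from Microsoft's SpeculationControl module and reads the documented `FeatureSettingsOverride` registry values). It assumes Windows 10 / Server 2016 or later, PowerShell 5.1, an elevated prompt, and internet access for `Install-Module` on first run. The Chrome Site Isolation policy check at the end assumes the machine-wide `SitePerProcess` policy key; if you enabled Site Isolation through `chrome://flags` instead, that key will simply be absent.

```powershell
#Requires -RunAsAdministrator
# Added example: report Spectre v2 / Meltdown mitigation state on one Windows host,
# show which registry override (if any) is driving it, and check Chrome Site Isolation.

if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    # Microsoft-published module from the PowerShell Gallery
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl

$s = Get-SpeculationControlSettings

# Branch target injection (Spectre variant 2): needs BOTH OEM microcode (BIOS/UEFI)
# and the OS update, and the OS support must actually be enabled.
$bti = [pscustomobject]@{
    Mitigation      = 'Branch target injection (Spectre v2)'
    HardwareSupport = $s.BTIHardwarePresent
    OsSupport       = $s.BTIWindowsSupportPresent
    Enabled         = $s.BTIWindowsSupportEnabled
}

# Kernel VA shadowing (Meltdown): only required on affected CPUs; this is the
# mitigation that carries most of the syscall / I/O performance cost people report.
$kva = [pscustomobject]@{
    Mitigation = 'Kernel VA shadow (Meltdown)'
    Required   = $s.KVAShadowRequired
    OsSupport  = $s.KVAShadowWindowsSupportPresent
    Enabled    = $s.KVAShadowWindowsSupportEnabled
}

$bti, $kva | Format-List

# The OS-level switch behind "we rolled it back": documented values are
#   FeatureSettingsOverride = 0, FeatureSettingsOverrideMask = 3  -> both mitigations ON
#   FeatureSettingsOverride = 3, FeatureSettingsOverrideMask = 3  -> both mitigations OFF
# Client SKUs default to ON with no key present; server SKUs needed the key to turn it ON.
$mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$mm    = Get-ItemProperty -Path $mmKey
if ($null -eq $mm.FeatureSettingsOverride) {
    'FeatureSettingsOverride not set: OS default applies (client ON, server OFF).'
} else {
    "FeatureSettingsOverride = $($mm.FeatureSettingsOverride), Mask = $($mm.FeatureSettingsOverrideMask)"
}

# What is still missing on this host
if (-not $s.BTIHardwarePresent) {
    Write-Warning 'No microcode support reported: apply the OEM BIOS/UEFI update.'
}
if ($s.BTIWindowsSupportPresent -and -not $s.BTIWindowsSupportEnabled) {
    Write-Warning 'OS has BTI support but it is disabled; check FeatureSettingsOverride.'
}
if ($s.KVAShadowRequired -and -not $s.KVAShadowWindowsSupportEnabled) {
    Write-Warning 'CPU needs kernel VA shadowing but it is not enabled.'
}

# Chrome Site Isolation enforced by policy (assumed location: machine-wide Chrome policy key)
$chromeKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$site = (Get-ItemProperty -Path $chromeKey -ErrorAction SilentlyContinue).SitePerProcess
if ($site -eq 1) {
    'Chrome Site Isolation: enforced by SitePerProcess policy.'
} else {
    'Chrome Site Isolation: no SitePerProcess policy (may still be on via chrome://flags).'
}
```

Run it once before and once after the BIOS update: `BTIHardwarePresent` is the value that flips only when the microcode lands, which is why an OS patch alone leaves Spectre v2 unmitigated on most hosts.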
The effects of these controls on operations in corporate environments could be devastating, so they'd prefer to 'leave well enough alone.'
If the danger of doing nothing in your environment is greater than the issue of performance degradation, then you should consider carefully applying the needed patches only to those systems on which they are needed.
I know a few organizations that applied the patches to servers and suffered catastrophic performance hits which required some of them to perform full restores. I am talking about a 30 to 50 percent degradation.
Taking everything under consideration, as well as the latest statements from Intel, we have decided not to install updates at this point, and have enhanced as much as possible our "eyes on" those systems which are most at risk.
Neither servers, workstations nor laptops will be upgraded.
Regarding browsers such as Chrome, all our users browse through a proxy system, whether they are in or out of the corporate sites, which limits what they can and can't do, and we utilize file whitening and sandboxing, so we are less concerned.
We have been rolling out the non-revoked patches based on expected load impact (file servers seem to suffer most).
We have had so far only minimal impact on the load and have also not received any negative feedback from our users.
We are also actively working on implementing the recommendations from Google and Microsoft to our SSDL so that we are also mitigating threats in regards to speculative attacks here.
Also, in regards to performance impact, I would not set a VM as the gold standard, as they are affected twice on an application like VirtualBox or VMware Workstation/Fusion.
I have not seen a pattern that could detect generic attacks, so mitigating here might work on a policy level but not practically.
I think the bigger discussion may be why some companies were notified much later than others and this in part now contributes to issues with patches not working, being delayed and having to be rolled back.
While this was in general a significant issue in terms of vulnerability, I do not think the situation was helped by delaying information of this issue. In general, as a consultant I was in the strange position to have to inform clients - it is bad, but you cannot do anything just now because applying the patches may really hurt you more than just waiting it out. Clients felt really uncertain and for many it was the first time that a public disclosure came without a remedy being available.
I have heard from colleagues that the performance impact is no laughing matter and rollbacks were made.
So far, the only impact we've seen has been with our Cloud solutions. We are patching our internal systems, but we have not seen any attempts due to our various security postures, such as all external to internal access requires multi-factor authentication.
We did not experience any significant performance impact during testing, so we went ahead and patched internal server and client systems. So far, we've only seen a small increase in resource utilization, which is far from being an issue for us.
It might have been new to some, but it also means that there is no working rollout strategy for emergency patches and testing of them in place, nor risk management.
These are decisions that happen on almost daily basis in our environment.
The fact that the vulnerability was underestimated by large chip vendors makes me shiver in regards to future findings in these areas. It seems they are not prepared for security issues in their architectures, nor for mitigating them in time.
To my knowledge the directly affected vendors were informed 6 months ahead. Some companies like Google and AWS seem to have done their homework; some have not.
Good insight from everyone on this.
I think, though, that we should not at all be surprised by the fact that shared information, especially from major suppliers where such sharing could harm them, is not something we should look forward to or even expect.
Large corporations consider themselves first. We see this constantly and on every level in every country.
Sadly, most governments are the ones who help this happen because of the direct connection between them and the lobbies.
Therefore it is we who should share information amongst each other.
It's faster and it gets around faster.
Actually, everyone's feedback catered to half of my question: there's been no mention of a personal impact.
In a corporate environment, if you aren't in top management, you might just have to provide a risk analysis report, and the let those at the top 'flip a coin.'
On a personal system, the choice is yours. In my case, I did the needful (OS and BIOS updates on my laptop), since I could afford the risk. (Yes, there was a performance drop.)
So, did the rest of you guys attempt the fixes on personal systems, and if yes, what were the results?
I did not recognize any significant impact on my system but to be fair, it hardly runs on high loads and I did not run any performance monitoring to compare.
Nevertheless I did the updates as soon as they were available as on my private computer I do not have the same security perimeter as in my company and have a way higher internet exposure.