Security & Compliance Blog

To Patch or Not to Patch: The Latest on Fighting the Spectre and Meltdown Vulnerabilities

Antonio Vargas

A few months ago, we wrote about the Spectre and Meltdown vulnerabilities discovered in Intel processors and how to address them: primarily, by deploying software patches. But recently, the plot thickened. Microsoft’s Meltdown patch actually made the original vulnerability worse, creating the new “Total Meltdown” vulnerability that puts its predecessor to shame.

While the original Meltdown vulnerability allowed kernel memory to be read at around 120 KB/s and was read-only, Total Meltdown allows complete system memory to be read at gigabytes per second and gives hackers complete write access. The vulnerability stems from a programming oversight that affects Windows 7 and Windows Server 2008 R2.

This isn’t the first or only issue with patches intended to mitigate Spectre and Meltdown (see here and here), but it is one of the most dramatic. It also puts IT departments between the proverbial rock and a hard place. What should you do when you need to fix a security vulnerability but the patch impacts performance or, worse still, aggravates the vulnerability? How do you know whether to patch, and where, when, and how?

These aren’t easy questions and the answers aren’t cut and dried. It is, however, a critical issue to address. These “side channel” attacks are a new vector for hackers, so they aren’t as well understood by security specialists, yet their prevalence is quickly growing. You need a strategy to ensure that your fix helps, instead of hurts, your business.

3 steps to mitigating security vulnerabilities

While there is no foolproof path to protecting your company against security vulnerabilities, there are steps you can take to prevent attacks before they occur and quickly address them when they happen—because let’s face it: it’s not an “if,” it’s a “when.”

  1. Be as informed as possible. You need to know what you have in order to make smart decisions about how to protect it. This starts with a holistic view of all your systems and assets, from the data center to the cloud, but doesn’t stop there. Your insight should be both complete and contextual so you know which machines are most critical and how to prioritize your efforts based on business impact. It’s important to understand how they work together as well, since relationships between assets play a big role in their security status.
  2. Be ready to take informed action. Once you know where you’re vulnerable and which vulnerabilities take top priority, you need to be ready to act. That means an integrated approach to discovery and patching, in which you can easily deploy or remove patches based on your understanding of your environment from all angles.
  3. Upgrade. Vulnerabilities are often worse for older systems, like Total Meltdown’s attack on Windows 7 and Windows Server 2008 R2. Upgrading to newer versions not only brings performance enhancements, but also additional security protection. This is part and parcel of steps 1 and 2. When you have deep, real-time knowledge of what you have and how it all works together, plus the ability to act on that knowledge, upgrading becomes a regular part of business as usual and not a special event.

How BMC can help

BMC offers multiple paths to the knowledge you need to stay secure.

  • BMC Helix Discovery addresses security challenges with a complete view of your environment, including data center servers, cloud services, network, storage, and the mainframe. It streamlines data inventory, provides deep business service awareness, and acts as a single point of reference for understanding resources across your infrastructure to help you prioritize actions.
  • BMC Helix Client Management, like BMC Helix Discovery, provides robust, automated inventory management. It also integrates endpoint management with your service desk or CMDB, and enables you to maintain current patches and deploy new ones, which is critical to step 2 listed above. With BMC Helix Client Management, you can assess, manage, deploy, and report on patches so you can reduce patch time by 30%—and ensure your systems remain safe and secure.
  • BMC SecOps Response Service helps you understand and prioritize risks and reduce your overall attack surface by providing operations teams with prescriptive and actionable data to address vulnerabilities based on perceived impact. Through integration with BMC Helix Discovery, security and operations teams can identify blind spots—systems previously unknown or unmanaged—and make adjustments. Through integration with BladeLogic Server Automation or Microsoft System Center Configuration Manager, you can trigger remediation actions like patching.
  • BladeLogic Server Automation helps server administrators manage the full server life cycle including provisioning, configuration, compliance, software deployments, and patching. It works across multiple server platforms to address vulnerabilities in a consistent manner. It’s also integrated with BMC SecOps Response Service and operationally aware so that patching can be targeted to maintenance windows that match business requirements.

For more information, check out our BladeLogic Server Automation, BMC Helix Client Management, and BMC SecOps Response Service web pages, or contact a BMC representative.


These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.


About the author

Antonio Vargas

Antonio Vargas is a Principal Product Manager for BMC Helix Discovery. In this role, Antonio is responsible for gathering requirements and feedback from customers, sales, engineering, support, and R&D to shape future releases of BMC Helix Discovery. Antonio joined in January 2016 and was previously a customer of BMC Software. He has a wealth of experience with BMC Helix Discovery, having deployed 600+ App Models and consistently discovered 95+% of infrastructure (servers, network devices, etc.) for his previous company. He is also a subject matter expert in the BMC Atrium CMDB, with 28 service models configured and integrated with monitoring, SIEM, analytics, DevOps, asset management, and portfolio management solutions.