17 Apr 2018
by Tim Heron
Discover what the new Microsoft security updates mean for the Apteco Marketing Suite.
You may have heard about some security vulnerabilities called 'Spectre' and 'Meltdown'. These are "speculative execution side-channel attacks" that affect many operating systems and modern processors, including processors from Intel and AMD.
These vulnerabilities are classified into three variants. Two of them can be mitigated with Operating System and BIOS updates, but one – Spectre Variant 1, CVE-2017-5753 "Bounds Check Bypass" – requires changes to application code so that it avoids relying on the vulnerable 'speculative execution' processor feature.
No Apteco Ltd code runs in the Windows Kernel. All code written by Apteco Ltd runs in User mode and our testing has not indicated any compatibility problems caused by the Operating System or BIOS security updates.
There are two components within the Apteco Marketing Suite that are potentially affected by Variant 1 of Spectre. Beginning with the 2018 Q1 release, we’re applying the appropriate compiler options to generate code that avoids the use of the vulnerable processor feature.
These two components are fs32svr.dll (the core query engine) and cascade.dll (which performs some of the processing work for Cascade). Full details of the mitigating compiler options we have applied are available here.
Enabling the compiler option to avoid the 'speculative execution' feature may have a minor performance impact on processing performed by these two components. However, the tests we have performed have not shown any measurable performance impact.
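To show what "Bounds Check Bypass" means at the code level, and why the fix has to happen in application code rather than in the OS or BIOS, here is an added example that is not part of this post or of any Apteco component. The page does not name the compiler option; the mechanism described in the comments is that of Microsoft's /Qspectre option, which inserts a serialising LFENCE after vulnerable bounds checks. The table contents, function names and the branch-free masking helper are constructed for this example (the helper follows the generic index-masking idea used by Linux's array_index_nospec).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: a small lookup table. In a Variant 1 scenario the
   memory after this table is what a mis-speculated out-of-bounds read touches. */
#define TABLE_LEN 16
static const uint8_t table[TABLE_LEN] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* The vulnerable shape: architecturally correct, but the processor may
   speculate past the bounds check and issue table[idx] for an idx >= TABLE_LEN
   before the check resolves. /Qspectre mitigates this shape by placing an
   LFENCE between the comparison and the dependent load. */
uint8_t lookup_unmasked(size_t idx) {
    if (idx < TABLE_LEN)       /* the branch speculation can run ahead of */
        return table[idx];     /* never out of bounds architecturally     */
    return 0;
}

/* Branch-free clamp: returns idx when idx < len, otherwise 0. Because no
   conditional branch is involved, the result holds even while the CPU is
   speculating. Valid for len <= SIZE_MAX / 2, which covers real table sizes.
   The cast to a signed type relies on the usual two's-complement wraparound
   and arithmetic right shift, which all mainstream compilers provide. */
static inline size_t index_nospec(size_t idx, size_t len) {
    size_t mask = (size_t)(~(long)(idx | (len - 1 - idx)) >> (sizeof(long) * 8 - 1));
    return idx & mask;
}

/* Hardened form: same architectural behaviour as lookup_unmasked, but a
   speculatively executed out-of-bounds index is forced to 0, so the only
   memory the speculative load can touch is table[0]. This does not depend on
   a compiler option and works alongside one. */
uint8_t lookup_masked(size_t idx) {
    if (idx < TABLE_LEN)
        return table[index_nospec(idx, TABLE_LEN)];
    return 0;
}

/* Self-check: both versions agree on every in-bounds and out-of-bounds input,
   so the hardening changes nothing the program can observe. */
int main(void) {
    size_t probes[] = { 0, 3, 15, 16, 100, SIZE_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        size_t idx = probes[i];
        printf("idx=%zu unmasked=%u masked=%u nospec_index=%zu\n",
               idx, lookup_unmasked(idx), lookup_masked(idx),
               index_nospec(idx, TABLE_LEN));
    }
    return 0;
}
```

The point for a deployment like the one described above is that the OS and BIOS updates cannot see this pattern inside fs32svr.dll or cascade.dll; only recompiling those components, or rewriting their index-handling as in lookup_masked, removes the window.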
Microsoft have also released specific security updates for SQL Server. FastStats Enterprise installs, especially PeopleStage installs, do rely on SQL Server. However, it’s impossible for us to predict what performance impact these updates might have on specific hardware and workloads. Microsoft themselves are still evaluating the performance impact of their changes.
We recommend following Microsoft's advice on whether to patch SQL Server or not.