RSL Computer Solutions, LLC

Microsoft Releases Emergency Updates to Fix Meltdown and Spectre CPU Flaws

January 6, 2018 by Richard Langford

By Catalin Cimpanu, January 4, 2018, 06:17 AM

Late last night, Microsoft issued out-of-band updates that address Meltdown and Spectre, two security flaws said to be affecting almost all CPUs released since 1995.

The Redmond-based OS maker was not planning on releasing the updates until next week, on Patch Tuesday, but was forced to roll out fixes after Google went public with details about the two vulnerabilities.

According to Microsoft security advisories [1, 2], these are the Windows security updates that address the Meltdown and Spectre flaws for various Windows distributions.

| Operating System Version | Update KB |
|---|---|
| Windows Server, version 1709 (Server Core Installation) | 4056892 |
| Windows Server 2016 | 4056890 |
| Windows Server 2012 R2 | 4056898 |
| Windows Server 2012 | Not available |
| Windows Server 2008 R2 | 4056897 |
| Windows Server 2008 | Not available |
| Windows 10 (RTM, 1511, 1607, 1703, 1709), Windows 8.1, Windows 7 SP1 | ADV180002 (Multiple KBs, it’s complicated) |

The Microsoft updates are not all-out fixes. Some Windows PCs may require additional CPU firmware updates to mitigate Spectre attacks, but the Microsoft updates appear to fully address the Meltdown flaw.

Problems with some anti-virus software may lead to BSODs

But Microsoft also warns that the Meltdown and Spectre security fixes are incompatible with some anti-virus products.

“During our testing process, we uncovered that some third-party applications have been making unsupported calls into Windows kernel memory that cause stop errors (also known as bluescreen errors) to occur,” Microsoft said in a compatibility note for yesterday’s security fixes.

“These calls may cause stop errors […] that make the device unable to boot. To help prevent stop errors caused by incompatible anti-virus applications, Microsoft is only offering the Windows security updates released on January 3, 2018 to devices running anti-virus software from partners who have confirmed their software is compatible with the January 2018 Windows operating system security update.”

“If you have not been offered the security update, you may be running incompatible anti-virus software and you should follow up with your software vendor,” Microsoft said.

In other words, users who rely on a third-party anti-virus product should first check whether the vendor has updated that product to support the Microsoft patches.

There have been no reports of malicious groups using either Meltdown or Spectre in real-world attacks, so Microsoft is also recommending that users give anti-virus vendors more time to update their products.

Microsoft says that when anti-virus vendors update their product to support the Meltdown and Spectre patches, they’ve been instructed to create a custom registry key on the OS, which will allow Windows to download and receive the proper security fixes (if the user also agrees to it).

Users who aren’t willing to search their antivirus product’s homepage for this information can look for the following registry key on their systems. If it is present, the antivirus product has already been updated to support the Meltdown and Spectre patches.

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD"
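
One way to run the check described above from PowerShell, as an added example that is not part of the original article: it looks for the compatibility value under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat` and for the server KBs from the table earlier in the article. The function names and the status wording are illustrative.

```powershell
# Added example (not from the original article): reports whether this machine
# carries the antivirus compatibility flag and any of the KBs the article lists.

# Registry location and value name as given in the article.
$CompatPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$CompatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

# Server KB numbers from the article's table. Client editions are covered by
# ADV180002, which maps to several KBs that the article does not enumerate.
$ListedKbs = 'KB4056892', 'KB4056890', 'KB4056898', 'KB4056897'

function Test-AvCompatFlag {
    # True only if the value exists and has the REG_DWORD type the article names.
    $key = Get-Item -Path $CompatPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $false }
    if ($key.GetValueNames() -notcontains $CompatValue) { return $false }
    return ($key.GetValueKind($CompatValue) -eq [Microsoft.Win32.RegistryValueKind]::DWord)
}

function Get-ListedKbInstalled {
    # Get-HotFix reports installed updates by HotFixID (for example 'KB4056892').
    Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $ListedKbs -contains $_.HotFixID } |
        ForEach-Object { $_.HotFixID }
}

$flagSet = Test-AvCompatFlag
$found   = @(Get-ListedKbInstalled)

# Summarise the state in the order an administrator would act on it.
$status = if ($found.Count -gt 0) {
    'A listed January 2018 update is installed'
} elseif ($flagSet) {
    'Compatibility flag present; Windows Update can offer the fix'
} else {
    'Compatibility flag missing; check with the antivirus vendor'
}

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    AvCompatFlag  = $flagSet
    ListedKbFound = ($found -join ', ')
    Status        = $status
}
```

A machine that has since installed a later cumulative update may not list these exact KB numbers, so an empty `ListedKbFound` on its own does not prove the fix is absent.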

A security researcher is currently keeping a Google Docs spreadsheet with the status of Meltdown and Spectre patches on various anti-virus engines. At the time of writing, only Microsoft, ESET, and Kaspersky AV engines support the patches, with others set to receive updates starting tomorrow.

Other vendors have also issued patches. You can find a full list here.

Meltdown and Spectre Vulnerability Advisories, Patches, Updates

January 6, 2018 by Richard Langford

List of Meltdown and Spectre Vulnerability Advisories, Patches, & Updates

By Lawrence Abrams, January 3, 2018, 09:52 PM

Two new vulnerabilities called Meltdown and Spectre, or speculative execution side-channel vulnerabilities, have been discovered in modern processors that allow malicious programs to steal information from the memory of other programs. This means that the malicious program can steal passwords, account information, encryption keys, or theoretically anything stored in the memory of a process.

Vendors have started to release information on how customers can protect themselves from Spectre or Meltdown and the status of their services. To make it easier to find this information, I will be adding links to various advisories as they are released. The related CVEs are CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754.

It is important to note, though, that a software update will not be able to completely resolve these vulnerabilities. It is also important to make sure you have the latest BIOS/firmware updates for your laptop or computer installed as well.

For those who want to monitor these updates, I suggest you check this page throughout the coming days to see if new information is available.

For more detailed information about the Spectre and Meltdown vulnerabilities, you can read our coverage in the articles below:

  • How to Check and Update Windows Systems for the Meltdown and Spectre CPU Flaws
  • Mozilla Confirms Web-Based Execution Vector for Meltdown and Spectre Attacks
  • Microsoft Releases Emergency Updates to Fix Meltdown and Spectre CPU Flaws
  • Google: Almost All CPUs Since 1995 Vulnerable To “Meltdown” And “Spectre” Flaws
  • Intel Denies Reports of Huge Performance Dip Due to Patches for CPU Security Bug
  • OS Makers Preparing Patches for Secret Intel CPU Security Bug

It is also strongly recommended that you read the security advisory by Google as it contains a very detailed description of these vulnerabilities.

If you are a vendor with an advisory or notice, please contact us to have your information added.

Last Updated: 01/05/18 16:52 EST

Official Advisories, Notices, Patches, or Updates:

Amazon

Amazon has released a security bulletin that provides information on how Amazon AWS services are affected by Meltdown and Spectre. In summary, this bulletin states:

This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices. All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours, with associated instance maintenance notifications.

While the updates AWS performs protect underlying infrastructure, in order to be fully protected against these issues, customers must also patch their instance operating systems. Updates for Amazon Linux have been made available, and instructions for updating existing instances are provided further below along with any other AWS-related guidance relevant to this bulletin.

You can read the full security bulletin here: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

AMD

AMD has now released an official advisory where they essentially say that their CPUs are not vulnerable to the speculative execution vulnerabilities. Below is the table from this press release:

| Variant | Google Project Zero (GPZ) Research Title | Details |
|---|---|---|
| Variant One | Bounds Check Bypass | Resolved by software / OS updates to be made available by system vendors and manufacturers. Negligible performance impact expected. |
| Variant Two | Branch Target Injection | Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date. |
| Variant Three | Rogue Data Cache Load | Zero AMD vulnerability due to AMD architecture differences. |

The full advisory can be found here: https://www.amd.com/en/corporate/speculative-execution

As the security landscape continues to evolve, a collaborative effort of information sharing in the industry represents the strongest defe

Furthermore, Tom Lendacky, a software engineer at AMD, had posted an email to the Linux Kernel Mailing List stating:

AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against.  The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.

Disable page table isolation by default on AMD processors by not setting the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI is set.

You can read the full post here: https://lkml.org/lkml/2017/12/27/2

Windows internals expert, Alex Ionescu also had this to say:

Alex Ionescu (@aionescu)

Official AMD response shows that they _are_ susceptible to at least some of these variants, so again, Intel’s response was *not* dishonest, just cleverly crafted. This is a design-level issue affecting many, many chip vendors. https://twitter.com/rhhackett/status/948676213505232897 …

5:14 PM – Jan 3, 2018

Android

The Android team has updated their January 2018 bulletin with the following note:

CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754, a set of vulnerabilities related to speculative execution in processors, have been publicly disclosed. Android is unaware of any successful reproduction of these vulnerabilities that would allow unauthorized information disclosure on any ARM-based Android device.

To provide additional protection, the update for CVE-2017-13218 included in this bulletin reduces access to high-precision timers, which helps limit side channel attacks (such as CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754) of all known variants of ARM processors.

We encourage Android users to accept available security updates to their devices. See the Google security blog for more details.

The full bulletin can be found here: https://source.android.com/security/bulletin/2018-01-01

Antivirus Vendors

Microsoft will only distribute the emergency update to users if a particular registry key has been made by an installed antivirus vendor. Kevin Beaumont has created a spreadsheet that keeps track of antivirus vendors and whether they make this key: https://docs.google.com/spreadsheets/u/2/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview

Below are links to various antivirus vendors who have released advisories:

  • Emsisoft: https://blog.emsisoft.com/2018/01/04/chip-vulnerabilities-and-emsisoft-what-you-need-to-know/
  • eScan: http://blog.escanav.com/2018/01/meltdown-spectre-cpu-vulnerabilities/
  • ESET: https://www.eset.com/us/about/newsroom/corporate-blog-list/corporate-blog/meltdown-spectre-how-to-protect-yourself-from-these-cpu-security-flaws/
  • Sophos: https://community.sophos.com/kb/en-us/128053
  • Trend Micro: https://success.trendmicro.com/solution/1119183
  • Webroot: https://community.webroot.com/t5/Announcements/Microsoft-Patch-Release-Wednesday-January-3-2018/m-p/310146

Apple

Apple has released an official advisory that states:

Security researchers have recently uncovered security issues known by two names, Meltdown and Spectre. These issues apply to all modern processors and affect nearly all computing devices and operating systems. All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store. Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by either Meltdown or Spectre. In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, and tvOS.

The full advisory can be read here: https://support.apple.com/en-us/HT208394

Windows internals expert, Alex Ionescu had this to say:

Alex Ionescu (@aionescu)

The question on everyone’s minds: Does MacOS fix the Intel #KPTI Issue? Why yes, yes it does. Say hello to the “Double Map” since 10.13.2 — and with some surprises in 10.13.3 (under Developer NDA so can’t talk/show you). cc @i0n1c @s1guza @patrickwardle

12:39 PM – Jan 3, 2018

ARM

ARM has released a security bulletin that lists the ARM processors that are susceptible to the Meltdown and Spectre attacks.

Based on the recent research findings from Google on the potential new cache timing side-channels exploiting processor speculation, here is the latest information on possible Arm processors impacted and their potential mitigations. We will post any new research findings here as needed.

The full ARM security bulletin can be found here: https://developer.arm.com/support/security-update

Chromium Project

The Chromium Project has issued an advisory where they provide best practices for web developers and recommend that Chromium users enable Site Isolation.

The full advisory is here: https://www.chromium.org/Home/chromium-security/ssca

Computer Emergency Response Team (CERT)

CERT has issued an advisory regarding the Meltdown and Spectre CPU vulnerabilities. This advisory can be found here: http://www.kb.cert.org/vuls/id/584653

Google

As Google was one of three teams that discovered this bug, they have some of the most detailed information regarding Spectre and Meltdown. A detailed bulletin regarding what Google products are affected by these vulnerabilities and how they are being mitigated can be found here: https://support.google.com/faqs/answer/7622138

I strongly suggest that everyone read the following articles for detailed technical information:

  • https://meltdownattack.com/
  • https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html

Google has also issued a bulletin for users of Google Cloud, G Suite, and Chrome. To summarize, this bulletin states that Google Cloud & G Suite have been updated to mitigate these vulnerabilities. If a customer uses their own operating system then they will need to install any related OS updates. Finally, Chrome & ChromeOS users can turn on Site Isolation to provide further protection.

The full bulletin can be found here: https://blog.google/topics/google-cloud/what-google-cloud-g-suite-and-chrome-customers-need-know-about-industry-wide-cpu-vulnerability/

Intel

Intel has released a press release regarding these vulnerabilities. A portion of this press release states:

Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.

Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.

The full press release can be found here: https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

Linux Foundation

Thomas Gleixner, a Linux kernel developer, posted in December to the Linux Kernel Mailing List about new KAISER isolation patches. These are suspected to have been introduced to resolve the Meltdown and Spectre bugs in Linux. If anyone has more information, I would appreciate you letting me know.

The mailing list post can be found here: https://lkml.org/lkml/2017/12/4/709

Microsoft

Windows Information:

On January 3rd 2018, Microsoft released emergency out-of-band updates for Windows 7 SP1, Windows 8.1, Windows 10, and various Windows Server versions. These updates help to mitigate the Spectre and Meltdown speculative execution side-channel vulnerabilities, but to be fully protected you will also need to install the latest firmware and BIOS updates for your computer.

Advisories for these updates can be found here:

  • Windows Server Guidance to protect against the speculative execution side-channel vulnerabilities
  • Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

Microsoft Edge Information:

Microsoft has released an advisory specifically related to Microsoft Edge. This advisory states:

Initially, we are removing support for SharedArrayBuffer from Microsoft Edge (originally introduced in the Windows 10 Fall Creators Update), and reducing the resolution of performance.now() in Microsoft Edge and Internet Explorer from 5 microseconds to 20 microseconds, with variable jitter of up to an additional 20 microseconds. These two changes substantially increase the difficulty of successfully inferring the content of the CPU cache from a browser process.

We will continue to evaluate the impact of the CPU vulnerabilities published today, and introduce additional mitigations accordingly in future servicing releases.  We will re-evaluate SharedArrayBuffer for a future release once we are confident it cannot be used as part of a successful attack.

The full advisory can be found here: https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/

Azure Information:

Microsoft also released a compatibility note that you should read in order to understand why you may not see these updates being offered: https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released

For Azure users, Microsoft has released an advisory that states:

The majority of Azure infrastructure has already been updated to address this vulnerability. Some aspects of Azure are still being updated and require a reboot of customer VMs for the security update to take effect. Many of you have received notification in recent weeks of a planned maintenance on Azure and have already rebooted your VMs to apply the fix, and no further action by you is required.

The full Azure advisory can be found here: https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/

Mozilla

Mozilla has released an advisory stating that older versions of Firefox are susceptible to these attacks. To mitigate these attacks, starting in Firefox 57, Mozilla has reduced the precision of Firefox’s internal timer functions. Therefore, all Firefox users should upgrade to Firefox 57 for the extra protection.

The advisory can be found here: https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

Nvidia

Nvidia has released an advisory that states they currently believe their GPUs are not affected by this bug, but will continue investigating:

NVIDIA’s core business is GPU computing. We believe our GPU hardware is immune to the reported security issue and are updating our GPU drivers to help mitigate the CPU security issue. As for our SoCs with ARM CPUs, we have analyzed them to determine which are affected and are preparing appropriate mitigations.

The full bulletin can be found here: https://forums.geforce.com/default/topic/1033210/nvidias-response-to-speculative-side-channels-cve-2017-5753-cve-2017-5715-and-cve-2017-5754/

Red Hat

Red Hat has released an advisory that provides a list of affected products and their status. This advisory states:

Red Hat customers running affected versions of the Red Hat products are strongly recommended to update them as soon as errata are available. Customers are urged to apply the appropriate updates immediately.  All impacted products should apply fixes to mitigate CVE-2017-5753 (variant 1) and CVE-2017-5754 (variant 3).  CVE-2017-5715 (variant 2) can be exploited both locally and through the virtualization guest boundary.

The full advisory can be found here: https://access.redhat.com/security/vulnerabilities/speculativeexecution?sc_cid=701f2000000tsLNAAY&

SUSE

SUSE has posted an advisory related to these attacks that states:

SUSE engineers have been collaborating with our partners and the Linux community on upstream Linux kernel patches. As a result of that collaboration, we are now able to release patches for most recent SUSE Linux Enterprise (SLE) versions. Additional patches for other SLE versions and environments will follow shortly.

The full advisory can be found here: https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/

Ubuntu

Ubuntu has released an advisory that states new kernels will be available on the original disclosure date of January 9th. The full advisory can be read here: https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-the-meltdown-spectre-vulnerabilities/

VMware

VMware has released an advisory that contains information about what products are affected and available patches. This advisory can be found here: https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html

Xen

The Xen Project has released a highly detailed advisory regarding how the Spectre and Meltdown vulnerabilities affect Xen hypervisors:

Xen guests may be able to infer the contents of arbitrary host memory, including memory assigned to other guests.

An attacker’s choice of code to speculatively execute (and thus the ease of extracting useful information) goes up with the numbers.  For SP1, or SP2 on systems where SMEP (supervisor mode execute protection) is enabled: an attacker is limited to windows of code after bound checks of user-supplied indexes.  For SP2 without SMEP, or SP3, an attacker can write arbitrary code to speculatively execute.

The full post can be found here: https://xenbits.xen.org/xsa/advisory-254.html 

Microsoft Working on Two Windows 10 Features Named Timeline and Sets

December 3, 2017 by Richard Langford

By Catalin Cimpanu, November 30, 2017, 08:52 AM

In an email sent to all Windows Insiders Program (WIP) participants, Terry Myerson, Executive Vice President of the Windows and Devices Group, gave a preview of two new features Microsoft will be testing in the next iteration of the Insiders Program (Windows 10 Redstone 4).

Known as Timeline and Sets, these two features bring major changes to the Windows interface and how users interact with the OS and their files.

Windows Timeline

The first of the two, Windows Timeline, is a modification of the Windows Task View, a feature introduced with Windows 10.

Microsoft introduced Task View as an alternative to the classic ALT+TAB interface, as a better view for opened windows. Windows Timeline expands Task View on a vertical timeline, showing both current and past windows.

In theory, this should allow users to quickly go back and open a file, site, or application they interacted with in the past. Details are scant, but Myerson did share a low-resolution screenshot of what users can expect to see.

Windows Sets

The second feature is just as intriguing as the first. Called Sets, this feature expands the concept of an app’s “window” with the addition of tabs, a UI concept found in modern browsers.

Adding tabs to Windows Explorer has been the #1 most requested Windows feature in the past years.

Nonetheless, from the video Myerson published online, Sets is not the tabbed interface users have been requesting, but more of a centralization of all Windows-related apps and services under one window, with tabs capable of opening Edge, Office apps, OneNote, and other Microsoft-made apps.

It is unclear if Sets will allow other apps access to the “shared window space” Microsoft is creating, but common sense dictates that UWP-compatible apps will be likely to support it.

Myerson said both features would roll out to WIP users “in the coming weeks,” and that not all WIP users will get them, as Microsoft wants to compare how users who get the features and those who don’t interact with Windows.
