Thursday, January 04, 2018

Microsoft Out-of-Band Security Update for "Meltdown" and "Spectre" CPU Flaws



Microsoft released out-of-band security updates to address what are being referred to as "Meltdown" and "Spectre" CPU flaws, reported to be affecting almost all CPUs released since 1995.

As explained by John Hazen, Principal PM Lead, Microsoft Edge, in "Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer", Microsoft released KB4056890 with mitigations for the class of vulnerabilities which can be exploited as described in Security Advisory ADV180002. These techniques can be used via JavaScript code running in the browser, which may allow attackers to gain access to memory in the attacker’s process.

The January security release consists of security updates for the following software:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows

    The updates address Elevation of Privilege and Information Disclosure. The related CVEs are CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754. See Lawrence Abrams' article at Bleeping Computer, which includes a list of vendors' official notices, patches and updates, including Amazon, AMD, Apple, Chrome, Intel, Mozilla, nVidia and more.

    Important Note: The update released is incompatible with a small number of anti-virus products and may result in BSODs. As a result, the update is only being released to devices running antivirus software from partners who have confirmed their software is compatible with the January 2018 Windows operating system security update. See "Important information regarding the Windows security updates released on January 3, 2018 and anti-virus software" for additional information.


    For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.






    5 comments:

    Anonymous said...

    Do you know what antivirus programs work with the out-of-band security update from Microsoft? I use AVG. Thank you, John

    Corrine said...

    Curiously, AVG is not on the list that I've been following: CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 (Meltdown and Spectre) Windows antivirus patch compatibility. I checked the AVG forum and apparently AVG developers are looking at it. See Meltdown and Spectre | AVG.

    Anonymous said...

    Corrine, thank you for your quick response to my AVG question. AVG must have fixed the situation overnight, as this morning I received the out-of-band security update. I always followed your friend's advice (Bill P.) to wait a few days till I run the update. I believe that advice holds true in this case too? Your site always keeps me informed and I thank you for that. John

    Corrine said...

    You're welcome, John. Since AVG is compatible with the update, I would go ahead and install it rather than waiting.

    Anonymous said...

    A quick update. The out-of-band update worked on my Windows 7 computer with AVG FREE. Again, thank you! John