Microsoft has released an out-of-band emergency security update to Windows 10 to bring fixes to the Meltdown and Spectre kernel flaws that affect Intel, AMD and ARM chips. "We’re aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers," the company spokesperson said.
We are in the process of deploying mitigations to cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM, and AMD.
The Windows maker suggests that these security vulnerabilities haven't been used in the wild to attack Windows consumers. "We have not received any information to indicate that these vulnerabilities had been used to attack our customers," it added.
Spectre is Jedi mind trick; Meltdown a pickpocket...
As we reported earlier Google has made the details of these security flaws - that were first discovered last year - available to the public. Security researchers have said most of the PCs and phones being used today are affected. "Think of a Star Wars movie where someone wants to steal money," Daniel Gruss, one of the security researchers who discovered the Meltdown and Spectre flaws, said. "Spectre is like a Jedi mind trick: you make someone else give you their money, this happens so quick that they don't realize what they're doing."
"Meltdown just grabs the money very quickly like a pick-pocket. The Jedi mind trick is of course more difficult to do, but also harder to mitigate."
Patches for Windows 10 available now - unclear exactly which variants it's fixing
The update brings "security updates to Windows SMB Server, the Windows Subsystem for Linux, Windows Kernel, Windows Datacenter Networking, Windows Graphics, Microsoft Edge, Internet Explorer, and the Microsoft Scripting Engine." The attack has three variants, but it remains unclear if this patch fixes all of them or only some. Microsoft will be automatically patching Windows 10 machines, according to The Verge. While the fixes are also available for supported Windows 7 and 8 versions, they won't be automatically applied until the scheduled Patch Tuesday, next week.
Along with Microsoft and other tech companies, UK’s National Cyber Security Center has also said there is no evidence of malicious exploits in the wild. However, since the details are out in the open now along with proof of concepts, it would be wiser to deploy patches as soon as they are made available.
— Michael Schwarz (@misc0110) January 4, 2018
Here are the details of these cumulative updates bring rolled out to supported Windows 10 devices right now.
- Windows 10 Fall Creators Update is receiving KB4056892 (Build 16299.192)
- Windows 10 Creators Update Version 17033 gets KB4056891 (Build 15063.850)
- Version 1607 is getting KB4056890 (Build 14393.2007)
- 1511 receives KB4056888 (Build 10586.1356) - for enterprise and education only.
- The original Windows 10 version is receiving KB4056893 (Build 10240.17738) - for enterprise only.
You can find more details and known issues here.
[Update]: Microsoft shares more details; suggests all variants are fixed but you might need firmware updates from your device manufacturer
At the time this rare emergency update was pushed out, it was unclear what exactly was fixed. In a statement to Wccftech, the company spokesperson said that it has been "working closely with chip manufacturers to develop and test mitigations" to protect Windows users against these three reported bugs. It added that the released patches secure users on all affected chips from Intel, AMD, and ARM.
To confirm, Meltdown and Spectre affect both Windows client and server operating systems, the company said. Microsoft also added that patches would be automatically deployed if you have automatic updates turned on, and that performance does take a hit in some cases but may not be noticeable for average consumer.
Here's the complete security advisory (slightly modified for precision; emphasis is ours):
Microsoft is aware of a new publicly disclosed class of vulnerabilities referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems including Intel, AMD, and ARM.
Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. To get all available protections, hardware/firmware and software updates are required. This includes microcode from device OEMs and in some cases updates to AV software as well. This advisory addresses the following vulnerabilities:
- CVE-2017-5753 - Bounds check bypass
- CVE-2017-5715 - Branch target injection
- CVE-2017-5754 - Rogue data cache load
For consumers, the best protection is to keep your computers up to date. You can do this by taking advantage of automatic update. Learn how to turn on automatic updates here. In addition to installing the January 2018 Windows security updates, you may also need to install firmware updates from your device manufacturer for increased protection. Check with your device manufacturer for relevant updates.
If automatic updates are enabled, the January 2018 Windows security update will be offered to the devices running supported anti-virus (AV) applications. Updates can be installed in any order.
- If automatic update is not enabled, manually check for and install the January 2018 Windows operating system security update.
- Install applicable firmware update provided by your OEM device manufacturer.
Potential performance impacts
In testing Microsoft has seen some performance impact with these mitigations. For most consumer devices, the impact may not be noticeable, however, the specific impact varies by hardware generation and implementation by the chip manufacturer. Microsoft values the security of its software and services and has made the decision to implement certain mitigation strategies in an effort to better secure our products. We continue to work with hardware vendors to improve performance while maintaining a high level of security.
Speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and can therefore lead to information disclosure. There are multiple vectors by which an attacker could trigger the vulnerabilities depending on the configured environment.
Microsoft has been working with hardware and software makers to jointly develop mitigations to protect customers across Microsoft’s products and services. These mitigations prevent attackers from triggering a weakness in the CPU which could allow the contents of memory to be disclosed.
Microsoft Windows client customers
In client scenarios, a malicious user mode application could be used to disclose the contents of kernel memory.
Customers using Windows client operating systems including Windows 7 Service Pack 1, Windows 8.1, and Windows 10 need to apply both firmware and software updates. See Microsoft Knowledge Base Article 4073119 for additional information.
Customers using Microsoft Surface and Surface Book products need to apply both firmware and software updates. Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically.
Microsoft Windows Server customers
In server scenarios, a malicious user-mode application could be used to disclose the contents of kernel memory. In other multi-tenant hosting environments, a virtual machine could read the memory of the host operating system or the memory of other guest operating systems running on the same physical machine.
Customers using Windows server operating systems including Windows Server 2008 R2 Service Pack 1, Windows Server 2012 R2, and Windows Server 2016 need to apply firmware and software updates as well as configure protections. See Microsoft Knowledge Base Article 4072698 for additional information, including workarounds.
Microsoft Azure has taken steps to address the security vulnerabilities at the hypervisor level to protect Windows Server VMs running in Azure. More information can be found here.
Microsoft cloud customers
Microsoft has already deployed mitigations across the majority of our cloud services and is accelerating efforts to complete the remainder. More information is available here.
Microsoft SQL Server customers
In scenarios running Microsoft SQL Server, customers should follow the guidance outlined in Microsoft Knowledge Base Article 4073225.