Posted by: kurtsh | January 10, 2018

INFO: Microsoft’s Spectre, Meltdown, & Windows Systems

We sent the following to our Enterprise Support customers about Spectre, Meltdown, & Windows Systems a week ago and I thought I’d share it:

Alert – Guidance to protect against the speculative execution side-channel vulnerabilities

What is the purpose of this alert?

This alert is to provide you with guidance concerning CPU Microcode vulnerabilities being reported in press starting on Wednesday, January 3, 2018. To get all available protections, customers will need to install updates from both software and hardware vendors.

Executive Summary

Microsoft is aware of a new publicly disclosed class of vulnerabilities referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems including Intel, AMD, and ARM. Note: this issue will affect other systems such as Android, Chrome, iOS, MacOS, so we advise customers to seek out guidance from those vendors.

Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See below for more details.

Microsoft has not received any information to indicate that these vulnerabilities have been used to attack customers at this time. Microsoft continues working closely with industry partners including chip makers, hardware OEMs and app vendors to protect customers. To get all available protections, hardware/firmware and software updates are required. This includes microcode from device OEMs and in some cases updates to AV software as well.

This advisory addresses the following vulnerabilities:

  • CVE-2017-5715 (branch target injection)
  • CVE-2017-5753 (bounds check bypass)
  • CVE-2017-5754 (rogue data cache load)

Recommended Actions – Consumers

For consumers, the best protection is to keep your computers up to date. You can do this by taking advantage of automatic update. Learn how to turn on automatic updates here. In addition to installing the January 2018 Windows security updates, you may also need to install firmware updates from your device manufacturer for increased protection. Check with your device manufacturer for relevant updates.

If automatic updates are enabled, the January 2018 Windows security update will be offered to the devices running supported anti-virus (AV) applications. Updates can be installed in any order.

  1. If you have automatic updating enabled and configured to provide updates for Windows, the updates are delivered to you when they are released, if your device and software are compatible. We recommend you verify these updates are installed. If automatic update is not enabled, manually check for and install the January 2018 Windows operating system security update.
  2. Install applicable firmware update provided by your OEM device manufacturer.

Recommended Actions – Enterprise

Security Advisory 180002 has sections that provide specific guidance for Windows clients, Windows servers,  and Microsoft Cloud platforms. Additional guidance provided in the security advisory includes answers to frequently asked questions, guidance for how to verify that protections are enabled.

Associated Support Articles and Additional Resources

Regarding Information Consistency

We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Microsoft’s security content posted to the web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft’s web-based security content, the information in Microsoft’s web-based security content is authoritative.

Much of this and more is reflected on this post from our Support database:

More discussion is available from our Security web sites:

MICROSOFT SECURE BLOG
Refer this blog to understand the performance impact of Spectre and Meltdown mitigations on Windows Systems.

MICROSOFT SECURITY RESEARCH CENTER
For more technical details, please see:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002


Categories

%d bloggers like this: