
Microsoft Out-of-Band Security Update for "Meltdown" and "


Corrine


Microsoft released out-of-band security updates to address what are being referred to as "Meltdown" and "Spectre" CPU flaws, reported to be affecting almost all CPUs released since 1995.

 

As explained by John Hazen, Principal PM Lead, Microsoft Edge, in "Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer", Microsoft released KB4056890 with mitigations for the class of vulnerabilities which can be exploited as described in Security Advisory ADV180002. These techniques can be used via JavaScript code running in the browser, which may allow attackers to gain access to memory in the attacker’s process.

 

The January security release consists of security updates for the following software:

 

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows

The updates address Elevation of Privilege and Information Disclosure. The related CVEs are CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754. See Lawrence Abrams' article at Bleeping Computer, which includes a list of vendors' official notices, patches and updates, including Amazon, AMD, Apple, Chrome, Intel, Mozilla, nVidia and more.

 

Important Note: The update released is incompatible with a small number of anti-virus products and may result in BSODs. As a result, the update is only being released to devices running antivirus software from partners who have confirmed their software is compatible with the January 2018 Windows operating system security update. See "Important information regarding the Windows security updates released on January 3, 2018 and anti-virus software" for additional information.

 

For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary. Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

 


Why does JavaScript have the capability to look into RAM to begin with? If for nothing else, having all browsers that do JavaScript getting its power limited will be worth the kerfuffle.

 

I'd still like to know how easy it is to get any code to run that makes the peeks into RAM and how often they hit upon something that can be used.
