1. #1
    Corrine's Avatar
    Join Date
    Feb 2012
    Location
    Upstate, NY
    Posts
    8,836

    Microsoft Out-of-Band Security Update for "Meltdown" and "Spectre" CPU Flaws

    Microsoft released out-of-band security updates to address what are being referred to as "Meltdown" and "Spectre" CPU flaws, reported to be affecting almost all CPUs released since 1995.

    As explained by John Hazen, Principal PM Lead, Microsoft Edge in Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer, Microsoft released KB4056890 with mitigations for the class of vulnerabilities which can be exploited as described in Security Advisory ADV180002. These techniques can be used via JavaScript code running in the browser, which may allow attackers to gain access to memory in the attacker’s process.

    The January security release consists of security updates for the following software:

    • Internet Explorer
    • Microsoft Edge
    • Microsoft Windows

    The updates address Elevation of Privilege and Information Disclosure. The related CVEs are CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 See Lawrence Abrams article at Bleeping Computer which includes a list of vendors official notices, patches and updates, including Amazon, AMD, Apple, Chrome, Intel, Mozilla, nVidia and more.

    Important Note: The update released is incompatible with a small number of anti-virus products and may result in BSOD's. As a result, the update is only being released to devices running antivirus software from partners who have confirmed their software is compatible with the January 2018 Windows operating system security update. See Important information regarding the Windows security updates released on January 3, 2018 and anti-virus software for additional information.

    For more information about the updates released today, see https://portal.msrc.microsoft.com/en...idance/summary. Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

    References


    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

    Remember - A day without laughter is a day wasted.
    May the wind sing to you and the sun rise in your heart.


    • Ad Bot

      advertising
      Beep.

        
       

  2. #2
    Corrine's Avatar
    Join Date
    Feb 2012
    Location
    Upstate, NY
    Posts
    8,836

    Re: Microsoft Out-of-Band Security Update for "Meltdown" and "Spectre" CPU Flaws

    From Microsoft Says No More Windows Security Updates Unless AVs Set a Registry Key:

    According to an update added this week, Microsoft says that Windows users will not receive the January 2018 Patch Tuesday security updates, or any subsequent Patch Tuesday security updates, unless the antivirus program they are using becomes compatible with the Windows Meltdown and Spectre patches.
    As explained by Kevin Beaumont in Important information about Microsoft Meltdown CPU security fixes, antivirus vendors and you:

    There is a problem where some anti-virus vendors are using techniques to bypass Kernel Patch Protection by injecting a hypervisor which they use to intercept syscalls and make assumptions about memory locations — memory locations which are now changing with the Meltdown fixes. To be honest, some of the techniques are similar to ones used by rootkits — Kernel Patch Protection was introduced by Microsoft a decade ago to combat rootkits, in fact. Because some anti-virus vendors are using very questionable techniques they end up cause systems to ‘blue screen of death’ — aka get into reboot loops.
    Check this list to see if your A/V requires a manual registry key setting: Important information about Microsoft Meltdown CPU security fixes, antivirus vendors and you. If so, Bleeping Computer has created a reg file that can be used. See the article at Microsoft Says No More Windows Security Updates Unless AVs Set a Registry Key. The file is at the bottom of the article but be sure to read the entire article first. You can also check the status with PowerShell (See How to Check and Update Windows Systems for the Meltdown and Spectre CPU Flaws).

    Microsoft Support Page: Important: January 3, 2018, Windows security updates and antivirus software
    satrow, niemiro and JMH say thanks for this.


    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

    Remember - A day without laughter is a day wasted.
    May the wind sing to you and the sun rise in your heart.

Similar Threads

  1. Replies: 2
    Last Post: 07-04-2017, 08:44 AM
  2. [SOLVED] Windows Update Errors: "WindowsUpdate_800F0900" "WindowsUpdate_dt000"
    By Gruffman in forum Windows Update
    Replies: 9
    Last Post: 10-01-2016, 10:58 AM
  3. Replies: 3
    Last Post: 11-22-2015, 12:59 PM
  4. Replies: 12
    Last Post: 10-05-2015, 10:38 AM

Log in

Log in