Microsoft has released out-of-bounds patches for Windows 10 to help protect against new Spectre and Foreshadow CPU attacks.
The Windows 10 updates, made available late on Monday, contain Intel's latest microcode fixes for the recently discovered Spectre variant 3a and 4 vulnerabilities, which affect many modern computer processors.
These vulnerabilities were detailed back in May. Spectre variant 4 allows for a Speculative Store Bypass attack, which lets a malicious script manipulate a program into revealing data handled by that program that the script shouldn't have access to, for example, letting a script running in one browser tab read data from another. It affects a range of CPUs, including those from Intel and AMD, IBM's POWER8 and POWER9, and certain ARM processors.
Meanwhile Spectre variant 3a could allow ordinary programs to view system information, such as status flags, that should only be visible to low-level system software, such as device drivers or the operating system kernel.
SEE: 20 pro tips to make Windows 10 work the way you want (free PDF) (TechRepublic)
These new patches also include new Intel microcode that tackles the recently revealed Foreshadow chip vulnerability. Foreshadow affects a range of SGX-enabled Intel Core processors, and allows a malicious program to bypass protections and read data from the L1 cache, fast memory available to each processor core.
Microcode is a type of firmware for CPUs, and these latest fixes are for Intel sixth-generation through to the most recent eighth-generation processors, as detailed here.
The Microsoft updates have been released for every version of Windows 10, from the first build, 1507, through to 1803, also known as the April 2018 Update.
The updates should appear automatically for those managing machines using Windows Server Update Services (WSUS). They are available to download directly via Microsoft Update Catalog, see the updates added on 8/20/2018. If you are using Windows Update you can go to Settings > Update & Security > Windows Update and then select Check for updates to trigger the update.
Spectre and Meltdown are vulnerabilities in modern chip design that could allow attackers to bypass system protections on nearly every recent PC, server and smartphone—allowing hackers to read sensitive information, such as passwords, from memory.
The first variants of the vulnerabilities were revealed in January this year, and led to a series of patches by chipmakers and system software vendors to try to mitigate the risk of attacks. Fortunately major browsers have since been updated to make attacks exploiting these vulnerabilities very difficult to pull off.
Patching against variant 2 of the Spectre vulnerability has proven to be particularly difficult, due to it being related to a fundamental feature of modern CPUs, specifically their use of Branch Prediction and Speculative Execution to accelerate the rate at which they operate.
The upshot was that Intel firmware updates to reduce the risk of a successful attack exploiting Spectre variant 2 caused instability and unexpected reboots in systems, leading Intel to replace some fixes.
However, it remains to be seen whether AMD and Intel will be able to redesign their processors to nullify the risk from Spectre without having a significant impact on performance.
The big takeaways for tech leaders:
- New fixes are available for every version of Windows 10 that help protect against recently revealed CPU vulnerabilities, both Foreshadow and newer variants of Spectre.
- The microcode updates are available for systems running on Intel sixth to eighth generation processors.
- Windows 10 April 2018 Update: A cheat sheet (TechRepublic)
- Windows users attacked via critical Flash zero-day: Patch now, urges Adobe (ZDNet)
- Windows 10 April 2018 Update problems: Users struggle with mystery 'black screen' (ZDNet)
- Microsoft kills its forum support for Office 2013, Surface Pro, Windows 8.1 and more (CNET)
- Windows 10 users should wait to install the latest update-it's bricking some PCs (TechRepublic)
- Microsoft Windows, Apple macOS, Linux, BSD: All hit by same 'serious' security flaw (ZDNet)
Nick Heath is chief reporter for TechRepublic. He writes about the technology that IT decision makers need to know about, and the latest happenings in the European tech scene.