This content was translated from the ADV180002 security bulletin issued by Microsoft.

Executive summary

Microsoft is aware of a newly disclosed class of vulnerabilities called "speculative execution side-channel attacks". These vulnerabilities affect many modern processors and operating systems, including Intel, AMD and ARM. For other operating systems (not owned by Microsoft), such as Android, Chrome, iOS and macOS, we recommend that you get guidance from the relevant vendors.
(For Microsoft operating systems) Microsoft has released several security updates to help you mitigate the impact of these vulnerabilities. We have also taken the necessary actions to ensure the security and reliability of our cloud services. See below for details.
Microsoft has not received any reports of using these vulnerabilities to attack customers. Microsoft will continue to work closely with industry partners including chipmakers, hardware OEMs and application vendors to protect customers. If you want to obtain all available protection measures, you must update the hardware/firmware and software. These update measures include microcode updates obtained from hardware manufacturers, and updating your anti-virus software to the latest version when necessary.

This security notice involves the following vulnerabilities:
CVE-2017-5753 - Bounds check bypass
CVE-2017-5715 - Branch target injection
CVE-2017-5754 - Rogue data cache load

Recommended actions

For ordinary consumers, the best protection is to keep your computer up to date. (For operating systems) You can use automatic updates to ensure that the operating system is up to date. In addition to installing the January 2018 Windows security update, you may also need to obtain and install updated firmware from the device manufacturer for fuller protection. Please contact the device manufacturer to obtain the relevant updates.

If automatic update is enabled (Windows operating system, omitted below), the January 2018 Windows security update will be offered to devices running supported anti-virus applications, and you can install the updates in any order.

If you enable Windows Automatic Update, we will push you this security update when your device and software are compatible. We recommend that you check that these updates are installed. If you do not enable automatic update, please manually check and install the security update of Windows operating system in January 2018.
Install applicable firmware updates from OEM equipment manufacturers.
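
One way to check that both halves of this advice (the Windows update and the OEM firmware) are actually in place, as an added example that is not part of the advisory or of this blog post. It assumes Microsoft's SpeculationControl PowerShell module has been installed from the PowerShell Gallery; `Get-MitigationSummary` is a hypothetical helper name introduced here.

```powershell
# Added example, not part of the advisory. Assumes Microsoft's SpeculationControl
# module is installed:  Install-Module SpeculationControl -Scope CurrentUser
Import-Module SpeculationControl -ErrorAction Stop

# Hypothetical helper: turns the module's result object into one status per CVE.
function Get-MitigationSummary {
    param([Parameter(Mandatory)] $Settings)

    # CVE-2017-5715 needs BOTH the Windows update and CPU microcode (firmware).
    $bti = if (-not $Settings.BTIWindowsSupportPresent) {
        'Missing: install the Windows security update'
    } elseif (-not $Settings.BTIHardwarePresent) {
        'Missing: install the OEM firmware (microcode) update'
    } elseif (-not $Settings.BTIWindowsSupportEnabled) {
        'Installed but not enabled'
    } else { 'Mitigated' }

    # CVE-2017-5754 is handled by the OS alone, and only on CPUs that need it.
    $kva = if (-not $Settings.KVAShadowRequired) {
        'Not required on this CPU'
    } elseif (-not $Settings.KVAShadowWindowsSupportPresent) {
        'Missing: install the Windows security update'
    } elseif (-not $Settings.KVAShadowWindowsSupportEnabled) {
        'Installed but not enabled'
    } else { 'Mitigated' }

    # The module has no field for CVE-2017-5753, so it is not listed here.
    [pscustomobject]@{ CVE = 'CVE-2017-5715'; Name = 'Branch target injection'; Status = $bti }
    [pscustomobject]@{ CVE = 'CVE-2017-5754'; Name = 'Rogue data cache load'; Status = $kva }
}

# The cmdlet prints its own report and returns one object with the fields used above.
$settings = Get-SpeculationControlSettings
$summary = Get-MitigationSummary -Settings $settings
$summary | Format-Table -AutoSize

# Flag hosts that still need an update or a configuration change.
$pending = @($summary | Where-Object { $_.Status -match '^(Missing|Installed but)' })
if ($pending.Count -gt 0) {
    Write-Warning "$($pending.Count) mitigation(s) still need attention on $env:COMPUTERNAME"
}
```

Run it from an elevated PowerShell session after installing the updates and rebooting.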

Potential performance impact

In testing (of this patch), Microsoft has seen that the patch can have an impact on computer performance. For most consumer devices the impact may not be noticeable, but it varies with the hardware and the hardware manufacturer. Microsoft will implement corresponding mitigation strategies to ensure the security of Microsoft software and services. We will continue to work with hardware vendors to improve performance while maintaining a high level of security.

Vulnerability description (inaccurate translation)

Speculative execution side-channel vulnerabilities can be used to read memory content across a trust boundary, leading to information disclosure. An attacker can trigger the vulnerabilities in multiple ways, depending on the configured environment.
Microsoft has been working with hardware and software manufacturers to develop mitigation measures to protect customers using Microsoft products and services. These mitigation measures prevent an attacker from triggering the CPU weakness that discloses memory contents.
Microsoft Windows client users (affected)
Too many to list, see the original advisory (omitted)
Microsoft Windows server users (affected)
Same as above, omitted
Xxx users (affected)
Omitted

FAQ

1. Which (Microsoft's) operating systems will be threatened by this vulnerability?

Client operating system: Windows client
Server operating system: Windows Server

2. What are the related vulnerabilities?

CVE-2017-5715, CVE-2017-5753, CVE-2017-5754

3. Is there any active attack using this vulnerability detected?

No. When this security advisory was issued, Microsoft had not received any reports (of attacks), and there is no evidence that these vulnerabilities have been used to attack customers.

4. Have these vulnerabilities been publicly disclosed?

Yes, these vulnerabilities were disclosed on January 3, 2018 at https://bugs.chromium.org/p/project-zero/issues/detail?id=1272. (Google is the best in the world)

5. I was not offered the Windows security updates of January 3, 2018. What should I do?

To avoid adverse effects on user devices, the Windows security update released by Microsoft on January 9, 2018 will only be offered to devices running compatible anti-virus software. For more information, see Microsoft Knowledge Base article 4072699 (https://support.microsoft.com/help/4072699).

Additional recommendations

Protect your PC: We encourage customers to follow our computer protection guidelines, including using a firewall, getting the latest software updates and installing anti-virus software. For more information, see the Microsoft Safety & Security Center.

Keep Microsoft software updated: Users running Microsoft software should obtain and install the latest Microsoft security updates to ensure that their computers are protected as much as possible. If you are not sure whether your software is up to date, please visit Microsoft Update, scan your computer for available updates, and install any high priority updates that (we) provide to you. If automatic update is enabled and configured to provide updates for Microsoft products, the updates will be pushed to you after publishing, but you should verify whether they are installed.

Acknowledgements

Jann Horn of Google Project Zero
Paul Kocher
Moritz Lipp from Graz University of Technology
Daniel Genkin from University of Pennsylvania and University of Maryland
Daniel Gruss from Graz University of Technology
Werner Haas of Cyberus Technology GmbH
Mike Hamburg of Rambus Security Division
Stefan Mangard from Graz University of Technology
Thomas Prescher of Cyberus Technology GmbH
Michael Schwarz from Graz University of Technology
Yuval Yarom of The University of Adelaide and Data61
Anders Fogh of GDATA Advanced Analytics
Additional information on the Meltdown and Spectre attacks can be found at their respective web sites.

A brief comment from Hare

This year is really not a peaceful year~

Zimiao haunting blog (azimiao.com). All rights reserved. Please include the link when reprinting: https://www.azimiao.com/3167.html

Comment area

  1. Is it not peaceful since the beginning of the New Year~

    • hare 01-05 12:00

      There are two vulnerabilities in CPU hardware design. One is that all x86 CPUs are GG, and the other is that all Intel CPUs are GG. If the patch is mitigated, I/O performance will be reduced, and the vulnerability cannot be corrected fundamentally.

  2. Panda A 01-05 09:05

    The performance will be reduced after the repair... The toothpaste factory finally rolled over 233

    Sign in successfully! Sign in time: 9:03:44 am, clock in every day, and life will be more exciting~

  3. Time House 01-05 12:39

    No matter, it's OK to use it anyway (funny)

  4. Doraemon! 01-05 14:34

    360: Upgrading Trojan library
    😆 Not afraid. The scary thing is.. A primary school student came to my home to play computer. Because he doesn't use the same system with me, but that system is basically unable to open the website by him.... Some, such as 4455, are OK. Is it supposed to be all right?

    • hare 01-06 10:42

      It should be OK, but my public computers are equipped with restore cards

  5. I just wanted to change the CPU for my spicy chicken computer, and then look at it in a twinkling of an eye (laughing

    • hare 01-06 10:44

      I just bought a set of G4560, and when the express delivery was still on the way, these loopholes burst out... The day before it burst out, I went to Ruilong... Alas.

  6. volute 01-08 11:00

    Fortunately, according to the official update, we have been using win10, streaking, haha