Highlighted
ky331
Diamond

Microsoft to issue emergency Windows update for processor security bugs

Microsoft to issue emergency Windows update for processor security bugs

Microsoft is issuing a rare out-of-band security update to supported versions of Windows today. The software update is part of a number of fixes that will protect against a newly-discovered processor bug in Intel, AMD, and ARM chipsets.

The company will issue a Windows update that will be automatically applied to Windows 10 machines at 5PM ET / 2PM PT today.

The update will also be available for older and supported versions of Windows today, but systems running operating systems like Windows 7 or Windows 8 won’t automatically be updated through Windows Update until next Tuesday.

https://www.theverge.com/2018/1/3/16846784/microsoft-processor-bug-windows-10-fix

Free Internet Security - WOT Web of Trust       Use OpenDNS       MalwareBytes Anti-Malware


Windows 7 Pro SP1 (64-bit), avast! v17 Free, MBAM3 Pro, Windows Firewall, OpenDNS Family Shield, SpywareBlaster, MVPS HOSTS file, MBAE Premium, MCShield, WinPatrol PLUS, SAS (on-demand scanner), Zemana AntiLogger Free, IE11 & Firefox (both using WOT [IE set to WARN, FF set to BLOCK]), uBlock Origin, CryptoPrevent.


[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

0 Kudos
10 Replies

RE: Microsoft to issue emergency Windows update for processor security bugs

But be careful, some antivirus do not take patch KB4056892 well.

Do proper testing.

Read here:

answers.microsoft.com/.../ead3f25e-6c55-4359-9cd9-5be87cbe7b4f

0 Kudos
ky331
Diamond

RE: Microsoft to issue emergency Windows update for processor security bugs

From https://forums.malwarebytes.com/topic/217734-meltdown-mitigation/?tab=comments#comment-1196663

For now, users with MalwareBytes3 based software installed and registered with Windows Action Center will not be able to receive any MS updates automatically, starting with the Jan. 2018 update. You can either apply the update manually or set the Malwarebytes action center setting to "Never register Malwarebytes in Windows Action Center" so that the MS update can apply automatically.

[To] clarify what is going on for our end. Malwarebytes does not break Windows when the patch is applied. The issue we have is that the patch cannot auto apply when Malwarebytes is registered to the Action Center, this is the part that is being tested and will be updated.

Free Internet Security - WOT Web of Trust       Use OpenDNS       MalwareBytes Anti-Malware


Windows 7 Pro SP1 (64-bit), avast! v17 Free, MBAM3 Pro, Windows Firewall, OpenDNS Family Shield, SpywareBlaster, MVPS HOSTS file, MBAE Premium, MCShield, WinPatrol PLUS, SAS (on-demand scanner), Zemana AntiLogger Free, IE11 & Firefox (both using WOT [IE set to WARN, FF set to BLOCK]), uBlock Origin, CryptoPrevent.


[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

0 Kudos
ky331
Diamond

RE: Microsoft to issue emergency Windows update for processor security bugs

Firefox 57.0.4 is offering its own mitigation for these issues:

https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/

Fixed

"Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox."

Free Internet Security - WOT Web of Trust       Use OpenDNS       MalwareBytes Anti-Malware


Windows 7 Pro SP1 (64-bit), avast! v17 Free, MBAM3 Pro, Windows Firewall, OpenDNS Family Shield, SpywareBlaster, MVPS HOSTS file, MBAE Premium, MCShield, WinPatrol PLUS, SAS (on-demand scanner), Zemana AntiLogger Free, IE11 & Firefox (both using WOT [IE set to WARN, FF set to BLOCK]), uBlock Origin, CryptoPrevent.


[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

0 Kudos
joe53
Diamond

RE: Microsoft to issue emergency Windows update for processor security bugs

The issue we have is that the patch cannot auto apply when Malwarebytes is registered to the Action Center, this is the part that is being tested and will be updated.

Malwarebytes was quick in issuing a fix with Malwarebytes Database Update 1.0.3624, that now allows MB3 to automatically download the Jan. 2018 patch.
forums.malwarebytes.com/.../

I have that database version on my Win 10 Pro MB3, but have yet to see KB4056892 installed. I do not have MB3 registered  with the Windows Action Center. When I check for security updates, I am informed I am up to date. All my security updates listed in history are from 2017. I suspect that my decision to delay Win 10 updates for 4 weeks might explain this, but I thought this applied to only non-security ("feature") updates.

I am not particularly worried about getting this patch ASAP for any of my Windows versions. As I understand it, these vulnerabilities are decades old. For home users, someone would have to be a hacker logged in to your system to access your files. It seems for now like a tempest in a teapot.

_________________________________________


Dell Forum Member since 2,000


 Use OpenDNS   MalwareBytes' Anti-Malware Free


Windows 7/sp1 (64- Bit): Malwarebytes 3.x Premium, Windows Firewall, WinPatrol PLUS, Emsisoft Emergency Kit Free and HitmanPro Free (on-demand scanners), OpenDNS, MVPS Hosts file, SpywareBlaster, Pale Moon web browser, Sandboxie, CCleaner Free.


Windows 10 Pro (64- Bit): Same protection plus Windows Defender AV.


"In the future, everyone will be anonymous for 15 minutes" - Banksy

0 Kudos
RoHe
Diamond

RE: Microsoft to issue emergency Windows update for processor security bugs

Got KB4056892 this evening when I booted my Inspiron laptop with i3-3217U CPU (Gen 3), running Win 10 Fall Creators, 64-bit.  This system dates from ~2012.

Took ~30-40 min to install with restarts and reboots, but this PC isn't exactly fast. So far everything seems to be working correctly.  And at first glance, it seems to be running as fast or maybe faster than before, but no hard data to back that up.

Ron

   Forum Member since 2004
   I am not a Dell employee

0 Kudos
zductive
Copper

RE: Microsoft to issue emergency Windows update for processor security bugs

Intel processor - does not boot after jan update

0 Kudos
ky331
Diamond

RE: Microsoft to issue emergency Windows update for processor security bugs

 

Just wanted to append the information about these vulnerabilities from Microsoft:

 

These vulnerabilities are information disclosure vulnerabilities.  An attacker who successfully exploited these vulnerabilities could use them to leak sensitive information that could be used for further exploitation of the system.

In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another.

In non-browsing scenarios on standalone systems, an attacker would need prior access to the system or an ability to run untrusted code on the system to leverage these vulnerabilities.

In browsing scenarios, an attacker could convince a user to visit a malicious site to leverage these vulnerabilities. An attacker could also inject malicious code into advertising networks used by trusted sites or embed malicious code on a compromised, but trusted, site.

 

By themselves, these vulnerabilities do not allow arbitrary code execution.

 

Free Internet Security - WOT Web of Trust       Use OpenDNS       MalwareBytes Anti-Malware


Windows 7 Pro SP1 (64-bit), avast! v17 Free, MBAM3 Pro, Windows Firewall, OpenDNS Family Shield, SpywareBlaster, MVPS HOSTS file, MBAE Premium, MCShield, WinPatrol PLUS, SAS (on-demand scanner), Zemana AntiLogger Free, IE11 & Firefox (both using WOT [IE set to WARN, FF set to BLOCK]), uBlock Origin, CryptoPrevent.


[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

0 Kudos
ky331
Diamond

RE: Microsoft to issue emergency Windows update for processor security bugs

 

https://blog.qualys.com/news/2018/01/18/meltdown-and-spectre-arent-business-as-usual

I'm going to highlight a few passages from the above article:

Meltdown:

Since hackers need to gain a foothold in systems before they can exploit Meltdown, it’s likely it will be part of “chained attacks,” which involve exploiting two or more vulnerabilities in sequence...

Meltdown can be extensively mitigated using KPTI (Kernel Page Table Isolation) via the OS patches provided by Microsoft, Apple and Linux OS vendors.

---------------------------------------------------

Spectre:

successfully exploiting Spectre is “very difficult” because attackers must have detailed knowledge of the victim process, meaning they’d have to know specifically which process they’re going to target...

The most likely exploit scenario in the short term for Spectre is a JavaScript type of attack, where JavaScript escapes its sandbox, and accesses forbidden memory from the browser process, allowing attackers to access to cookies and session keys...

For Spectre, patches are available via software updates for OSes and apps, and via processor microcode. Right now, the priority should be closing the JavaScript attack vector by patching browsers.

Even if you don’t have the microcode updates to more completely mitigate Spectre, the browser vendors have made some changes that make it more difficult to exploit Spectre by removing things that a JavaScript attack would need, such as very precise timers ” .

Free Internet Security - WOT Web of Trust       Use OpenDNS       MalwareBytes Anti-Malware


Windows 7 Pro SP1 (64-bit), avast! v17 Free, MBAM3 Pro, Windows Firewall, OpenDNS Family Shield, SpywareBlaster, MVPS HOSTS file, MBAE Premium, MCShield, WinPatrol PLUS, SAS (on-demand scanner), Zemana AntiLogger Free, IE11 & Firefox (both using WOT [IE set to WARN, FF set to BLOCK]), uBlock Origin, CryptoPrevent.


[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

0 Kudos
ky331
Diamond

RE: Microsoft to issue emergency Windows update for processor security bugs

 

The following is from https://www.wired.com/story/meltdown-and-spectre-vulnerability-fix/ ; take it for what it's worth:

Though possible, exploiting Meltdown and especially Spectre is complicated and challenging in practice, and some attacks require physical access. For hackers, the vulnerabilities will only get tougher to exploit as more devices start to get patched. Which means that at this point, the risk to the average user is fairly low. Besides, there are easier ways—like phishing—for an attacker to try to steal your passwords or compromise your sensitive personal information.

Free Internet Security - WOT Web of Trust       Use OpenDNS       MalwareBytes Anti-Malware


Windows 7 Pro SP1 (64-bit), avast! v17 Free, MBAM3 Pro, Windows Firewall, OpenDNS Family Shield, SpywareBlaster, MVPS HOSTS file, MBAE Premium, MCShield, WinPatrol PLUS, SAS (on-demand scanner), Zemana AntiLogger Free, IE11 & Firefox (both using WOT [IE set to WARN, FF set to BLOCK]), uBlock Origin, CryptoPrevent.


[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

0 Kudos