January 4th, 2018 05:00

Microsoft to issue emergency Windows update for processor security bugs

Microsoft is issuing a rare out-of-band security update to supported versions of Windows today. The software update is part of a number of fixes that will protect against a newly-discovered processor bug in Intel, AMD, and ARM chipsets.

The company will issue a Windows update that will be automatically applied to Windows 10 machines at 5PM ET / 2PM PT today.

The update will also be available for older and supported versions of Windows today, but systems running operating systems like Windows 7 or Windows 8 won’t automatically be updated through Windows Update until next Tuesday.

https://www.theverge.com/2018/1/3/16846784/microsoft-processor-bug-windows-10-fix

January 4th, 2018 09:00

But be careful, some antivirus products do not take patch KB4056892 well.

Do proper testing.

Read here:

answers.microsoft.com/.../ead3f25e-6c55-4359-9cd9-5be87cbe7b4f

January 4th, 2018 14:00

From https://forums.malwarebytes.com/topic/217734-meltdown-mitigation/?tab=comments#comment-1196663

For now, users with MalwareBytes3 based software installed and registered with Windows Action Center will not be able to receive any MS updates automatically, starting with the Jan. 2018 update. You can either apply the update manually or set the Malwarebytes action center setting to "Never register Malwarebytes in Windows Action Center" so that the MS update can apply automatically.

[To] clarify what is going on for our end. Malwarebytes does not break Windows when the patch is applied. The issue we have is that the patch cannot auto apply when Malwarebytes is registered to the Action Center, this is the part that is being tested and will be updated.

January 4th, 2018 15:00

Firefox 57.0.4 is offering its own mitigation for these issues:

https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/

Fixed

"Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox."

January 4th, 2018 19:00

"The issue we have is that the patch cannot auto apply when Malwarebytes is registered to the Action Center, this is the part that is being tested and will be updated."

Malwarebytes was quick in issuing a fix with Malwarebytes Database Update 1.0.3624, that now allows MB3 to automatically download the Jan. 2018 patch.
forums.malwarebytes.com/.../

I have that database version on my Win 10 Pro MB3, but have yet to see KB4056892 installed. I do not have MB3 registered with the Windows Action Center. When I check for security updates, I am informed I am up to date. All my security updates listed in history are from 2017. I suspect that my decision to delay Win 10 updates for 4 weeks might explain this, but I thought this applied to only non-security ("feature") updates.

I am not particularly worried about getting this patch ASAP for any of my Windows versions. As I understand it, these vulnerabilities are decades old. For home users, someone would have to be a hacker logged in to your system to access your files. It seems for now like a tempest in a teapot.

January 4th, 2018 20:00

Got KB4056892 this evening when I booted my Inspiron laptop with i3-3217U CPU (Gen 3), running Win 10 Fall Creators, 64-bit. This system dates from ~2012.

Took ~30-40 min to install with restarts and reboots, but this PC isn't exactly fast. So far everything seems to be working correctly. And at first glance, it seems to be running as fast or maybe faster than before, but no hard data to back that up.

January 11th, 2018 21:00

Intel processor - does not boot after jan update

January 15th, 2018 05:00

Just wanted to append the information about these vulnerabilities from Microsoft:

These vulnerabilities are information disclosure vulnerabilities. An attacker who successfully exploited these vulnerabilities could use them to leak sensitive information that could be used for further exploitation of the system.

In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another.

In non-browsing scenarios on standalone systems, an attacker would need prior access to the system or an ability to run untrusted code on the system to leverage these vulnerabilities.

In browsing scenarios, an attacker could convince a user to visit a malicious site to leverage these vulnerabilities. An attacker could also inject malicious code into advertising networks used by trusted sites or embed malicious code on a compromised, but trusted, site.

By themselves, these vulnerabilities do not allow arbitrary code execution.

January 21st, 2018 04:00

https://blog.qualys.com/news/2018/01/18/meltdown-and-spectre-arent-business-as-usual

I'm going to highlight a few passages from the above article:

Meltdown:

Since hackers need to gain a foothold in systems before they can exploit Meltdown, it’s likely it will be part of “chained attacks,” which involve exploiting two or more vulnerabilities in sequence...

Meltdown can be extensively mitigated using KPTI (Kernel Page Table Isolation) via the OS patches provided by Microsoft, Apple and Linux OS vendors.

---------------------------------------------------

Spectre:

successfully exploiting Spectre is “very difficult” because attackers must have detailed knowledge of the victim process, meaning they’d have to know specifically which process they’re going to target...

The most likely exploit scenario in the short term for Spectre is a JavaScript type of attack, where JavaScript escapes its sandbox, and accesses forbidden memory from the browser process, allowing attackers to access to cookies and session keys...

For Spectre, patches are available via software updates for OSes and apps, and via processor microcode. Right now, the priority should be closing the JavaScript attack vector by patching browsers.

Even if you don’t have the microcode updates to more completely mitigate Spectre, the browser vendors have made some changes that make it more difficult to exploit Spectre by removing things that a JavaScript attack would need, such as very precise timers.
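
The timer-precision mitigation quoted from the Firefox 57.0.4 release notes, and the Qualys passage above about removing "very precise timers", can be observed from script. This is an added example, not part of the thread or of Mozilla's code: all function names are hypothetical, and the 1 µs tick and the step passed to `compare` are constructed values (integer microseconds, so the arithmetic is exact).

```javascript
// Constructed clock (not a real API): each read advances time by 1 µs,
// and advance(n) simulates n µs of work between reads.
function makeFakeClock() {
  let t = 0;
  return { now: () => t++, advance: (n) => { t += n; } };
}

// Wrap a clock so it only reports multiples of `step`: the
// "reduce the precision of a time source" mitigation in miniature.
function coarsen(now, step) {
  return () => Math.floor(now() / step) * step;
}

// Smallest increment the clock is ever seen to report: read it, spin
// until the value changes, and keep the minimum over many samples.
function observedResolution(now, samples = 100) {
  let smallest = Infinity;
  for (let i = 0; i < samples; i++) {
    const start = now();
    let next = now();
    while (next === start) next = now();
    smallest = Math.min(smallest, next - start);
  }
  return smallest;
}

// Time one piece of work with the given clock.
function measure(now, work) {
  const t0 = now();
  work();
  return now() - t0;
}

// Two operations costing 3 µs and 9 µs, each timed from the same starting
// point with the raw clock and with a coarsened view of an identical clock.
function compare(step) {
  const timings = {};
  for (const cost of [3, 9]) {
    const raw = makeFakeClock();
    const blurred = makeFakeClock();
    timings[cost] = {
      raw: measure(raw.now, () => raw.advance(cost)),
      coarse: measure(coarsen(blurred.now, step), () => blurred.advance(cost)),
    };
  }
  return timings;
}
```

Running `observedResolution(() => performance.now())` in a browser console reports the step that browser actually exposes, in milliseconds, which is one way to confirm a patched build has coarsened the timer.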

January 25th, 2018 06:00

The following is from https://www.wired.com/story/meltdown-and-spectre-vulnerability-fix/; take it for what it's worth:

Though possible, exploiting Meltdown and especially Spectre is complicated and challenging in practice, and some attacks require physical access. For hackers, the vulnerabilities will only get tougher to exploit as more devices start to get patched. Which means that at this point, the risk to the average user is fairly low. Besides, there are easier ways—like phishing—for an attacker to try to steal your passwords or compromise your sensitive personal information.

March 28th, 2018 05:00

It has now been revealed that the patch Microsoft issued for Meltdown in January, on Windows 7 x64 systems, inadvertently opened a new "security hole" for exploit. This hole has since been fixed via the Microsoft update issued in March.

https://www.bleepingcomputer.com/news/microsoft/meltdown-patch-opened-bigger-security-hole-on-windows-7/
