A critical flaw was found in all Intel processors launched in the past decade. The vulnerability can allow an attacker to gain access to protected kernel memory. This chip-level security flaw cannot be fixed with a CPU microcode (software) update. Instead, it requires modification of the OS kernel.
Here are some details.
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre. Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.
Refer to these web sites:
Patches have already been released for Linux and macOS. To resolve the issue, Microsoft has released the following patches for Windows 10:
- KB4056892 (OS Build 16299.192)
- KB4056891 (OS Build 15063.850)
- KB4056890 (OS Build 14393.2007)
- KB4056888 (OS Build 10586.1356)
- KB4056893 (OS Build 10240.17738)
The updates can be downloaded from the Windows Update catalog. For example, use the following link to download the KB4056892 package:
Download 2018-01 Cumulative Update for Windows 10 Version 1709
Microsoft made the following statement:
"We're aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM, and AMD. We have not received any information to indicate that these vulnerabilities had been used to attack our customers."
An unfortunate consequence of this security vulnerability is that its patches are expected to slow down all devices anywhere between 5 to 30 percent depending on the processor and software being used. Even ARM and AMD CPUs may get performance degradation due to fundamental changes in how the OS kernel works with memory. According to Intel, processors with PCID / ASID (Skylake or newer) will have less performance degradation.
Security fixes for Windows 7 and Windows 8.1 are expected to be released soon.
Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options:
4 thoughts on “Microsoft is rolling out emergency fix for Meltdown and Spectre CPU flaws”
Thanks Sergey! Much appreciated! Updating now.
You’re most welcome.
Today is the day windows update gets disabled.
Sorry but the possibility of a hack does not outweigh the certainty of performance loss, especially someone doing heavy VM development.
Class action against Intel? What the hell are they going to do with laptop CPU’s then? Do we send them in and get new chips soldered in? What about bios firmware which might not be compatible? This is such a mess it’s never going to get fixed, we’re all just [censored]ed.
And that [censored] CEO cashed out nicely just before this happened. Would be nice if his ass got jailed to oblivion for OBVIOUS insider trading, but of course that won’t happen.
On the pages linked above it states “Due to an issue with some versions of Anti-Virus software, this fix is only being made applicable to the machines where the Anti virus ISV have updated the ALLOW REGKEY.” If you’re wanting to disable this update from auto installing without disabling Windows updates altogether, deleting that key might be an option.