Microsoft updating Win10 today with “special fix” for the Kernel Memory Vulnerability
I’m seeing leaks all over, but no downloads as yet.
Ina Fried at Axios reports:
Microsoft is updating Windows 10 today with a special fix for the issue and also making available updates for Windows 7 and Windows 8.
“We’re aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM, and AMD. We have not received any information to indicate that these vulnerabilities had been used to attack our customers.”
Fried also reports on the statements from Intel:
Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.
AMD:
Due to differences in AMD’s architecture, we believe there is a near zero risk to AMD processors at this time. We expect the security research to be published later today and will provide further updates at that time.
and ARM:
Arm (has) been working together with Intel and AMD to address a side-channel analysis method which exploits speculative execution techniques used in certain high-end processors, including some of our Cortex-A processors. This method requires malware running locally and could result in data being accessed from privileged memory. Please note that our Cortex-M processors, which are pervasive in low-power, connected IoT devices, are not impacted.
Let’s see what we get from Microsoft.
Important to note that there are NO KNOWN in-the-wild exploits at this point. Since this involves kernel code, a substantial amount of caution is in order.
UPDATE: Google Project Zero is laying claim to at least part of the discovery:
The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running them.
We are posting before an originally coordinated disclosure date of January 9, 2018 because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation. The full Project Zero report is forthcoming.
Google has published a detailed timeline for coverage of all of its products. Short version: Android security patches rolling out now; ChromeOS fixed in mid-December; Chrome browser fix coming Jan. 23; G Suite protected.