Woody Leonhard's no-bull news, tips and help for Windows, Office and more…
  • AMD Ryzen processor vulnerability

    Posted on March 13th, 2018 at 20:49 by woody

    It’s been all over the news, but I’m not yet convinced that there’s anything there, there.

    Dan Goodin at Ars Technica has a technical analysis:

    The flaws—in AMD’s EPYC, Ryzen, Ryzen Pro, and Ryzen Mobile lines of processors—require attackers to first gain administrative rights on a targeted network or computer, which is a hurdle that’s difficult but by no means impossible to clear. From there, attackers can exploit the vulnerabilities to achieve a variety of extraordinary feats that would be catastrophic for the owners’ long-term security.

    That — and the whole super-hyped marketing pitch — have given me pause.

    I like the balance from Kevin Beaumont on his personal blog:

    I would encourage security researchers not to disclose vulnerabilities like this. If you have vulnerabilities that you truly think are serious and truly want to provide information so people can protect themselves, work to get them resolved and work with the cyber security community around mitigations. The only real public exploit here at the moment is a press exploit. This situation should not be happening.

    Which is exactly why I’m not going to write anything about it for Computerworld.

  • March 2018 Patch Tuesday

    Posted on March 13th, 2018 at 12:47 by woody

    The patches are starting to appear. I’ll keep this post updated as the situation becomes more clear.

    OF COURSE We’re still at MS-DEFCON 2. You’d have to be a real glutton for punishment — and a daft one at that — to install any of these patches just yet.

    SANS Internet Storm Center has its visual analysis. There are no “critical” vulnerabilities that have been disclosed, or used in the wild.

    Martin Brinkmann has his usual in-depth look on ghacks.net. And it’s a busy Tuesday:

    Windows 7: 21 vulnerabilities of which 21 are rated important
    Windows 8.1: 20 vulnerabilities of which 20 are rated important
    Windows 10 version 1607: 29 vulnerabilities of which 29 are rated important
    Windows 10 version 1703: 28 vulnerabilities of which 28 are rated important
    Windows 10 version 1709: 24 vulnerabilities of which 24 are rated important
    Internet Explorer 11: 7 vulnerabilities, 2 critical, 5 important
    Microsoft Edge: 16 vulnerabilities, 12 critical, 4 important

    Don’t tell me how Edge is so much more secure than IE.

    @PKCano has updated the list in AKB2000003, for those of you who apply Win7 and 8.1 Security-only patches manually.

    I’ve updated the list of recently revised KB articles, KBNew. Quick check confirms that this month’s new KBs are listed there.

    The master list — the Security Update Guide — is up on the MSRC Security TechCenter blog. Looks like there are 157 separately identified patches.

    John Cable has the official Patch Tuesday announcement on the Windows blog.

    Based on our analysis of available data, we are now lifting the AV compatibility check for the March Windows security updates for supported Windows 10 devices via Windows Update.

    (Note that the antivirus check is still in effect for Win7 and 8.1.)

    Microsoft has updated its Security Advisory ADV180002 Guidance to mitigate speculative execution side-channel vulnerabilities:

    The following updates have been made:

    1. Microsoft has released security updates for Windows Server 2008 and Windows Server 2012 to provide mitigations against the vulnerabilities discussed in this advisory. See the Affected Products table for links to download and install the updates. Note that these updates are also available via Windows Update.

    2. Microsoft has also released security updates to provide additional protections for the 32-bit (x86) versions of Windows 7 and Windows 8.1. These updates are included in the March Security Only and Monthly Rollup updates. See the Affected Products table for links to download and install the updates.

    3. Updated FAQ #14 to announce that the following stand-alone updates for Windows 10 are available via the Microsoft Update Catalog. These updates include microcode updates from Intel:
       For devices running Windows 10 Version 1703, for the latest available microcode updates see Microsoft Knowledge Base Article 4091663 (https://support.microsoft.com/en-us/help/4091663).
       For devices running Windows 10 Version 1607 and Windows Server 2016, for the latest available microcode updates see Microsoft Knowledge Base Article 4091664 (https://support.microsoft.com/en-us/help/4091664).
       For devices running Windows 10, for the latest available microcode updates see Microsoft Knowledge Base Article 4091666 (https://support.microsoft.com/en-us/help/4091666).

    4. Corrected FAQ #12 to better describe what customers need to do if they have not installed the January or February 2018 Security Only updates, and they want to be protected from the vulnerabilities described in this advisory.

    These updates are currently available via the Microsoft Update Catalog for devices running Windows 10 Version 1703. For more information and the latest available microcode update for devices running Windows 10 Version 1703, see Microsoft Knowledge Base Article 4091663.

    These updates are currently available via the Microsoft Update Catalog for devices running Windows 10 Version 1607 and Windows Server 2016. For more information and the latest available microcode update for devices running Windows 10 Version 1607 or Windows Server 2016, see Microsoft Knowledge Base Article 4091664.

    These updates are currently available via the Microsoft Update Catalog for devices running Windows 10. For more information and the latest available microcode update for devices running Windows 10, see Microsoft Knowledge Base Article 4091666.

    Microsoft will make available Intel microcode updates for Windows operating systems as they become available.

    Worth noting: “Microsoft has not received any information to indicate that these vulnerabilities have been used to attack customers at this time.”

    Ed Bott’s overview is up on ZDNet:

    a variety of security updates for all supported Windows versions, as well as removing a compatibility check for antivirus software. A separate release significantly expands available microcode updates for affected Intel CPUs… includes security updates that defend against the Meltdown vulnerability on PCs running x86 versions of Windows 7 and 8.1. With those updates, all currently supported Windows releases now include defense against this vulnerability.

    Trend Micro’s ZeroDay Initiative posted its analysis:

    Microsoft released a whopping 75 security patches for March covering Internet Explorer (IE), Edge, ChakraCore, Microsoft Windows, Microsoft Office, and ASP.NET Core. Of these 75 CVEs, 14 are listed as Critical and 61 are rated Important in severity. Six of these CVEs came through the ZDI program. Two of these bugs are listed as being publicly known, but none are listed as being under active attack.

    The official Office Update page is up:

    The March 2018 Public Update releases for Office are now available! This month, there are 23 security updates and 26 non-security updates. All of the security and non-security updates are listed in KB article 4090988.

    Thx @PKCano, @sb