Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.0049 ADV180002 | Vulnerability in CPU Microcode Could Allow Information Disclosure 4 January 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Microsoft Internet Explorer 11 Microsoft Edge Microsoft Windows 10 Microsoft Windows 7 Microsoft Windows 8.1 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012 Microsoft Windows Server 2012 R2 Microsoft Windows Server 2016 Publisher: Microsoft Operating System: Windows Impact/Access: Access Privileged Data -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2017-5754 CVE-2017-5753 CVE-2017-5715 Reference: ASB-2018.0002.2 ESB-2018.0048 ESB-2018.0047 ESB-2018.0046 ESB-2018.0044 ESB-2018.0042 Original Bulletin: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv180002 - --------------------------BEGIN INCLUDED TEXT-------------------- ADV180002 | Vulnerability in CPU Microcode Could Allow Information Disclosure Security Vulnerability Security Advisory Published: 01/03/2018 Executive Summary Microsoft is aware of a new publicly disclosed class of vulnerabilities referred to as "speculative execution side-channel attacks" that affect many modern processors and operating systems including Intel, AMD, and ARM. Note: this issue will affect other systems such as Android, Chrome, iOS, MacOS, so we advise customers to seek out guidance from those vendors. Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See below for more details. Microsoft has not received any information to indicate that these vulnerabilities have been used to attack customers at this time. Microsoft continues working closely with industry partners including chip makers, hardware OEMs and app vendors to protect customers. To get all available protections, hardware/firmware and software updates are required. This includes microcode from device OEMs and in some cases updates to AV software as well. This advisory addresses the following vulnerabilities: o CVE-2017-5715 - Bounds check bypass o CVE-2017-5753 - Branch target injection o CVE-2017-5754 - Rogue data cache load Recommended Actions For consumers, the best protection is to keep your computers up to date. You can do this by taking advantage of automatic update. Learn how to turn on automatic updates here. In addition to installing the January 2018 Windows security updates, you may also need to install firmware updates from your device manufacturer for increased protection. Check with your device manufacturer for relevant updates. If automatic updates are enabled, the January 2018 Windows security update will be offered to the devices running supported anti-virus (AV) applications. Updates can be installed in any order. 1. If you have automatic updating enabled and configured to provide updates for Windows, the updates are delivered to you when they are released, if your device and software are compatible. We recommend you verify these updates are installed. If automatic update is not enabled, manually check for and install the January 2018 Windows operating system security update. 2. Install applicable firmware update provided by your OEM device manufacturer. Potential performance impacts In testing Microsoft has seen some performance impact with these mitigations. For most consumer devices, the impact may not be noticeable, however, the specific impact varies by hardware generation and implementation by the chip manufacturer. Microsoft values the security of its software and services and has made the decision to implement certain mitigation strategies in an effort to better secure our products. We continue to work with hardware vendors to improve performance while maintaining a high level of security. Advisory Details Vulnerabilities Description Speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and can therefore lead to information disclosure. There are multiple vectors by which an attacker could trigger the vulnerabilities depending on the configured environment. Microsoft has been working with hardware and software makers to jointly develop mitigations to protect customers across Microsoft's products and services. These mitigations prevent attackers from triggering a weakness in the CPU which could allow the contents of memory to be disclosed. Microsoft Windows client customers In client scenarios, a malicious user mode application could be used to disclose the contents of kernel memory. Customers using Windows client operating systems including Windows 7 Service Pack 1, Windows 8.1, and Windows 10 need to apply both firmware and software updates. See Microsoft Knowledge Base Article 4073119 for additional information. Customers using Microsoft Surface and Surface Book products need to apply both firmware and software updates. Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Microsoft will continue to work closely with industry partners to improve mitigations against this class of vulnerabilities. Microsoft Windows Server customers In server scenarios, a malicious user-mode application could be used to disclose the contents of kernel memory. In other multi-tenant hosting environments, a virtual machine could read the memory of the host operating system or the memory of other guest operating systems running on the same physical machine. Customers using Windows server operating systems including Windows Server 2008 R2 Service Pack 1, Windows Server 2012 R2, and Windows Server 2016 need to apply firmware and software updates as well as configure protections. See Microsoft Knowledge Base Article 4072698 for additional information, including workarounds. Microsoft will continue to work closely with industry partners to improve mitigations against this class of vulnerabilities. Microsoft cloud customers Microsoft has already deployed mitigations across the majority of our cloud services and is accelerating efforts to complete the remainder. More information is available here. FAQ 1. What systems are at risk from this vulnerability? o Client Operating Systems Windows Windows client systems are at risk o Server Operating Systems Windows servers are at risk 2. What are the associated CVEs for these vulnerabilities? o See CVE-2017-5715 o See CVE-2017-5753 o See CVE-2017-5754 3. Have there been any active attacks detected? No. When this security advisory was issued, Microsoft had not received any information to indicate that these vulnerabilities had been used to attack customers. 4. Have these vulnerabilities been publicly disclosed? Yes. The vulnerabilities were disclosed on January 3, 2018 at https:// bugs.chromium.org/p/project-zero/issues/detail?id=1272 5. I was not offered the Windows security updates released on January 3, 2018. What should I do? To help avoid adversely affecting customer devices, the Windows security updates released on January 9th, 2018 have only been offered to devices running compatible antivirus software. Please see Microsoft Knowledge Base Article 4072699 for more information about how to get the updates. Additional suggested actions o Protect your PC We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates, and installing antivirus software. For more information, see Microsoft Safety & Security Center. o Keep Microsoft software updated Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed. Acknowledgments o Jann Horn of Google Project Zero o Paul Kocher o Moritz Lipp from Graz University of Technology o Daniel Genkin from University of Pennsylvania and University of Maryland o Daniel Gruss from Graz University of Technology o Werner Haas of Cyberus Technology GmbH o Mike Hamburg of Rambus Security Division o Stefan Mangard from Graz University of Technology o Thomas Prescher of Cyberus Technology GmbH o Michael Schwarz from Graz University of Technology o Yuval Yarom of The University of Adelaide and Data61 o Additional information on the Meltdown and Spectre attacks can be found at their respective web sites. o Anders Fogh of GDATA Advanced Analytics Exploitability Assessment The following table provides an exploitability assessment for this vulnerability at the time of original publication. Publicly Exploited Latest Software Release Older Software Release Denial of Service Disclosed No No 2 - Exploitation Less Not Applicable 2 - Exploitation Not Not Likely Less Likely Applicable Applicable o Affected Products o CVSS Score Affected Products The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see the Microsoft Support Lifecycle. Product Platform Article Download Impact Severity Supersedence Windows 10 Security Internet Version 4056891 Update Information Important 4053580 Explorer 11 1703 for 4056891 Security Disclosure 32-bit Update Systems Windows 10 Security Internet Version 4056891 Update Information Important 4053580 Explorer 11 1703 for 4056891 Security Disclosure x64-based Update Systems Windows 10 Security Internet Version 4056892 Update Information Important 4054517 Explorer 11 1709 for 4056892 Security Disclosure 32-bit Update Systems Windows 10 Security Internet Version 4056892 Update Information Important 4054517 Explorer 11 1709 for 4056892 Security Disclosure 64-based Update Systems Windows Security Internet 10 for 4056893 Update Information Important 4053581 Explorer 11 32-bit 4056893 Security Disclosure Systems Update Windows Security Internet 10 for 4056893 Update Information Important 4053581 Explorer 11 x64-based 4056893 Security Disclosure Systems Update Windows 10 Security Internet Version 4056893 Update Information Important 4053581 Explorer 11 1511 for 4056893 Security Disclosure 32-bit Update Systems Windows 10 Security Internet Version 4056893 Update Information Important 4053581 Explorer 11 1511 for 4056893 Security Disclosure x64-based Update Systems Windows 10 Security Internet Version 4056890 Update Information Important 4053579 Explorer 11 1607 for 4056890 Security Disclosure 32-bit Update Systems Windows 10 Security Internet Version 4056890 Update Information Important 4053579 Explorer 11 1607 for 4056890 Security Disclosure x64-based Update Systems Windows Security Internet Server 4056890 Update Information Important 4053579 Explorer 11 2016 4056890 Security Disclosure Update Windows 7 for IE Internet 32-bit 4056568 Cumulative Information Important 4052978 Explorer 11 Systems 4056568 IE Disclosure Service Cumulative Pack 1 Windows 7 for IE Internet x64-based 4056568 Cumulative Information Important 4052978 Explorer 11 Systems 4056568 IE Disclosure Service Cumulative Pack 1 Windows IE Internet 8.1 for 4056568 Cumulative Information Important 4052978 Explorer 11 32-bit 4056568 IE Disclosure systems Cumulative Windows IE Internet 8.1 for 4056568 Cumulative Information Important 4052978 Explorer 11 x64-based 4056568 IE Disclosure systems Cumulative Windows Server 2008 R2 IE Internet for 4056568 Cumulative Information Important 4052978 Explorer 11 x64-based 4056568 IE Disclosure Systems Cumulative Service Pack 1 Windows IE Internet Server 4056568 Cumulative Information Important 4052978 Explorer 11 2012 R2 4056568 IE Disclosure Cumulative Windows 10 Security Microsoft Version 4056891 Update Information Important 4053580 Edge 1703 for 4056891 Security Disclosure 32-bit Update Systems Windows 10 Security Microsoft Version 4056891 Update Information Important 4053580 Edge 1703 for 4056891 Security Disclosure x64-based Update Systems Windows 10 Security Microsoft Version 4056892 Update Information Important 4054517 Edge 1709 for 4056892 Security Disclosure 32-bit Update Systems Windows 10 Security Microsoft Version 4056892 Update Information Important 4054517 Edge 1709 for 4056892 Security Disclosure 64-based Update Systems Windows Security Microsoft 10 for 4056893 Update Information Important 4053581 Edge 32-bit 4056893 Security Disclosure Systems Update Windows Security Microsoft 10 for 4056893 Update Information Important 4053581 Edge x64-based 4056893 Security Disclosure Systems Update Windows 10 Security Microsoft Version 4056888 Update Information Important 4053578 Edge 1511 for 4056888 Security Disclosure 32-bit Update Systems Windows 10 Security Microsoft Version 4056888 Update Information Important 4053578 Edge 1511 for 4056888 Security Disclosure x64-based Update Systems Windows 10 Security Microsoft Version 4056890 Update Information Important 4053579 Edge 1607 for 4056890 Security Disclosure 32-bit Update Systems Windows 10 Security Microsoft Version 4056890 Update Information Important 4053579 Edge 1607 for 4056890 Security Disclosure x64-based Update Systems Windows Security Microsoft Server 4056890 Update Information Important 4053579 Edge 2016 4056890 Security Disclosure Update Windows 10 Security for 32-bit 4056893 Update Information Important 4053581 Systems 4056893 Security Disclosure Update Windows 10 Security for x64-based 4056893 Update Information Important 4053581 Systems 4056893 Security Disclosure Update Windows 10 Security Version 1511 4056888 Update Information Important 4053578 for 32-bit 4056888 Security Disclosure Systems Update Windows 10 Security Version 1511 4056888 Update Information Important 4053578 for x64-based 4056888 Security Disclosure Systems Update Windows 10 Security Version 1607 4056890 Update Information Important 4053579 for 32-bit 4056890 Security Disclosure Systems Update Windows 10 Security Version 1607 4056890 Update Information Important 4053579 for x64-based 4056890 Security Disclosure Systems Update Windows 10 Security Version 1703 4056891 Update Information Important 4053580 for 32-bit 4056891 Security Disclosure Systems Update Windows 10 Security Version 1703 4056891 Update Information Important 4053580 for x64-based 4056891 Security Disclosure Systems Update Windows 10 Security Version 1709 4056892 Update Information Important 4054517 for 32-bit 4056892 Security Disclosure Systems Update Windows 7 for Security 32-bit 4056897 Only Information Systems 4056897 Security Disclosure Important Service Pack Only 1 Windows 7 for Security x64-based 4056897 Only Information Systems 4056897 Security Disclosure Important Service Pack Only 1 Windows 8.1 Security for 32-bit 4056898 Only Information Important systems 4056898 Security Disclosure Only Windows 8.1 Security for x64-based 4056898 Only Information Important systems 4056898 Security Disclosure Only Windows Server 2008 Security R2 for 4056897 Only Information Itanium-Based 4056897 Security Disclosure Important Systems Only Service Pack 1 Windows Server 2008 Security R2 for 4056897 Only Information x64-based 4056897 Security Disclosure Important Systems Only Service Pack 1 Windows Server 2008 R2 for Security x64-based 4056897 Only Information Systems 4056897 Security Disclosure Important Service Pack Only 1 (Server Core installation) Security Windows 4056899 Only Information Important Server 2012 4056899 Security Disclosure Only Windows Security Server 2012 4056899 Only Information Important (Server Core 4056899 Security Disclosure installation) Only Windows Security Server 2012 4056898 Only Information Important R2 4056898 Security Disclosure Only Windows Security Server 2012 4056898 Only Information R2 (Server 4056898 Security Disclosure Important Core Only installation) Security Windows 4056890 Update Information Important 4053579 Server 2016 4056890 Security Disclosure Update Windows Security Server 2016 4056890 Update Information Important 4053579 (Server Core 4056890 Security Disclosure installation) Update Windows Security Server, 4056892 Update Information version 1709 4056892 Security Disclosure Important 4054517 (Server Core Update Installation) CVSS Score The following software versions or editions that are affected have been scored against this vulnerability. Please read the CVSS standards guide to fully understand how CVSS vulnerabilities are scored, and how to interpret CVSS scores. Excel Icon Download Product Platform Scores Vector Base Temporal String Environmental Windows 10 Internet Explorer 11 Internet Version 1703 0 0 Explorer 11 for 32-bit Systems Windows 10 Internet Explorer 11 Internet Version 1703 0 0 Explorer 11 for x64-based Systems Windows 10 Internet Explorer 11 Internet Version 1709 0 0 Explorer 11 for 32-bit Systems Windows 10 Internet Explorer 11 Internet Version 1709 0 0 Explorer 11 for 64-based Systems Internet Explorer 11 Internet Windows 10 Explorer 11 for 32-bit 0 0 Systems Internet Explorer 11 Internet Windows 10 Explorer 11 for x64-based 0 0 Systems Windows 10 Internet Explorer 11 Internet Version 1511 0 0 Explorer 11 for 32-bit Systems Windows 10 Internet Explorer 11 Internet Version 1511 0 0 Explorer 11 for x64-based Systems Windows 10 Internet Explorer 11 Internet Version 1607 0 0 Explorer 11 for 32-bit Systems Windows 10 Internet Explorer 11 Internet Version 1607 0 0 Explorer 11 for x64-based Systems Internet Explorer 11 Internet Windows 0 0 Explorer 11 Server 2016 Windows 7 for Internet Explorer 11 Internet 32-bit Explorer 11 Systems 0 0 Service Pack 1 Windows 7 for Internet Explorer 11 Internet x64-based Explorer 11 Systems 0 0 Service Pack 1 Internet Explorer 11 Internet Windows 8.1 Explorer 11 for 32-bit 0 0 systems Internet Explorer 11 Internet Windows 8.1 Explorer 11 for x64-based 0 0 systems Windows Server 2008 Internet Explorer 11 Internet R2 for Explorer 11 x64-based 0 0 Systems Service Pack 1 Internet Explorer 11 Internet Windows Explorer 11 Server 2012 0 0 R2 Windows 10 Microsoft Edge Microsoft Edge Version 1703 0 0 for 32-bit Systems Windows 10 Microsoft Edge Microsoft Edge Version 1703 0 0 for x64-based Systems Windows 10 Microsoft Edge Microsoft Edge Version 1709 0 0 for 32-bit Systems Windows 10 Microsoft Edge Microsoft Edge Version 1709 0 0 for 64-based Systems Windows 10 Microsoft Edge Microsoft Edge for 32-bit 0 0 Systems Windows 10 Microsoft Edge Microsoft Edge for x64-based 0 0 Systems Windows 10 Microsoft Edge Microsoft Edge Version 1511 0 0 for 32-bit Systems Windows 10 Microsoft Edge Microsoft Edge Version 1511 0 0 for x64-based Systems Windows 10 Microsoft Edge Microsoft Edge Version 1607 0 0 for 32-bit Systems Windows 10 Microsoft Edge Microsoft Edge Version 1607 0 0 for x64-based Systems Microsoft Edge Microsoft Edge Windows 0 0 Server 2016 Windows 10 for 32-bit Systems 0 0 Windows 10 for 32-bit Systems Windows 10 for x64-based Systems Windows 10 for 0 0 x64-based Systems Windows 10 Version 1511 for 32-bit Systems Windows 10 0 0 Version 1511 for 32-bit Systems Windows 10 Version 1511 for x64-based Systems Windows 10 0 0 Version 1511 for x64-based Systems Windows 10 Version 1607 for 32-bit Systems Windows 10 0 0 Version 1607 for 32-bit Systems Windows 10 Version 1607 for x64-based Systems Windows 10 0 0 Version 1607 for x64-based Systems Windows 10 Version 1703 for 32-bit Systems Windows 10 0 0 Version 1703 for 32-bit Systems Windows 10 Version 1703 for x64-based Systems Windows 10 0 0 Version 1703 for x64-based Systems Windows 10 Version 1709 for 32-bit Systems Windows 10 0 0 Version 1709 for 32-bit Systems Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for 0 0 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 0 0 7 for x64-based Systems Service Pack 1 Windows 8.1 for 32-bit systems 0 0 Windows 8.1 for 32-bit systems Windows 8.1 for x64-based systems Windows 8.1 for 0 0 x64-based systems Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 Windows Server 2008 R2 0 0 for Itanium-Based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for 0 0 x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 0 0 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Windows Server 2012 Windows 0 0 Server 2012 Windows Server 2012 (Server Core installation) Windows 0 0 Server 2012 (Server Core installation) Windows Server 2012 R2 Windows 0 0 Server 2012 R2 Windows Server 2012 R2 (Server Core installation) Windows 0 0 Server 2012 R2 (Server Core installation) Windows Server 2016 Windows 0 0 Server 2016 Windows Server 2016 (Server Core installation) Windows 0 0 Server 2016 (Server Core installation) Windows Server, version 1709 (Server Core Installation) 0 0 Windows Server, version 1709 (Server Core Installation) Mitigations Microsoft has not identified any mitigating factors for this vulnerability. Workarounds Microsoft has not identified any workarounds for this vulnerability. FAQ Acknowledgments Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See acknowledgments for more information. Disclaimer The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Revisions Version Date Description 1.0 01/03/2018 Information published. This vulnerability has no revisions. (C) 2017 Microsoft - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWk27bIx+lLeg9Ub1AQiEUxAApHA5tcwZqtWNyAcG38lQbx0KzR8uRmjf sVXQ6PICP4WJ67TOMh4vSmvy/UDciUIhm3gkIs2rlTuXgs5ATpabi6n9uV7sOlL4 Gduh+EX9uAbcsqN6sVhvtyoLAHUBxQZwsPvGnrfTdR2PlWaGdOoOXI1F+pB/tyyX tzZt5KEllV5tw1k9dgKVE/uZaGolTTsK2lhqmA63i9ejzT6PMQN8t31tbomtS+2o Zqm5TDU+jJdeyNbmHai/a/kF4KM957RvWoZYy95rwajOXsJ519x4m/artLL4/deb 17IDDrDSlid0buYqugifuDgtSPpmiEHnjMgxBokCUMszgCLakZuX/FxudmNUMYUs 97FWp7o50McgRzB/HmWTw8yFeQyP4aRRcJhevMIyrsB+dfx/qJS/1bEqCUKq/aVC iFex8zNA6pd+Pkwjw/LAdfU3xpY7XmM7qnwaXW7b6TfWBMIyso82i6cH4GprrPrJ oXMaJhEXIzVDviVMxwW10zyqsWOhVx4EIC83sME6vY8b2KLNKEbn035aE1EF9PVn 59pZ3c+GUfytqh8VtW9iipLLBxKhsa7Y2lUEZvET/VlzIGUMhIufRi27P6UeT0VD uhS7KKJp+oX13YBKvG0g5zK5t8EJ6tieCvZs0u0QVSjWIG1XUPdzuhLA9tB9spUJ VGeISycGgrE= =O8G0 -----END PGP SIGNATURE-----