Microsoft rolls out emergency Windows patch for CPU vulnerability
By Ng Chong Seng - on 6 Jan 2018, 9:25am

Microsoft has today rolled out an emergency patch for the widely reported CPU vulnerability.

Because of the severity of the issue, KB4056892 (OS Build 16299.192) will be downloaded and installed automatically by Windows Update on Windows 10 machines (standalone package here). Windows 8 and 7 users should also be getting the fix today, but automatic patching via Windows Update will only happen on the next Patch Tuesday. (Note: Windows Insiders on the fast ring already got the patches in November.)

Bloomberg:

“We have not received any information to indicate that these vulnerabilities had been used to attack our customers,” Microsoft said. The fixes were originally planned for release on Jan. 9, but were rushed out Wednesday after the weakness was made public, according to a person familiar with the situation.

Microsoft’s Azure cloud infrastructure has also been updated to address the vulnerability. From the Azure blog:

The majority of Azure infrastructure has already been updated to address this vulnerability. Some aspects of Azure are still being updated and require a reboot of customer VMs for the security update to take effect. Many of you have received notification in recent weeks of a planned maintenance on Azure and have already rebooted your VMs to apply the fix, and no further action by you is required.

To be clear, the security vulnerabilities discovered - dubbed Meltdown and Spectre by researchers - affect nearly all modern processors. Meltdown is the easier of the two to exploit, and seems to affect only Intel processors. Patches against Meltdown are available for Linux, macOS (apparently, in 10.13.2), and now, Windows. Cloud service providers using Intel CPUs in their servers are also patching their systems. Spectre, on the other hand, is harder to exploit but also harder to fix, and it affects Intel, AMD, and ARM processors. (Yes, both computers and phones are affected.) For those interested in reading more about both attacks, check out this Google Project Zero blog entry.

(Note: Chip vendors like Intel and AMD are expected to come out with their own patches, which you'd probably get through the PC OEMs. You may also need patches or updates for your anti-virus software, browsers, etc.)

Lastly, Microsoft warns that users may see the update installation stop at 99%, as well as elevated CPU or disk utilization, if a device was reset using the Reset this PC functionality after installing KB4054022. If you face this issue, try the workaround detailed here.

Source: Microsoft (via Bloomberg, ZDNet).

First published on Jan 4, 2018.