Microsoft this week made available another round of microcode updates created by Intel for mitigating the recently disclosed speculative execution vulnerabilities tracked as Foreshadow and L1 Terminal Fault (L1TF).
The Foreshadow/L1TF vulnerabilities are CVE-2018-3615, which impacts Intel’s Software Guard Extensions (SGX); CVE-2018-3620, which impacts operating systems and System Management Mode (SMM); and CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).
A piece of malware installed on a vulnerable system can exploit the flaws to gain access to potentially sensitive data stored in supposedly protected memory. The security holes affect Intel’s Xeon and Core processors.
Intel and other major tech firms have released mitigations which, in combination with the patches released previously for Meltdown, Spectre and other speculative execution vulnerabilities, should prevent attacks.
Microsoft this week released five new updates: KB4346084, KB4346085, KB4346086, KB4346087 and KB4346088. They deliver Intel’s microcode patches for Windows 10 Release To Market (RTM), Windows 10 version 1709 (Fall Creators Update), Windows Server 2016 version 1709 (Server Core), Windows 10 Version 1703 (Creators Update), Windows 10 version 1607 (Anniversary Update), Windows Server 2016, Windows 10 version 1803 (April 2018 Update), and Windows Server version 1803 (Server Core).
The microcode updates are for devices with Skylake, Kaby Lake and Coffee Lake processors, and they resolve Spectre Variant 3a (CVE-2018-3640), Spectre Variant 4 (CVE-2018-3639), and the Foreshadow flaws (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646).
The mitigations for the Foreshadow vulnerabilities should not have a noticeable performance impact on consumer PCs, but performance degradation may be seen on some data center workloads.
According to Microsoft, patching the Foreshadow vulnerabilities may require both software and firmware (microcode) updates, depending on how the system is configured. However, the company says most devices running Windows client operating systems will only need software updates for protection.
Related: Microsoft Releases Mitigations for Spectre-Like ‘Variant 4’ Attack
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
- Apple Patches Exploited iOS Vulnerability in Old iPhones
- FBI Confirms North Korean Hackers Behind $100 Million Horizon Bridge Heist
Latest News
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
- Tenable Launches $25 Million Early-Stage Venture Fund
- 820k Impacted by Data Breach at Zacks Investment Research
- Mapping Threat Intelligence to the NIST Compliance Framework Part 2
- Hive Ransomware Operation Shut Down by Law Enforcement
- US Government Agencies Warn of Malicious Use of Remote Management Software
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
