Spectre, Meltdown researchers unveil 7 more speculative execution attacks

Systemic analysis reveals a range of new issues and a need for new mitigations.

Spectre, Meltdown researchers unveil 7 more speculative execution attacks

Enlarge (credit: Aurich Lawson / Getty Images)

Back at the start of the year, a set of attacks that leveraged the speculative execution capabilities of modern high-performance processors was revealed. The attacks were named Meltdown and Spectre. Since then, numerous variants of these attacks have been devised. In tandem, a range of mitigation techniques has been created to enable at-risk software, operating systems, and hypervisor platforms to protect against these attacks.

A research team—including many of the original researchers behind Meltdown, Spectre, and the related Foreshadow and BranchScope attacks—has published a new paper disclosing yet more attacks in the Spectre and Meltdown families. The result? Seven new possible attacks. Some are mitigated by known mitigation techniques, but others are not. That means further work is required to safeguard vulnerable systems.

The previous investigations into these attacks has been a little ad hoc in nature; examining particular features of interest to provide, for example, a Spectre attack that can be performed remotely over a network, or Meltdown-esque attack to break into SGX enclaves. The new research is more systematic, looking at the underlying mechanisms behind both Meltdown and Spectre and running through all the different ways the speculative execution can be misdirected.

Read 14 remaining paragraphs | Comments

Microsoft Releases November 2018 Security Updates

Original release date: November 13, 2018

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.NCCIC encourag…

Original release date: November 13, 2018

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review Microsoft’s November 2018 Security Update Summary and Deployment Information and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.


Windows 10 October 2018 Update is back, this time without deleting your data

Microsoft is opening up about some of its testing procedures, too.

This message, shown during Windows upgrades, is going to be salt in the wound.

Enlarge / This message, shown during Windows upgrades, is going to be salt in the wound.

Just over a month since its initial release, Microsoft is making the Windows 10 October 2018 Update widely available today. The update was withdrawn shortly after its initial release due to the discovery of a bug causing data loss.

New Windows 10 feature updates use a staggered, ramping rollout, and this (re)release is no different. Initially, it'll be offered only to two groups of people: those who manually tell their system to check for updates (and that have no known blocking issues due to, for example, incompatible anti-virus software), and those who use the media-creation tool to download the installer. If all goes well, Microsoft will offer the update to an ever-wider range of Windows 10 users over the coming weeks.

For the sake of support windows, Microsoft is treating last month's release as if it never happened; this release will receive 30 months of support and updates, with the clock starting today. The same is true for related products; Windows Server 2019 and Windows Server, version 1809, are both effectively released today.

Read 8 remaining paragraphs | Comments

Adobe Releases Security Updates

Original release date: November 13, 2018

Adobe has released security updates to address vulnerabilities in Flash Player, Adobe Acrobat and Reader, and Adobe Photoshop CC. An attacker could exploit these vulnerabilities to obtain access to sensit…

Original release date: November 13, 2018

Adobe has released security updates to address vulnerabilities in Flash Player, Adobe Acrobat and Reader, and Adobe Photoshop CC. An attacker could exploit these vulnerabilities to obtain access to sensitive information.

NCCIC encourages users and administrators to review Adobe Security Bulletins APSB18-39, APSB18-40, and APSB18-43 and apply the necessary updates.

 


This product is provided subject to this Notification and this Privacy & Use policy.