In the midst of a deployment of an update that seeks to help minimize impact against a publicly reported flaw in Intel, AMD, and ARM processors, Microsoft has decided to also use the instance to deploy code that mitigates attacks against Microsoft Edge and Internet Explorer 11.
The flaw was discovered and then disclosed by Google Project Zero on Wednesday.
Microsoft has issued security updates (KB4056890) with mitigations for this class of attacks. As part of these updates, we are making changes to the behavior of supported versions of Microsoft Edge and Internet Explorer 11 to mitigate the ability to successfully read memory through this new class of side-channel attacks.
Initially, we are removing support for SharedArrayBuffer from Microsoft Edge (originally introduced in the Windows 10 Fall Creators Update), and reducing the resolution of performance.now() in Microsoft Edge and Internet Explorer from 5 microseconds to 20 microseconds, with variable jitter of up to an additional 20 microseconds. These two changes substantially increase the difficulty of successfully inferring the content of the CPU cache from a browser process.
Normally, the company would wait until its scheduled Patch Tuesday, which falls on January 9, 2018 and would have been the first for the new year. However, due to this flaw and the one contained in computer CPUs, Microsoft has decided to rollout the CU ahead of time. However, this does not mean that the regularly scheduled Patch Tuesday will be cancelled for the month. Expect additional updates to be ready to deliver next week.
Looking for an awesome, no-nonsense technical conference for IT Pros, Developers, and DevOps? IT/Dev Connections kicks off in Dallas, Texas in 2018!