Protecting against the Windows Adobe Type Manager (ATM) Zero Day Vulnerabilities

=======================
Update: 15th April 2020
=======================
Microsoft have now issued updates for both of the Adobe Type Manager vulnerabilities. These updates apply to Windows 10, Windows 8.1 and Windows 7 (and their Windows Server equivalents):

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020

Please install these updates when you can. Thank you.

=====================
TL;DR
A patch for these vulnerabilities is expected at the next scheduled collection of updates to be released on the 14th of April. Until then be aware of attempts to have you open unexpected or suspicious files via clicking links on websites/within emails or opening email attachments. If you are using any version of Windows earlier than Server 2016, 2019 or Windows 10 (Version 1703 or earlier), evaluate if you wish to enable the workarounds until a patch is released. This vulnerability is of critical severity for Windows 8.1 and Windows 7; please be certain your staff are security aware and know not to open unknown or suspicious attachments/files.

A micro-patch is now available for Windows 7 and Windows 8.1 (including their Windows Server equivalents):

https://blog.0patch.com/2020/03/micropatching-unknown-0days-in-windows.html
=====================

=====================
Update: 30th March 2020
=====================
0Patch have released a micro-patch for these vulnerabilities that is free of charge during these uncertain times (some micro-patches are usually paid for services from 0Patch).

The patch works by blocking Windows from using the common code path used by Windows Explorer, Font Viewer, and applications using Windows-integrated font support to display Adobe Type 1 PostScript fonts. The micro-patch does not protect against local attacks but does block the more important remote attack vector.

The micro-patch is available for Windows versions including Windows 7 and Windows Server 2008 R2 with ESU, Windows 8.1 and Windows Server 2012, both 32-bit and 64-bit:

https://blog.0patch.com/2020/03/micropatching-unknown-0days-in-windows.html

A YouTube video of the micro-patch in action is available from the following link:

https://youtu.be/VmL-C7Tqpac

Thank you.

=====================
Update: 28th March 2020
=====================
As detailed in Microsoft’s security advisory, these zero day vulnerabilities are of critical severity for Windows 8.1 and Windows 7. Please make certain your staff/users are security aware and strongly advise them not to open unknown or suspicious attachments/files. This is particularly severe when staff/users are likely working from home at this time and the security of systems they are using may not benefit from the firewalls/IPS and proxy servers of their primary work location. Staff/users may even be using their personal laptop/desktops to access corporate data during the current COVID-19 lockdown period.

If possible, please evaluate and implement the appropriate workarounds in Microsoft’s security advisory (which mitigate the vulnerabilities but have the least impact on your day to day work/activities) while the appropriate updates are not yet available.

Thank you.

=====================
Original Post:
=====================
I hope everyone is staying safe under the current circumstances.

Yesterday Microsoft published a security advisory describing the use of vulnerabilities within the Windows Adobe Type Manager (ATM) library by attackers to run unauthorised code on victim systems.

Why should these vulnerabilities be considered important?
If an attacker can persuade you to open a document (for example, one you may have been expecting, but where the email it came in doesn’t look or sound quite right) or to click a potentially useful link, they may be successful in remotely running code of their choice on your system.

According to Kaspersky a more likely scenario would be “attackers also can exploit this vulnerability through an extension to the HTTP called Web Distributed Authoring and Versioning (WebDAV), which allows users to collaborate on a document. Microsoft suggests disabling the WebClient service, which allows you to use this feature”

https://www.kaspersky.com/blog/windows-adobe-type-manager-vulnerability/34395/

For the attack to be successful you must be using a version of Windows older than Windows Server 2016 (Version 1703 or earlier), 2019 or Windows 10 (Version 1703 or earlier). If your version of Windows is newer, then as per Microsoft’s analysis: “The possibility of remote code execution is negligible and elevation of privilege is not possible”.

How can I protect my organisation or myself from these vulnerabilities?
Until an update is made available, be aware and don’t open email attachments that look suspicious or click on links (from emails, while web browsing or via instant message clients) that you weren’t expecting or are suspicious.

If you are using an older version of Windows, consider implementing the workarounds provided by Microsoft in their advisory but please be aware of their potential impact to routine functionality before more widely enabling such workarounds:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006

Thank you and stay safe everyone both inside and outside of cyberspace.

Responding to the recent ZombieLoad 2 TSX Vulnerabilities

====================
[TL DR]
====================
These vulnerabilities can only be exploited by attackers who have already compromised a system. Practice standard security precautions and install updates from hardware vendors and for your software (links provided below) when they become available. Resolution for vendors that offer cloud computing will have a more involved decision making process to consider (see below).

Early last week, security researchers disclosed further vulnerabilities within Intel’s processors.

How severe are these vulnerabilities?
These vulnerabilities can be classed as medium severity. An attacker must already have compromised your system in order to exploit these vulnerabilities. This most recent set of vulnerabilities, collectively known as ZombieLoad 2 or Transactional Synchronization Extensions (TSX) Asynchronous Abort, affects Intel processors produced in the last approx. 2.5 years (August 2017 onwards).

For full technical details of these vulnerabilities, please see this page from Intel and this page from the security researchers. In summary these vulnerabilities according to the researchers allow “a malicious program to exploit internal CPU buffers to get hold of secrets currently processed by other running programs” leading to “these secrets such as browser history, website content, user keys, and passwords, or system-level secrets, such as disk encryption keys” being used by other running programs.

Of particular note are the performance implications for protecting virtual machines. If your organisation is running potentially untrusted code within virtual machines, protecting that environment will incur a performance penalty. You may need to carry out a risk assessment to determine whether the cost of enabling these performance-reducing mitigations is outweighed by the risk of leaving your virtual machines exposed. Nested virtual machines will be most affected by the performance penalty.

How can I protect my organisation and myself from these vulnerabilities?
These most recent vulnerabilities can be mitigated by updating the firmware of your system. This is sometimes referred to as the UEFI / BIOS of your system.

These updates will be made available separately by the manufacturer of your system (for servers, desktops and laptops) or by the motherboard manufacturer for any custom-built systems you may have. You will have to determine from the updates those vendors issue whether they are available for the products that you own.

In addition, operating system vendors and virtualisation software vendors have made patches available (links provided below).

Thank you.

====================

HP Enterprise:
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03968en_us

Fedora (referring to the Xen virtual machine; see also below):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW/

Red Hat:
https://access.redhat.com/articles/11258

https://access.redhat.com/errata/RHSA-2019:3838

https://access.redhat.com/errata/RHSA-2019:3839

https://access.redhat.com/errata/RHSA-2019:3840

https://access.redhat.com/errata/RHSA-2019:3841

https://access.redhat.com/errata/RHSA-2019:3842

https://access.redhat.com/errata/RHSA-2019:3843

https://access.redhat.com/errata/RHSA-2019:3844

SUSE:
https://www.suse.com/support/update/announcement/2019/suse-su-201914217-1/

https://www.suse.com/support/update/announcement/2019/suse-su-201914218-1/

Ubuntu:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/TAA_MCEPSC_i915

Microsoft:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-11135

Xen:
https://xenbits.xen.org/xsa/advisory-305.html

Performance impact to Xen:
https://xenbits.xen.org/xsa/advisory-297.html

VMware:
Security advisory:
https://www.vmware.com/security/advisories/VMSA-2019-0020.html

Further information:
https://kb.vmware.com/s/article/59139

VMware Performance Impact Statement addressing mitigations for Machine Check Exception on Page Size Change (MCEPSC) CVE-2018-12207:
https://kb.vmware.com/s/article/76050

Mitigating August’s Remote Desktop Services (RDS) Vulnerabilities

Earlier last week Microsoft released security updates for Remote Desktop Services (RDS).

====================
TL DR:
If you use Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, or any supported version of Windows 10, including server versions, please install the security updates for August 2019, which include fixes for these vulnerabilities: CVE-2019-1181 and CVE-2019-1182.
====================

Why should these vulnerabilities be considered important?
The following two vulnerabilities, CVE-2019-1181 and CVE-2019-1182, have received a CVSS 3 base score of 9.8 and have the potential to be used by network worms to rapidly spread without the need for assistance from computer users. There is the potential for a repeat of an attack very similar to the WannaCry ransomware outbreak of May 2017.

How can I protect my organisation or myself from these vulnerabilities?
The most effective means of defence is to install the updates released by Microsoft available via Windows Update (this link provides guidance on doing so) or manually from the above links.

While the BlueKeep vulnerability has not yet been exploited, there are indications (here and here) it may be soon. These more recent vulnerabilities will likely receive similar or more interest since they are present in more versions of Windows (8.1 and 10 alongside their Server based equivalents) than BlueKeep.

If for any reason this is not possible, the mitigations listed in this Microsoft blog post will be useful. Thank you.

Mitigating the Intel SWAPGS Vulnerability

====================
TL DR
This is a medium severity information disclosure vulnerability. An attacker must already have compromised a system to exploit it. Patches from Red Hat, Google and Microsoft are available. Apple hardware does not appear to be affected.
====================

If we look back 2 weeks we saw the disclosure of a vulnerability relating to VideoLAN VLC being performed incorrectly. This week there is an example of how responsible disclosure should be carried out, one which demonstrates that it can work very well.

Red Hat Linux, Google and Microsoft have all issued patches for a newly discovered variant of the original Spectre v1 vulnerability (initially disclosed in January 2018).

The performance impact of the updates is described in the Red Hat advisory in more detail:

====================
The fix for this CVE has shown to cause a minimal performance impact. The impact will be felt more in applications with high rates of user-kernel-user space transitions. For example, in system calls, NMIs, and kernel interrupts.

Early benchmarks for this mitigation show approximately 1% performance penalty:

https://www.phoronix.com/scan.php?page=article&item=swapgs-spectre-impact&num=1
====================

How does this vulnerability work?
When building a memory address to access, computers make use of segment registers (CS, DS, SS, ES, FS, GS). The FS and GS registers are used when the CPU is in 64-bit mode. The SWAPGS instruction is used on 64-bit entry into kernel code to swap the current user space value of GS with the value intended to be used during kernel operations. GS is used to access kernel data, but it does not validate the values it uses. There are checks during instruction execution to check if a swap to kernel mode is necessary. It is possible for the speculative execution process (attempting to look ahead to improve performance) to misjudge whether a swap is necessary, resulting in a small window of time where the wrong GS is used for memory access, leading to disclosure of privileged information.

How can I protect my organisation and myself from this vulnerability?
Earlier this week Red Hat and Google released updates to resolve this vulnerability. Microsoft issued their update silently on 9th July:

Red Hat Linux
https://access.redhat.com/articles/4329821

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=18ec54fdd6d18d92025af097cd042a75cf0ea24c

Google Chrome OS
https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1739575

Microsoft Windows
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1125
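
After installing the Linux updates linked in this post and in the ZombieLoad 2 (TSX Asynchronous Abort) post above, the kernel's own status lines show whether each mitigation is actually active. The following is an added example, not code from the original posts or from any vendor: it assumes the Linux sysfs directory `/sys/devices/system/cpu/vulnerabilities/` and the status wording used by mainline kernels, and the sample lines and function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed interface: one text line per issue under this sysfs directory. */
#define SYSFS_DIR "/sys/devices/system/cpu/vulnerabilities/"

enum vuln_state { ST_UNKNOWN, ST_NOT_AFFECTED, ST_MITIGATED, ST_VULNERABLE };

struct verdict {
    enum vuln_state state;
    int needs_microcode; /* kernel patched, but firmware/microcode is too old */
    int smt_exposed;     /* sibling hyper-threads remain a leak path */
    int swapgs_fenced;   /* spectre_v1 line reports active swapgs barriers */
};

static int starts_with(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Turn one status line into a verdict a patch-compliance check can act on. */
static struct verdict classify(const char *line)
{
    struct verdict v = { ST_UNKNOWN, 0, 0, 0 };

    if (starts_with(line, "Not affected"))
        v.state = ST_NOT_AFFECTED;
    else if (starts_with(line, "Mitigation:"))
        v.state = ST_MITIGATED;
    else if (starts_with(line, "Vulnerable"))
        v.state = ST_VULNERABLE;

    v.needs_microcode = strstr(line, "no microcode") != NULL;
    v.smt_exposed = strstr(line, "SMT vulnerable") != NULL;
    v.swapgs_fenced = strstr(line, "swapgs barriers") != NULL &&
                      strstr(line, "no swapgs barriers") == NULL;
    return v;
}

/* Read the first line of a status file. Returns -1 if it does not exist,
 * which on Linux means the running kernel predates reporting for that issue. */
static int read_status(const char *name, char *buf, size_t len)
{
    char path[256];
    FILE *f;

    snprintf(path, sizeof path, "%s%s", SYSFS_DIR, name);
    f = fopen(path, "r");
    if (!f)
        return -1;
    if (!fgets(buf, (int)len, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

static const char *state_name(enum vuln_state s)
{
    switch (s) {
    case ST_NOT_AFFECTED: return "not affected";
    case ST_MITIGATED:    return "mitigated";
    case ST_VULNERABLE:   return "VULNERABLE";
    default:              return "unrecognised";
    }
}

static void report(const char *label, const char *line)
{
    struct verdict v = classify(line);

    printf("%-16s %-13s%s%s%s\n", label, state_name(v.state),
           v.needs_microcode ? " [update firmware/microcode]" : "",
           v.smt_exposed ? " [SMT still exposed]" : "",
           v.swapgs_fenced ? " [swapgs barriers on]" : "");
}

int main(void)
{
    /* Constructed sample lines so the example also runs off Linux. */
    const char *samples[] = {
        "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
        "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    };
    const char *files[] = { "tsx_async_abort", "spectre_v1" };
    char line[256];
    size_t i;

    for (i = 0; i < 2; i++)
        report("(sample)", samples[i]);

    for (i = 0; i < 2; i++) {
        if (read_status(files[i], line, sizeof line) != 0)
            printf("%-16s no status file (kernel too old, or not Linux)\n", files[i]);
        else
            report(files[i], line);
    }
    return 0;
}
```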

Thank you.

Microsoft re-issues warning to patch BlueKeep Vulnerability

====================
Update: 12th November 2019
====================
Exploitation of the BlueKeep vulnerability has recently begun. Please make certain your systems are updated. More details are available in my follow up post.

Thank you.

=======================
Update: 11th September 2019
=======================
Late last week Metasploit released a public exploit for the BlueKeep vulnerability. While this is a significant development in easing its use for a more widespread audience it was deliberately created with a safeguard of “The exploit does not currently support automatic targeting; it requires the user to manually specify target details before it will attempt further exploitation”

This means that the exploit cannot propagate on a large scale upon successfully exploiting a system within a wider network. The exploit was only created with the intention of identifying the affected operating system and whether that system is likely to be vulnerable.

How can I protect my organisation or myself from this vulnerability?
The BinaryEdge team is currently detecting more than 1 million un-patched systems on the internet. As per previous advice below, please make certain your Windows based servers and client/workstation systems are up to date (download links are provided in the original post below).

Thank you.

=======================
Update: 19th August 2019
=======================
In late July the Watchbog malware incorporated a scanning module to detect the presence of the BlueKeep vulnerability. In addition, an exploit for the vulnerability was added to a high value commercial penetration (pen) testing tool.

These indications continue to keep BlueKeep in the spotlight and emphasise the need to patch or mitigate it as soon as possible. Advice for scanning a corporate network for the presence of this vulnerability is available from this SANS forum thread.

Thank you.

=======================
Update: 30th June 2019
=======================
A Microsoft employee (Raviv Tamir, Group Program Manager, Microsoft Threat Protection) has provided an update on the global status of patching the BlueKeep vulnerability. The most recent update is from 20th June, showing 83.4% coverage; an increase from 72.4% on 5th June and 57% on May 30th.

Keep up the great work. Thank you.

=======================
Update: 21st June 2019
=======================
The current situation with the BlueKeep vulnerability continues to increase in scope with Windows 2000 and its server variants (Windows 2000 Server, Advanced Server and Datacentre Server) now confirmed as vulnerable after the Department of Homeland Security (DHS) created a working BlueKeep exploit. Given that Windows Server 2003 and XP share much of their codebase with Windows 2000, this announcement isn’t entirely surprising. Microsoft separately confirmed there are no plans to issue updates for Windows 2000.

Any business or consumer still using Windows 2000 has much more than just this vulnerability to be concerned about, given that there have been no security updates since July 2010. The advice is as always to upgrade to a supported version of Windows.

Thank you.

=======================
A BlueKeep short story:
=======================
Separately; last weekend I had the opportunity to “practice what I preach” when a friend came to me with a Windows XP laptop dating back to 2008. Surprisingly it was in almost new condition and was remarkably fast to use given its age. It had an Intel Core Solo CPU and 2 GB of RAM.

He no longer uses it online preferring an iPad Pro instead but needs to keep it online within his home network to administer his single security CCTV camera using an application (strangely the camera isn’t administered via a web browser). He had heard about BlueKeep and wondered could I patch it for him?

The laptop was connected via Ethernet to his router. I had asked him to send me a photo of the installed programs on the computer to see what I was going to deal with. I found the system had Windows XP SP3 (but no further updates), Office 2007, Adobe Reader 10 and VLC 1.1.5.

The Windows firewall was enabled and set to default settings. I verified using Nmap that port 3389 and other commonly exploitable ports like 445 (SMB) and Telnet (23); weren’t open.

I installed almost 150 updates for Windows XP using Microsoft Update (http://update.microsoft.com), installed SP3 for Office 2007 and a further 37 updates for it after SP3.

Next, I installed Adobe Reader 11.0.10 and VLC 3.0.7.1. I also installed the 13 updates from Microsoft for Windows XP in 2017 (resolving DoublePulsar and EternalBlue; among others) and finally the BlueKeep security update. In less than 2 hours of me just reviewing the results of update checks and some very quick update installs his system was patched and continued to work perfectly.

From past experience of manually removing malware from really old systems this laptop was far better than expected. All of the updates installed quickly and with no errors. I estimate more than 1000 CVEs were resolved by the updates I installed.

He easily committed to continue not using it for website or email access since his iPad Pro fulfills that role and is faster. He was impressed that the laptop continues to work perfectly despite the vast number of updates it received.

Finally; yes I realize I should suggest upgrading from Windows XP but he doesn’t use the system for online use; just inside his network. His router is adequately protecting his network with its settings and most recent firmware updates installed. Given this use case and surrounding infrastructure; I see the risk as minimal. Plus he also told me the system doesn’t have important data on it; he just wanted it patched in order to keep using it uninterrupted.

A really good outcome; case closed 😊

=======================
Update: 12th June 2019
=======================
TL DR:
Install the RDP patch (links below) if you have not already done so. Use the paid-for micropatch if you can’t take a system offline to reboot it. If you can’t do either of these follow Microsoft’s or the NSA’s advice to mitigate the vulnerability.
=======================

Microsoft on the 31st of May re-iterated its warning to patch vulnerable systems as soon as possible.

Meanwhile; multiple proof of concepts of how to exploit the vulnerability have been developed by security researchers:

This story continues with another security researcher creating a proof of concept Metasploit exploit for this vulnerability. The exploit works on Windows XP, Windows 7, Server 2008 and Server 2008 R2. Windows Server 2003 has the RDP vulnerability but the vulnerability couldn’t be exploited.

The NSA have since issued an advisory in addition to the two notifications from Microsoft linked to above.

For systems which cannot spare the down-time needed to reboot after installing the Microsoft patch, a micropatch from 0Patch is available for their Pro version subscribers:

As a proof of concept of how long it may take to patch a system; I used a VMware snapshot taken from a test Windows XP SP3 system I used back in 2012. The installation had no updates apart from SP3. After 40 minutes; all missing patches (2008 – 2014), the updates from 2017 (resolving EternalBlue; amongst others) and this year’s RDP update were installed. Patching the RDP vulnerability took less than a minute (including the restart and start-up of the system).

I repeated the above using the Automatic Updates feature of Windows XP. I was able to fully patch the system in 30 minutes.

Systems which are better maintained than this would easily take less time (even if patched manually like I did); especially if tools such as WSUS or SCCM are used where a vast number of systems can be patched very quickly.

Thank you.

=======================
Original Post: 4th June
=======================
Earlier this month Microsoft issued an update to resolve a critical vulnerability in Remote Desktop Services making use of the RDP protocol, port 3389.

TL DR: If you use Windows 7, Windows Server 2008 R2 or Windows Server 2008, if you have not done so already, please install this update. For Windows XP (all versions), Server 2003 (all versions) and Windows Vista; the necessary updates are available here.

Why should this vulnerability be considered important?
As Microsoft reminded us when issuing the patch; this vulnerability requires no authentication or user interaction. It has the potential to spread just like the WannaCry and NotPetya infections did in 2017. Windows 8.1 and Windows 10 (and their Server equivalents) are NOT vulnerable.

Robert Graham from Errata Security on the 28th of May issued a report of the scan results from a widespread scan of the internet. He found approximately 950,000 vulnerable systems.

How can I protect my organisation or myself from this vulnerability?
The easiest method is to install the update available from Microsoft.

For Windows Server 2003, Windows XP and Windows Vista; the update must be manually downloaded and installed from this link below, since this update was not made available by the previous automatic mechanisms these versions of Windows had, namely Microsoft Update, Automatic Updates and Windows Update.

If you cannot install this security update; you can protect from this vulnerability by following the Workarounds listed in this link. Further explanation from Microsoft is also available from this link.

Microsoft on the 30th and 31st of May re-iterated its warning to patch vulnerable systems as soon as possible. Meanwhile; proof of concepts of how to exploit the vulnerability have been developed by at least 3 security researchers.

Thank you.

Responding to the Intel Spoiler Vulnerability

====================
Updated: 20th March 2019
====================
TL DR:
The Intel Spoiler vulnerability is not as bad as predicted. Software developers should continue to use safer code development practices.

====================
After the disclosure earlier this month of this vulnerability Intel have provided further information on how it affects their microprocessors. They have clarified that the Spoiler exploit by itself does not reveal secret data and is not a speculative execution side channel method:

Other good news is that existing mitigations such as KPTI (kernel page table isolation) reduce the risk of leaking data across privilege levels. They again confirmed that side channel safe software development practices such as “ensuring execution time and control flows are identical regardless of secret data” will mitigate classic side channel methods enabled by the Spoiler exploit. Furthermore, they confirmed memory modules which are already mitigated against Rowhammer attacks remain protected against the Spoiler exploit.

Lastly AMD provided formal confirmation that their microprocessors are not vulnerable after preliminary findings suggested they weren’t vulnerable. AMD’s statement is available from this link.

Thank you.

====================
Original Post:
====================
Earlier this month a new vulnerability was disclosed in a research paper titled “Spoiler: Speculative load hazards boost Rowhammer and cache attacks”.

TL DR: Mitigating this newly disclosed vulnerability is the job of software developers to work around using safer code development practices. Mitigating this issue in hardware will take longer since current measures cause too much of a performance penalty.

Why should this vulnerability be considered important?
Using this new method; attackers are likely to find existing cache and memory Rowhammer attacks easier to carry out. In addition, JavaScript attacks which can take long periods of time may be shortened to mere seconds. The paper contains a cache prime and probe technique to leak sensitive data using JavaScript.

This Spoiler vulnerability can be used by attackers (who MUST have already compromised your system) to extract sensitive information from the system’s memory (RAM). An attack does not require elevated privileges.

What CPUs (microprocessors / computer chips) are affected?
This vulnerability affects Intel processors only; first generation Intel Core (from early 2006) and later are affected. ARM and AMD processors are not affected. Any system with an Intel Core processor is affected regardless of the operating system it is using; Linux, Unix, Apple macOS and Windows can all be affected.

How does this vulnerability achieve the above results?
The security researchers who authored the paper found a vulnerability in the memory order buffer that can be used to gradually reveal information about the mappings of physical memory to non-privileged software processes (in other words; applications). This technique also affects virtual machine (VM) and sandboxed environments.

The technique works by understanding the relationship between virtual and physical memory by timing the speculative load and store operations to these areas while looking out for discrepancies which disclose the memory layout to you. With this information an attacker knows where to focus their efforts.

Intel’s proprietary implementation of the memory subsystem (memory disambiguation) is the root cause of the vulnerability. When a physical address conflict (the address/area is already in use) occurs, the algorithm leaks the access timings. In the researchers’ words, the algorithm works as follows: “Our algorithm, fills up the store buffer within the processors with addresses that have the same offset but they are in different virtual pages. Then, we issue a memory load that has the same offset similarly but from a different memory page and measure the time of the load. By iterating over a good number of virtual pages, the timing reveals information about the dependency resolution failures in multiple stages.”

How can this vulnerability be mitigated/patched?
This vulnerability lies within the memory disambiguation algorithm which won’t be trivial to resolve anytime soon. Since this vulnerability is not related to last year’s Spectre vulnerability; mitigations for that vulnerability don’t help here. Current Spoiler mitigations have too much of a performance penalty. At this time, Intel has issued the following statement:

“Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research.”

The side channel safe development practices are linked to below:

Software Guidance for Security Advisories

Addressing Hardware Vulnerabilities
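
Intel's advice above, “avoiding control flows that are dependent on the data of interest”, is illustrated here as an added example (not code from Intel, the researchers or the original post): an early-exit comparison whose loop count depends on the secret, beside a branch-free version that always does the same work. The secret bytes and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 16

/* Constructed 16-byte secret, for demonstration only. */
static const uint8_t SECRET[KEY_LEN] = {
    0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x48, 0xbd, 0x16,
    0x7f, 0x20, 0xc9, 0x84, 0x5e, 0xa3, 0x0b, 0xd7
};

/* Data-dependent control flow: returns at the first mismatch, so the number
 * of iterations (and the run time) tells an observer how many leading bytes
 * of the guess were correct. *steps counts the bytes examined. */
static int leaky_equal(const uint8_t *secret, const uint8_t *guess,
                       size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (secret[i] != guess[i])
            return 0;
    }
    return 1;
}

/* Side channel safe form: every byte is always examined and differences are
 * folded together with XOR/OR, so no branch depends on the secret.
 * Compilers can reintroduce branches; check the generated assembly. */
static int ct_equal(const uint8_t *secret, const uint8_t *guess,
                    size_t n, size_t *steps)
{
    uint8_t diff = 0;

    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (uint8_t)(secret[i] ^ guess[i]);
    }
    /* diff == 0 -> 1, anything else -> 0, without a conditional jump. */
    return (int)(1u & (((uint32_t)diff - 1u) >> 8));
}

/* Branch-free replacement for "bit ? a : b" when bit is secret. */
static uint32_t ct_select(uint32_t bit, uint32_t a, uint32_t b)
{
    uint32_t mask = (uint32_t)0 - (bit & 1u); /* all ones when bit == 1 */
    return (a & mask) | (b & ~mask);
}

/* Compare SECRET with a copy whose byte at `pos` is flipped
 * (pos >= KEY_LEN leaves the copy identical). */
static int compare_with_flip(int use_ct, size_t pos, size_t *steps)
{
    uint8_t guess[KEY_LEN];

    memcpy(guess, SECRET, KEY_LEN);
    if (pos < KEY_LEN)
        guess[pos] ^= 0xff;
    return use_ct ? ct_equal(SECRET, guess, KEY_LEN, steps)
                  : leaky_equal(SECRET, guess, KEY_LEN, steps);
}

static size_t steps_for_mismatch_at(int use_ct, size_t pos)
{
    size_t steps = 0;
    (void)compare_with_flip(use_ct, pos, &steps);
    return steps;
}

static int result_for_mismatch_at(int use_ct, size_t pos)
{
    size_t steps = 0;
    return compare_with_flip(use_ct, pos, &steps);
}

int main(void)
{
    size_t positions[] = { 0, 7, 15, KEY_LEN };

    printf("mismatch at   leaky steps   constant-time steps\n");
    for (size_t i = 0; i < 4; i++)
        printf("%11zu   %11zu   %19zu\n", positions[i],
               steps_for_mismatch_at(0, positions[i]),
               steps_for_mismatch_at(1, positions[i]));
    return 0;
}
```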

Thank you.

Linux and Windows Address Page Cache Vulnerabilities

In early January security researchers located further vulnerabilities in how Windows and Linux operating systems use a memory page cache.

How severe are these vulnerabilities and what is their impact?
One of the co-authors of the academic paper disclosing these vulnerabilities described the work as mostly “a matter of academic interest” meaning that attackers are less likely to take advantage of these vulnerabilities.

Local attacks:
For the localised rather than remote variant of utilizing these vulnerabilities; the attacker must already have gained access to the victim system to read the target memory page. The attacker could do this by “[having a] malicious process on the operating system or when processes run in sandboxes that have shared files”.

Other actions an attacker could potentially carry out are:

• Cloning an open window and replacing the legitimate application window
• Gathering the root (Linux) or administrator (Windows) password

Remote attack:
To exploit the vulnerabilities remotely; the researchers leveraged “timing differences between memory and disk access, measured on a remote system, as a proxy for the required local information”. This was achieved by measuring the times when soft page faults (the page is erroneously mapped, with the help of a process that runs on a remote server) occurred. The researchers were successful in sending data covertly from an unprivileged malicious process within the victim system to a remote server fulfilling the role of a web server. They used a technique from previous research namely the NetSpectre attack to distinguish cache hits and misses over a network connection. This was successful on systems with mechanical hard drives (HDDs) and solid-state disks (SSDs). SSDs were more complex since the timing differences were smaller but the researchers compensated by using larger files to distinguish between cache hits and misses.

How can I protect my organization/myself from these vulnerabilities?
Since these vulnerabilities are more academic in nature; attackers are less likely to exploit them. Linus Torvalds has explained that the code to resolve this vulnerability has been checked in and is undergoing testing before being more widely rolled out. For Windows; Build 18305 of the upcoming Windows 19H1 (otherwise known as Version 1903) due for release in April 2019 contains fixes for these vulnerabilities. It is anticipated Microsoft will back-port this patch to earlier Windows versions.

In addition; the mitigations for the Spectre vulnerabilities from last year should address the remote attack vector using the NetSpectre attack method.

Why are there so many timing attacks being disclosed lately?
Since modern systems rely on timing for almost every component, e.g. the CPU (internal caches and registers respond in nanoseconds (ns)), the memory/RAM (e.g. CAS latency), HDDs (measured in milliseconds (ms) e.g. 8.9 ms), SSDs (e.g. 0.05 ms, much faster), we are likely to continue to see further vulnerabilities disclosed as further scrutiny is applied to devices and architectures that have been in use for many years.

E.g. the affected code from Linux was timestamped in 2000 and stated that further revision should be carried out when more information was known. 19 years later we know more and are revising that code. It’s a similar situation with Windows where the revised code works to ensure low privilege processes can no longer access page cache information or shared cache information. As The Register points out; “something complex that’s just working can remain untouched for a very long time, lest someone breaks it” and is more likely to contain vulnerabilities since nobody has taken the time to look for what has been there for years.

Thank you.