Microsoft details efforts to protect Edge and IE from Meltdown and Spectre

The tech world has been abuzz with news of a new set of critical exploits, dubbed Meltdown and Spectre, that, between them, impact nearly every modern processor in some manner. Following the disclosure of the exploits, Microsoft was quick to launch an emergency patch for Windows users and its cloud services. Now, Microsoft has explained how it has also worked to counter this class of attacks in Internet Explorer and Microsoft Edge.

The vulnerabilities, Microsoft says, can be exploited by techniques known as speculative execution side-channel attacks. Through these techniques, attackers can use JavaScript code in a browser to potentially read memory on a user's machine. To mitigate the attacks in its browsers, Microsoft has made a couple of changes to both Edge and Internet Explorer:

Initially, we are removing support for SharedArrayBuffer from Microsoft Edge (originally introduced in the Windows 10 Fall Creators Update), and reducing the resolution of performance.now() in Microsoft Edge and Internet Explorer from 5 microseconds to 20 microseconds, with variable jitter of up to an additional 20 microseconds. These two changes substantially increase the difficulty of successfully inferring the content of the CPU cache from a browser process.

These fixes are part of security updates Microsoft has already issued in response to the exploits' disclosure. Microsoft says that it will continue to keep an eye on the impact of these vulnerabilities and launch more mitigations as it deems necessary.
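To make the timer change in the quoted statement concrete, here is an added example (not code from Microsoft or from the original article) that models a 5 microsecond clock and a 20 microsecond clock with up to 20 microseconds of jitter, then reports how far a measured short interval can drift from its true length. The clock design, the function names and the 2 microsecond interval are assumptions; `runtimeTimerReport` checks the runtime it is executed in.

```javascript
// Added illustration: a model of the timer change quoted above. The 5/20/20 µs
// figures come from the quote; the clock design, names and the 2 µs interval
// are assumptions for the demo, not Microsoft's implementation.
const OLD_RESOLUTION_US = 5;
const NEW_RESOLUTION_US = 20;
const MAX_JITTER_US = 20;

// Clock that only rounds the true time down to a multiple of resolutionUs.
function makeCoarseClock(resolutionUs) {
  return (trueUs) => Math.floor(trueUs / resolutionUs) * resolutionUs;
}

// Clock that rounds to 20 µs, adds up to 20 µs of jitter from rng(), and
// never runs backwards (a timer API has to stay monotonic).
function makeJitterClock(rng = Math.random) {
  const coarse = makeCoarseClock(NEW_RESOLUTION_US);
  let last = 0;
  return (trueUs) => {
    last = Math.max(last, coarse(trueUs) + rng() * MAX_JITTER_US);
    return last;
  };
}

// Time the same true interval from many start offsets and return the largest
// gap between the measured and the true duration.
function maxIntervalError(clock, trueDurationUs, trials) {
  let worst = 0;
  for (let i = 0; i < trials; i++) {
    const start = i * 137.3; // constructed offsets that straddle tick edges
    const t0 = clock(start);
    const t1 = clock(start + trueDurationUs);
    worst = Math.max(worst, Math.abs(t1 - t0 - trueDurationUs));
  }
  return worst;
}

// Check for the runtime this runs in: is SharedArrayBuffer exposed, and what
// is the smallest step performance.now() reports (converted from ms to µs)?
function runtimeTimerReport(samples = 20000) {
  let stepMs = Infinity;
  let prev = performance.now();
  for (let i = 0; i < samples; i++) {
    const now = performance.now();
    if (now > prev) stepMs = Math.min(stepMs, now - prev);
    prev = now;
  }
  const sharedArrayBuffer = typeof SharedArrayBuffer !== "undefined";
  return { sharedArrayBuffer, smallestStepUs: stepMs * 1000 };
}

console.log("5 µs clock, worst error:", maxIntervalError(makeCoarseClock(OLD_RESOLUTION_US), 2, 2000));
console.log("20 µs + jitter, worst error:", maxIntervalError(makeJitterClock(), 2, 2000));
console.log(runtimeTimerReport());
```

In this model the worst-case error on a single measurement stays under 5 µs with the old clock and can approach 40 µs with the new one, which is why an interval of a few microseconds can no longer be read off one timing.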

Dan Thorp-Lancaster is the Editor in Chief for Windows Central. He began working with Windows Central as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl. Got a hot tip? Send it to daniel.thorp-lancaster@futurenet.com.

27 Comments
  • Something interesting I just found out about this: Google's security group were the ones who discovered this problem. According to articles, Intel was informed of this problem on June 1, 2017. That is 180 days ago, and we just found out about it. In the past, when Google discovered a security flaw in Microsoft products, Google decided that Microsoft was not fixing problems fast enough - even when the fix was a couple days away, and so they released details of the flaw to the public. Google has had security flaws in their own products that they have refused to release patches for, leaving their own products and users vulnerable even if that version of the product was the previous point release. Why is it that Google did not release information about this flaw to push manufacturers to fix the problem? This is the usual Google trying to gain customers through sleazy tactics. Google was vulnerable, too, so they kept it quiet. But if this were a Windows only problem, you know they would have been announcing it back in June of last year. And this is why I do not trust Google with anything. They will use customers (or potential customers) as pawns, and only care about security when they can gain from it.
  • Google knows jack **** about fixing things fast than relying on others to set an example for them first so they can follow, even though they claim others have "flaws" in their eyes. Google is basically Apple light. Claim credit for the things they didn't do first. This is me saying that I am NOT a fan of Google.
  • @nohone. That's what most people don't get, and Google gets a free pass along with Apple. Apple was hit with several lawsuits in regards to the slow down and there wasn't much coverage. Now if Microsoft did anything remotely similar... you can imagine the entire technosphere would be awash with article after article lambasting Microsoft. It's been blatantly obvious Apple has been slowing down phones for years; after all, their bread and butter is phone sales.
  • @TechFreak1 "Apple was hit with several lawsuits in regards to the slow down and there wasn't much coverage" There was a lot of coverage, but it was in the "this is Apple, don't you dare accuse them of slowing things down to sell more phones" kind of way. In fact, Apple said "we would not slow down phones to push people to buy new phones" and the media went along with it, accusing those who questioned Apple of trying to destroy Apple's untarnished reputation. Meanwhile, those same sites demanded investigations into Microsoft's claim that Edge gave portable devices better battery life. After years of playing a video on repeat and using the results to promote Apple as having better battery life than their competitors, now we need a better way of gauging battery life because we can't simply accept that Apple may lose. And, of course, there were the claims that Microsoft rigged the results to make themselves look bad.
  • Microsoft probably should be slowing down phones, the 950 is a good example. I would prefer my phone be a bit slow when the battery was failing instead of being unstable. The sleazy thing about Apple was hiding it. Obviously they wanted you to buy a new phone, not just a new battery. Why else hide it?
  • @Bleached, if code is optimised there are no slowdowns required, and if the battery is failing, then get a new battery.
  • You can always count on bleached for a good bit of fiction to try to distract, to do all he/she/it can do to protect Apple while creating FUD around Microsoft. 1) The problem with Apple's device is that they used a sub-standard battery and charged a premium price for it. The battery wore out, and Apple tried to cover it up by nerfing the processor. If the phone is repeatedly crashing, then people may not buy their device again because it seems unreliable. If it is slower, then people will buy because it is expected that over time a device will slow. The Lumia 950 is a year younger than the iPhone 6, and has not had the battery degradation that the iPhone has had. 2) The Lumia 950 was well designed with a replaceable battery. If the 950 were to have battery problems, you pull off the back, pull out the old battery, put a new one in, close it up. You are done. For the Apple device, you need to schedule an appointment, go to an Apple Moron, er, I mean Genius, have some emo kid tell you if the battery qualifies for a replacement, schedule another appointment for a couple weeks, go to the Apple store again, wait in line, be told that they don't have any more batteries in stock (repeating what people have been reporting at macrumors, here), go home, schedule another appointment, go to the store, wait in line, wait an hour for the hipster to pry apart your phone, find the new battery, put it in the device, close it all up, wait for the kid to figure out how to use the register, wait for the kid to figure out how to give you the discount for the battery replacement, and then go home. I can see why you would be OK with Apple slowing your phone. I can replace the battery in my 950 in a few seconds. I know which I would prefer. Of course, it has nothing to do with what the article is about, and is one of your usual distraction methods. Getting back on track, why hasn't Apple released a fix for these security vulnerabilities on the iPhone yet? And when they do, will you be OK with the perf hit you will take then? Imagine, two levels of slow downs. You must really love and be devoted to Apple to be OK with them screwing you over that much.
  • yes but 950/950xl become epically unstable.  (although a silent slow down isn't good either). I think phones should slow down if batt gonna cause crashes but also tell customer the slow down is active and battery needs checked. Big issue is though.  MS did make batteries replaceable but MS doesn't sell replacements.  According to forums most avail in UK are not up to job and often crashes/problems continue but ones you can get from China seem a bit better at fixing the issue.  So the new battery is a lottery at best. Why the hell can't there just be an official battery supplier? You know? Whoever manufactured them in first place?  
  • Hey, we have official battery from service centre in Thailand. I contacted them, transferred the cash, and they shipped me an official battery. That's it!
    I can buy one for you but I do not know whether it is allowed to ship a battery by plane or not.
  • Yet the battery on the 950, and 950XL for that matter, are user replaceable anyway so Microsoft wouldn't need to be slowing them down.
  • “It’s been blatantly obvious that Apple has been slowing down phones for years......” Except that Apple has NOT been slowing down phones for years.   The code to do this was only released last January, and it only kicks in if the battery is failing. I realize it’s fun to create kooky conspiracy theories against Big Evil Corporations, but this one has zero basis in reality.  
  • That is not how it works. Can you imagine the chaos around the world if this was released prior to an imminent fix? It took them 180 days because it's a very complex issue. They had a release date already set; Google would have released this information next week regardless. Someone else was about to release this so they acted earlier. All the security personnel and researchers have signed an NDA. I don't like Google, however, in this case they have done nothing wrong; the blame lies squarely at the feet of Intel. It's probably a good idea to buy shares in Intel as they will bounce back in due course :)
  • @Great Deal, nohone was referring to Google's past actions when it comes to security flaws that impact Windows, as they sometimes just sit on the information and just release it, giving Microsoft zero chance to address it. In this case, there are two flaws and Intel is the loser in this scenario (along with everyone running an Intel CPU) as they have both flaws to contend with (Spectre and Meltdown) whereas AMD and ARM CPUs / SoCs have the Spectre flaw. With the Spectre flaw, it's Android that is the biggest loser as it impacts Qualcomm, MediaTek and other OEM SoCs, all of which are used in Android devices these days. Sure there are some Symbian, MeeGo, BlackBerry and WM6.x devices in the wild... but in terms of relevancy Google is the biggest loser in the mobile space. However it remains to be seen if Google once again will be given a free pass, as they have been in the past where they refused to release patches and left OEMs scrambling to create their own patches.
  • @Great Deal - that was my entire point. A few months ago there was a flaw in Microsoft software. Google reported it, and Microsoft started working on it. They wrapped up the fix, and on Friday Microsoft said they were releasing the fix on Patch Tuesday. But Google released details on how to exploit the fix that Friday because they decided that Microsoft had enough time to release the patch. I am a little fuzzy on this point, but I believe that the 90 day waiting period had not even yet ended. However, Google has had a spotty record for fixing their own flaws. For example, there was the Dirty COW bug found and reported to Google in August of 2016. It was (partially) fixed in the Linux kernel October 2016. It was later fixed by Google in December of 2016. That is 2 months later than the 90 days that Google gives Microsoft, but that is OK. It is Google, why should Google care about security of the products in current use, when they can generate FUD over a MS product? The funny thing about Dirty COW was that Linus Torvalds discovered the problem in 2005 but decided that it was too hard to cause it to happen, so he didn't do anything about it (https://lkml.org/lkml/2016/10/19/860). Then, when they finally did fix Dirty COW, the patch was bad so they had to patch it again, which then I assume Google had to patch, again. Then there was a permissions problem in Android Nougat discovered before May 2017. That flaw allowed any app on the Play store to be malware, spyware, or worse by putting up a dialog that appeared to be from the system and allowed bypassing security permissions. There was no way to protect against it. Google's solution to the problem? They told their customers to wait until August of that year when they would release Oreo. Imagine if Microsoft admitted to a security hole, but then told users to wait 3 months (and they already knew of the flaw, so add more time to that) when they could upgrade their OS to protect against apps that Google gives permissions to be on the store. And since many Android devices cannot be upgraded, there are many people with this exact flaw. So Google has one standard for Microsoft, that if Microsoft does not release a patch on Google's terms, then they will leave users vulnerable. It does not matter if Microsoft's flaw is a "complex issue" or not, they don't even care if it will be released in 3 days as part of a regular schedule. But when Google cannot exploit user's security for their own benefit, or when it is their own products, then there is another standard. And really, everything you wrote shows that Google will pick and choose which flaws they will release to exploit consumers.
  • I have held Intel for many years, but just sold. I will watch, but I am thinking this won't be a quick fix.
  • Actually, let me make a correction to the comment I wrote. I wrote "According to articles, Intel was informed of this problem on June 1, 2017." This was wrong. According to ZDNet, Google knew about it and informed Intel about it back in April, but they didn't tell Microsoft, Apple, Linux foundation, etc. about the problem until recently. In other words, Google had this to themselves for months and still have not fixed it, while Microsoft, Apple, etc. had to hurry to fix it, and still fixed it before Google did. What was Google doing not telling other companies, waiting so that they could point the finger at Microsoft/Apple to scare people towards Google products?
  • CNN said they (intel and others) knew about it for more than a year.
    Different organisations were invited to test the theory.
  • The public not knowing about these issues for months gives vendors time to fix the flaws. This is routinely done in the security communities with complex flaws.  The scary part is how long did agencies such as the NSA know about the flaw? Or is it possible it was done intentionally by design as a back door, scary thought? The bad part about governments is they keep exploits in their back pockets for times of need. Public security is the last thing on their minds. 
  • AMD does not use speculative execution and is NOT vulnerable to Meltdown.
  • They are vulnerable to Spectre, as are pretty much all mobile devices with ARM processors.
  • The Spectre flaw is going to hit Android devices the most, ouch... It's obvious that Microsoft worked in tandem with the information release, so they must have known for a while now. Looks like I will be using Edge for a while until Firefox addresses this as well, as the very nature of the Spectre flaw makes it hard to mitigate, but it doesn't mean steps cannot be taken through software patches.
  • And Google is staying quiet with products such as Google Home, Chromecast, Google Wifi, etc. stating simply "no additional user action needed" with those products. Does that mean they do not have the flaw, or does it mean that "not enough people use them so we don't care if they are vulnerable"?
  • Personally, the way I see it, it's double speak: they will either fix it when they want through "firmware optimisations" or use it themselves to syphon more user data, thus circumventing the very regulations in place to 'safeguard' user privacy and security. Because this impacts so many permutations and configurations of devices running Android, it's either a simple case of resource economics or something dark, maligned and nefarious, as after all they are information hungry. If they weren't, then why would they release an AI for "free" that can map your genome?
  • According to https://spectreattack.com/ which appears to be similar to https://meltdownattack.com/, "Meltdown" and "Spectre" were independently discovered by members of Google Project Zero and academics groups/security analysts/etc. These links have links to academic papers describing the problems. However, the papers do not contain information about where/when they have been/are to be published -- it is possible that the papers were published in the links the last couple of days. "Independence" in discovery doesn't mean that a problem was discovered at the same time. It is also possible that, e.g., Google has held back the information from competitors while the researchers from academia have shared the information with Google's competitors. Total independence sounds like an unlikely coincidence, though. It is possible that some of these people have speculated on the possibility at some scientific meeting, and then independently gone home to test out the possibilities.
  • Is this update only for Win 10?  I haven't received any patches for a laptop running Win 7.
  • Is this update only for Win 10?  I haven't received any patches for a laptop running Win 7 or a tablet and phone running 8.1.
  • It will come on the next Patch Tuesday for Windows 7 and 8.1 desktop.    I doubt the phone will get patched, since there are probably only a few hundred active 8.1 phones still in use, and 8.1 Phone has been dead for years.