Office 365 - Meltdown and Spectre CPU bugs

%3CLINGO-SUB%20id%3D%22lingo-sub-141735%22%20slang%3D%22en-US%22%3EOffice%20365%20-%20Meltdown%20and%20Spectre%20CPU%20bugs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-141735%22%20slang%3D%22en-US%22%3E%3CP%3ENo%20not%20the%20next%20Bond%20film%2C%20posted%20to%20the%20Office%20365%20Message%20center%26nbsp%3Btoday%20%22%3CA%20href%3D%22https%3A%2F%2Fportal.office.com%2FAdminPortal%2Fhome%3Fswitchtomodern%3Dtrue%23%2FMessageCenter%3Fid%3DMC126594%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EInformation%20about%20Today's%20Announced%20Hardware%20Vulnerability%3C%2FA%3E%22%20are%20details%20about%20the%20high%20profile%20hardware%26nbsp%3Bvulnerabilities%20named%20Meltdown%20and%20Spectre%20using%20speculative%20execution%20side-channel%20attacks%2C%20which%26nbsp%3Baffects%20all%20modern%20processors.%20Also%20there%20is%20a%20public%20web%20page%20with%20the%20same%20information%20-%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4073235%2Fcloud-protections-speculative-execution-side-channel-vulnerabilities%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMicrosoft%20Cloud%20Protections%20Against%20Speculative%20Execution%20Side-Channel%20Vulnerabilities%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMicrosoft%20has%26nbsp%3Breassured%20customers%20that%20there%20is%20no%20indication%20that%20Office%20365%20has%20been%20affected%20and%20have%20mitigations%20in-place%20to%20protect%20customers%2C%20as%20well%20as%20detection%20capabilities%20to%20intercept%20these%20attacks.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20fixes%20that%20mitigate%20this%20problem%20from%20being%20exploited%20are%20thought%20to%20have%20a%20sizable%20hit%20on%20performance%20but%20it%20seems%20Microsoft%20has%26nbsp%3Bdone%20this%20in%20a%20way%20that%20that%20shouldn't%20be%20noticeable%20based%20on%20the%20corresponding%20%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fblog%2Fsecuring-azure-customers-from-cpu-vulnerability%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%3C%2FA%3E%20information%20-%20Microsoft%20%22are%20not%20seeing%20noticeable%20performance%20impact%20after%20the%20fix%20has%20been%20applied%22.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThere%20are%20lots%20of%20details%2C%20for%20anyone%20wanting%20to%20read%20up%20on%20this%20issue%2C%20in%20Microsoft's%26nbsp%3BSecurity%20Advisory%20-%20%3CA%20href%3D%22https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-US%2Fsecurity-guidance%2Fadvisory%2FADV180002%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EGuidance%20to%20mitigate%20speculative%20execution%20side-channel%20vulnerabilities%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%22%3CEM%3ESpeculative%20execution%20side-channel%20vulnerabilities%20can%20be%20used%20to%20read%20the%20content%20of%20memory%20across%20a%20trusted%20boundary%20and%20can%20%3C%2FEM%3Etherefore%3CEM%3E%20lead%20to%20information%20disclosure.%20There%20are%20multiple%20vectors%20by%20which%20an%20attacker%20could%20trigger%20the%20vulnerabilities%20depending%20on%20the%20configured%20environment.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3EMicrosoft%20has%20been%20working%20with%20hardware%20and%20software%20makers%20to%20jointly%20develop%20mitigations%20to%20protect%20customers%20across%20Microsoft%E2%80%99s%20products%20and%20services.%20These%20mitigations%20prevent%20attackers%20from%20triggering%20a%20weakness%20in%20the%20CPU%20which%20could%20allow%20the%20contents%20of%20memory%20to%20be%20disclosed.%3C%2FEM%3E%22%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIt's%20important%20customers%20apply%20all%20available%20updates%20and%20follow%20the%20advice%20here%20to%20protect%20clients%20as%20well%20-%26nbsp%3B%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-gb%2Fhelp%2F4073119%2Fwindows-client-guidance-for-it-pros-to-protect-against-speculative-exe%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EWindows%20Client%20Guidance%20for%20IT%20Pros%20to%20protect%20against%20speculative%20execution%20side-channel%20vulnerabilities%3C%2FA%3E.%20There%20is%20also%20corresponding%20guidance%20for%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-gb%2Fhelp%2F4072698%2Fwindows-server-guidance-to-protect-against-the-speculative-execution-s%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Eservers%3C%2FA%3E%20as%20well.%26nbsp%3B%20Microsoft%20Edge%20and%20IE%20are%20affected%20and%20details%20on%20the%20fix%20are%20%3CA%20href%3D%22https%3A%2F%2Fblogs.windows.com%2Fmsedgedev%2F2018%2F01%2F03%2Fspeculative-execution-mitigations-microsoft-edge-internet-explorer%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-141735%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EChange%20Alerts%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Trusted Contributor

No not the next Bond film, posted to the Office 365 Message center today "Information about Today's Announced Hardware Vulnerability" are details about the high profile hardware vulnerabilities named Meltdown and Spectre using speculative execution side-channel attacks, which affects all modern processors. Also there is a public web page with the same information - Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities.

 

Microsoft has reassured customers that there is no indication that Office 365 has been affected and have mitigations in-place to protect customers, as well as detection capabilities to intercept these attacks.  

 

The fixes that mitigate this problem from being exploited are thought to have a sizable hit on performance but it seems Microsoft has done this in a way that that shouldn't be noticeable based on the corresponding Azure information - Microsoft "are not seeing noticeable performance impact after the fix has been applied".

 

There are lots of details, for anyone wanting to read up on this issue, in Microsoft's Security Advisory - Guidance to mitigate speculative execution side-channel vulnerabilities.

 

"Speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and can therefore lead to information disclosure. There are multiple vectors by which an attacker could trigger the vulnerabilities depending on the configured environment.

 

Microsoft has been working with hardware and software makers to jointly develop mitigations to protect customers across Microsoft’s products and services. These mitigations prevent attackers from triggering a weakness in the CPU which could allow the contents of memory to be disclosed."

 

It's important customers apply all available updates and follow the advice here to protect clients as well -  Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabil.... There is also corresponding guidance for servers as well.  Microsoft Edge and IE are affected and details on the fix are here.

0 Replies