Microsoft shipped emergency updates earlier today to address the Meltdown and Spectre security vulnerabilities in chips manufactured by Intel, AMD, and ARM, and now the company returns with more information on the mitigation changes implemented in Edge browser and Internet Explorer 11.

The software giant says the found vulnerabilities can be exploited with what it calls “speculative execution side-channel attacks,” explaining that JavaScript code running in the browser can eventually give malicious actors the power to steal passwords and other sensitive data.

“As part of these updates, we are making changes to the behavior of supported versions of Microsoft Edge and Internet Explorer 11 to mitigate the ability to successfully read memory through this new class of side-channel attacks,” Microsoft says.

While Microsoft Edge is only available on Windows 10, these changes are also shipped to Windows 8.1 and Windows 7 as part of the Internet Explorer 11 update, though updates need to be manually downloaded.

Tweaks for Microsoft Edge and Internet Explorer 11

The company says that one of the measures to prevent attacks is by removing support for the SharedArrayBuffer generic binary data buffer system from Microsoft Edge. This feature was added to Windows 10 with the Fall Creators Update, but this update removes it at least until a security patch from Intel addresses the vulnerability.

Then, the company is reducing the resolution of performance.now() in Microsoft Edge and Internet Explorer from 5 microseconds to 20 microseconds, which should make it more difficult to access the content of the CPU cache from a browser.

“We will continue to evaluate the impact of the CPU vulnerabilities published today, and introduce additional mitigations accordingly in future servicing releases. We will re-evaluate SharedArrayBuffer for a future release once we are confident it cannot be used as part of a successful attack,” Microsoft says.

In the meantime, Microsoft recommends all users to deploy today’s security updates and expect a busy Patch Tuesday next week when everyone’s supposed to receive fixes for the found vulnerabilities.

LEAVE A REPLY