4.7 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:C/I:N/A:N
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.003 Low
EPSS
Percentile
65.8%
On January 3, 2018, Microsoft released an advisory and security updates related to a newly discovered class of hardware vulnerabilities (known as Spectre and Meltdown) involving speculative execution side channels that affect AMD, ARM, and Intel CPUs to varying degrees. On May 21, 2018, Intel announced the Rogue System Registry Read vulnerability and assigned CVE-2018-3640.
An attacker who has successfully exploited this vulnerability could then bypass Kernel Address Space Layout Randomization (KASLR) protections. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The mitigation for this vulnerability is exclusively through a microcode/firmware update, and there is no additional Microsoft Windows operating system update.
To protect your system from this vulnerability, Microsoft recommends that you take the following actions:
See the following links for further information related to CVE-2018-3640:
1. When will the firmware updates be available?
If you have a non-Microsoft device, we suggest contacting your OEM for ths information. For Microsoft devices, we will amend this advisory when microcode/firmware updates become available. Additionally, we will notify customers via security notification service email. To sign up for this notification email see Microsoft Technical Security Notifications.
2. Will there be updates for Windows operating systems?
There is no software mitigation needed. The mitigation for this issue is exclusively a processor microcode/firmware update. Affected users should contact their hardware vendor for these updates.
3. Where can I find information regarding the Speculative Store Bypass (SSB) vulnerability CVE-2018-3639?
For information about CVE-2018-3639, see ADV180012 | Microsoft Guidance for Speculative Store Bypass.
4. Where can I finder further information on Microsoft guidance for Spectre and Meltdown vulnerabilities?
See ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities.
4.7 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:C/I:N/A:N
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.003 Low
EPSS
Percentile
65.8%