CHERI Architecture: Microsoft Thinks It Could Reduce Its Patch Count

Microsoft has just completed a study of an experimental architecture that it now thinks would have mitigated about two-thirds of the memory-safety vulnerabilities it fixed in 2019. Around 70% of the bugs Microsoft fixes are memory-safety bugs, which arise when software accesses memory it should not.

The abundance of memory-safety bugs is one reason Microsoft is exploring the Rust programming language as a potential replacement for some Windows components written in C++.

Rewriting old code in another language like Rust is one option. Another option in Microsoft’s “quest to mitigate memory-corruption vulnerabilities” is CHERI or Capability Hardware Enhanced RISC (reduced instruction set computer) Instructions.

CHERI provides memory-protection features against many exploited vulnerabilities, or in other words, an architectural solution that breaks exploits.

The group assessed the “theoretical impact” of CHERI on all the memory-safety vulnerabilities that Microsoft received in 2019 and concluded that it would have “deterministically mitigated” at least two-thirds of all those issues.

Its memory-protection features allow historically memory-unsafe programming languages such as C and C++ to be adapted for protection against widely exploited vulnerabilities.
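The "deterministic" mitigation the study refers to comes from CHERI capabilities: a pointer carries the bounds and permissions of the object it was derived from, so every load and store is checked in hardware and an out-of-bounds access faults instead of corrupting a neighbour. The following C program is an added example, not code from the page, from Microsoft, or from the CHERI project; it is a deliberately simplified software model of that idea (the `capability` struct, `cap_load`, `cap_store`, `cap_restrict` and the `demo_*` functions are all hypothetical names constructed for this illustration, and the struct is not CHERI's real 128-bit encoding). It runs a classic copy loop with an off-by-N bug against a capability instead of a raw pointer and counts how many stores the bounds check refuses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical software model of a CHERI-style capability (constructed for
 * this example, not CHERI's real encoding): a pointer bundled with the
 * bounds and permissions of the object it points into. */
enum { CAP_LOAD = 1u, CAP_STORE = 2u };

typedef struct {
    uint8_t *base;    /* lowest address the capability may touch */
    size_t   length;  /* number of bytes from base that are in bounds */
    unsigned perms;   /* CAP_LOAD | CAP_STORE */
} capability;

capability cap_from_buffer(uint8_t *buf, size_t len, unsigned perms)
{
    capability c = { buf, len, perms };
    return c;
}

/* Checked load. Returns 0 on success, -1 when the access is out of bounds
 * or lacks permission. A real CHERI core raises an exception here; the bug
 * is stopped before a single byte outside the object is read. */
int cap_load(const capability *c, size_t index, uint8_t *out)
{
    if (!(c->perms & CAP_LOAD) || index >= c->length)
        return -1;
    *out = c->base[index];
    return 0;
}

/* Checked store, same contract as cap_load. */
int cap_store(const capability *c, size_t index, uint8_t value)
{
    if (!(c->perms & CAP_STORE) || index >= c->length)
        return -1;
    c->base[index] = value;
    return 0;
}

/* Monotonicity: a derived capability may shrink its bounds or drop
 * permissions, never gain them. Returns -1 if the request would widen. */
int cap_restrict(const capability *in, size_t offset, size_t length,
                 unsigned perms, capability *out)
{
    if (offset > in->length || length > in->length - offset)
        return -1;                    /* would extend past the parent */
    if (perms & ~in->perms)
        return -1;                    /* would add a permission */
    out->base   = in->base + offset;
    out->length = length;
    out->perms  = perms;
    return 0;
}

/* A copy loop with an off-by-N bug: it writes `n` bytes regardless of the
 * destination's size. With a raw pointer the excess silently lands in
 * adjacent memory; with a capability each out-of-bounds store is refused.
 * Returns the number of stores that were blocked. */
size_t buggy_copy(capability dst, const uint8_t *src, size_t n)
{
    size_t blocked = 0;
    for (size_t i = 0; i < n; i++)
        if (cap_store(&dst, i, src[i]) != 0)
            blocked++;
    return blocked;
}

/* Constructed scenario: 8-byte destination, 12 bytes of input. */
size_t demo_overflow_blocked(void)
{
    uint8_t dst[8] = {0};
    const uint8_t src[] = "ABCDEFGHIJKL";   /* 12 payload bytes */
    capability cap = cap_from_buffer(dst, sizeof dst, CAP_LOAD | CAP_STORE);
    return buggy_copy(cap, src, 12);        /* 4 stores refused */
}

/* Trying to derive a 16-byte capability from an 8-byte one must fail. */
int demo_widen_refused(void)
{
    uint8_t buf[8] = {0};
    capability whole = cap_from_buffer(buf, sizeof buf, CAP_LOAD | CAP_STORE);
    capability wider;
    return cap_restrict(&whole, 0, 16, CAP_LOAD, &wider);   /* -1 */
}

/* A read-only derivation must refuse a store. */
int demo_readonly_store_refused(void)
{
    uint8_t buf[8] = {0};
    capability whole = cap_from_buffer(buf, sizeof buf, CAP_LOAD | CAP_STORE);
    capability ro;
    if (cap_restrict(&whole, 0, sizeof buf, CAP_LOAD, &ro) != 0)
        return -2;
    return cap_store(&ro, 0, 1);                             /* -1 */
}

int main(void)
{
    printf("out-of-bounds stores blocked: %zu\n", demo_overflow_blocked());
    printf("widening refused: %d\n", demo_widen_refused());
    printf("read-only store refused: %d\n", demo_readonly_store_refused());
    return 0;
}
```

The point of the model is that the check lives in the pointer, not in the program: the copy loop is left as buggy as it was, yet the overwrite cannot reach the neighbouring bytes, which is the sense in which the study can call a bug class "deterministically mitigated" rather than merely harder to exploit.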

CHERI ISA has the potential to save Microsoft a lot of money in delivering security patches in each month’s Patch Tuesday update, which regularly exceed 100 patches a month.

With additional mitigations recommended in its research paper, Microsoft also estimates the CHERI protections could have deterministically mitigated nearly half the vulnerabilities the MSRC addressed through a security update in 2019.

Patch Tuesday Preview September 2020

There were some reported issues with the Windows 10 version 1903, 1909, and 2004 updates. Applying the updates for KB 4565351 or KB 4566782 failed for many users on automatic updates, with return codes and explanations that were not very helpful. A mitigation for these issues will be released.

Reminder for the EOL of Windows Embedded Standard 7 coming up on October Patch Tuesday. Microsoft will offer continued support for critical and important security updates just like they did for Windows 7 and Server 2008.

These updates will be available for three years through October 2023. Microsoft also provided an update on the ‘sunset’ of the legacy Edge browser in March 2021.

Microsoft 365 apps and services will no longer support IE 11 starting in August 2021. They made it clear IE 11 is not going away anytime soon, but the new Edge is required for a modern browser experience.

September 2020 Patch Tuesday forecast

  • Standard operating system updates; with the large Office and individual application updates released last month, expect a smaller and more limited set this time.
  • Servicing stack updates (SSUs) are hit or miss each month. The last required update was released in May. Expect to see a few in the mix once again.
  • Google Chrome 85 was released earlier this week, but we may see a security release if they have any last-minute fixes for us.
  • Mozilla security updates for Firefox and Thunderbird are possible. The last security release was back on August 25.

Remote security management of both company-provided and user-attached systems provides many challenges. With a projected light set of updates this month, hopefully tying up valuable bandwidth isn’t one of those challenges.