Windows security updates against Intel silicon vulnerabilities (March 2, 2023)

On March 2, 2023, Microsoft released special updates for Windows versions still in support. These are supposed to fix vulnerabilities (Speculative Execution Control and side-channel attacks) in Intel's CPUs. These vulnerabilities in Intel processors have been known since last summer. The special updates are only available for manual download from the Microsoft Update Catalog.



Intel discloses vulnerabilities 2022

On June 14, 2022, Intel disclosed a number of vulnerabilities in its document Processor MMIO Stale Data Vulnerabilities. These are memory-mapped I/O (MMIO) vulnerabilities that can expose data. The sequences of operations needed to expose data range from simple to very complex, Intel writes. Here is the list of vulnerabilities addressed by Intel:

  • CVE-2022-21123 – Shared Buffer Data Read (SBDR)
  • CVE-2022-21125 – Shared Buffer Data Sampling (SBDS)
  • CVE-2022-21127 – Special Register Buffer Data Sampling Update (SRBDS Update)
  • CVE-2022-21166 – Device Register Partial Write (DRPW)

Since most vulnerabilities require the attacker to have access to MMIO, many environments are not affected. System environments with virtualization where MMIO access is granted to untrusted guests may need to be mitigated, Intel says, and Intel® Software Guard Extensions (Intel® SGX) must be patched accordingly.

The whole thing doesn't sound particularly dramatic, but these vulnerabilities can transfer stale data into core fill buffers, from which an attack can subsequently derive the data. The fix is a combination of microcode updates and software changes, depending on the platform and usage model. Some of these remedies are similar to those used to mitigate Microarchitectural Data Sampling (MDS) or Special Register Buffer Data Sampling (SRBDS).

Microsoft offers updates

As of March 2, 2023, Microsoft has released KB4073119: Windows client guidance for IT Pros to protect against silicon-based microarchitectural and speculative execution side-channel vulnerabilities with information about an unscheduled update. The update is available for the following platforms:

  • Windows 7 Enterprise ESU
  • Windows 7 Professional ESU
  • Windows 7 Ultimate ESU
  • Windows 8.1
  • Windows RT 8.1
  • Windows 10 Home / Pro, Enterprise / Education, IoT, Version 20H2 – 22H2
  • Windows 11

and is supposed to provide protection against vulnerabilities in the Intel silicon microarchitecture and speculative side-channel attacks. The colleagues from Bleeping Computer have compiled the following list of updates (I've added the update for Windows 10 RTM).



All updates are only available in the Microsoft Update Catalog and have to be downloaded and installed separately. Currently, it is unclear to me whether one should really install these special updates. The usability is limited and in the past there were performance losses with such patches. In any case, you should read the linked descriptions from Intel and Microsoft before rolling out the updates.



2 Responses to Windows security updates against Intel silicon vulnerabilities (March 2, 2023)

  1. Jonathan Seymour says:

    The updates for Server 2016 and 2019 are also available for the Windows 10 LTSB/C builds with the same kernel version

  2. EP says:

    missed one update, guenni

    KB5019179 – Windows 10 LTSB 2015 version 1507
    https://support.microsoft.com/help/5019179
