Microsoft Releases Intel Microcode Patches for Foreshadow Flaws
23.8.18 securityweek
Vulnerability

Microsoft this week made available another round of microcode updates created by Intel for mitigating the recently disclosed speculative execution vulnerabilities tracked as Foreshadow and L1 Terminal Fault (L1TF).

The Foreshadow/L1TF vulnerabilities are CVE-2018-3615, which impacts Intel's Software Guard Extensions (SGX); CVE-2018-3620, which impacts operating systems and System Management Mode (SMM); and CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).

A piece of malware installed on a vulnerable system can exploit the flaws to gain access to potentially sensitive data stored in supposedly protected memory. The security holes affect Intel's Xeon and Core processors.

Intel and other major tech firms have released mitigations which, in combination with the patches released previously for Meltdown, Spectre and other speculative execution vulnerabilities, should prevent attacks.

Microsoft this week released five new updates: KB4346084, KB4346085, KB4346086, KB4346087 and KB4346088. They deliver Intel's microcode patches for Windows 10 Release To Market (RTM), Windows 10 version 1709 (Fall Creators Update), Windows Server 2016 version 1709 (Server Core), Windows 10 version 1703 (Creators Update), Windows 10 version 1607 (Anniversary Update), Windows Server 2016, Windows 10 version 1803 (April 2018 Update), and Windows Server version 1803 (Server Core).

The microcode updates are for devices with Skylake, Kaby Lake and Coffee Lake processors, and they resolve Spectre Variant 3a (CVE-2018-3640), Spectre Variant 4 (CVE-2018-3639), and the Foreshadow flaws (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646).

The mitigations for the Foreshadow vulnerabilities should not have a noticeable performance impact on consumer PCs, but performance degradation may be seen on some data center workloads.

According to Microsoft, patching the Foreshadow vulnerabilities may require both software and firmware (microcode) updates, depending on how the system is configured. However, the company says most devices running Windows client operating systems will only need software updates for protection.
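As an added check that is not part of the SecurityWeek article, the PowerShell script below reports whether any of the five KB packages listed above is installed on a Windows host and, where Microsoft's SpeculationControl module is present, what the operating system reports for L1TF. The L1TF-related property names read from Get-SpeculationControlSettings are assumed from that module's output and may differ between module versions.

```powershell
# Added example, not from the article. Checks the five microcode KB packages
# named in the article and, if available, the OS-reported L1TF mitigation state.

$ForeshadowKBs = 'KB4346084', 'KB4346085', 'KB4346086', 'KB4346087', 'KB4346088'

function Get-ForeshadowMicrocodeStatus {
    # Get-HotFix reads Win32_QuickFixEngineering; match against the article's KB list.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $ForeshadowKBs -contains $_.HotFixID }

    [PSCustomObject]@{
        OSVersion   = (Get-CimInstance Win32_OperatingSystem).Version
        Processor   = (Get-CimInstance Win32_Processor | Select-Object -First 1).Name
        MicrocodeKB = if ($installed) { $installed.HotFixID -join ',' } else { 'none of the listed KBs' }
        InstalledOn = if ($installed) { $installed.InstalledOn } else { $null }
    }
}

function Get-L1TFMitigationStatus {
    # Assumption: Microsoft's SpeculationControl module (PowerShell Gallery) is
    # installed; the L1TF* and L1DFlush* property names below are assumed.
    if (-not (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue)) {
        return 'SpeculationControl module not installed (Install-Module SpeculationControl)'
    }
    $s = Get-SpeculationControlSettings
    [PSCustomObject]@{
        L1TFHardwareVulnerable    = $s.L1TFHardwareVulnerable
        L1TFWindowsSupportPresent = $s.L1TFWindowsSupportPresent
        L1TFWindowsSupportEnabled = $s.L1TFWindowsSupportEnabled
        L1DFlushSupported         = $s.L1DFlushSupported
    }
}

Get-ForeshadowMicrocodeStatus
Get-L1TFMitigationStatus
```

A host that shows one of the KBs installed but L1TFWindowsSupportEnabled as false still needs the OS-side mitigation that Microsoft describes as required alongside the microcode on some configurations.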