Microsoft Patches Windows Bug That Neutralized Spectre And Meltdown Fixes On Intel CPUs
You might not have even been aware of this, but last month's Patch Tuesday update for Windows contained a long overdue mitigation for a security flaw in Intel processors. Left upatched, the flaw essentially allows an attacker to bypass fixes that had previously been rolled out to deal with Spectre and Meltdown, the names given to serious side-channel vulnerabilities that were disclosed last year.
Security researchers at Bitdefender discovered the flaw and reported it to Intel a year ago. Even though it affected every Intel processor dating back to Ivy Bridge (introduced in 2012), and potentially earlier ones as well, Intel shrugged it off, saying it already knew about the vulnerability and was not planning to fix it.
"Bitdefender researchers worked with Intel for more than a year before public disclosure of this new attack. Bitdefender has also worked closely with Microsoft, which developed and published a patch. Other vendors in the ecosystem have also been involved," Bitdefender stated in a paper on the topic.
Bitdefender spent eight months trying to convince Intel that the flaw was serious enough to warrant a fix. Intel finally relented, saying in early April that a mitigation would come from fixes in operating systems like Windows.
"We're aware of this industry-wide issue and have been working closely with affected chip manufacturers and industry partners to develop and test mitigations to protect our customers. We released security updates in July, and customers who have Windows Update enabled and applied the security updates are protected automatically," Microsoft said.
What's at issue is a flaw in a kernel-level system instruction in 64-bit versions of Windows, called SWAPGS. According to Bitdefender, this circumvents all known mitigation techniques deployed against previous side-channel attacks on vulnerabilities in speculative execution.
"Since the attack leverages the SWAPGS instruction when engaged speculatively, applying patches for operating systems that may use SWAPGS speculatively is highly recommended," Bitdefender says.
The bottom line is this: if you are running an Intel CPU and have not yet applied the latest security updates for Windows, you should probably go ahead and do that sooner than later.