Microsoft has released out-of-band security updates to tackle the ‘Memory Mapped I/O Stale Data (MMIO)’ information disclosure vulnerabilities affecting Intel CPUs.
The vulnerability, initially disclosed by Intel on June 14, 2022, warned that processes running in a virtual machine could gain access to data from another virtual machine, potentially exposing sensitive information across trust boundaries. This class of vulnerabilities is monitored under four CVEs, namely:
- CVE-2022-21123 – Shared Buffer Data Read (SBDR)
- CVE-2022-21125 – Shared Buffer Data Sampling (SBDS)
- CVE-2022-21127 – Special Register Buffer Data Sampling Update (SRBDS Update)
- CVE-2022-21166 – Device Register Partial Write (DRPW)
Microsoft also released an advisory, ADV220002, detailing the scenarios that could be affected by these vulnerabilities as part of the June Patch Tuesday.
What is Microsoft doing about it?
The company stated that in shared resource environments like those in some cloud services, an attacker could improperly use the vulnerabilities to access data from another virtual machine.
On standalone systems, an attacker would require prior access or the ability to run a specifically crafted application on the targeted system to exploit the vulnerabilities. Microsoft’s advisory, however, indicates that no security updates were released, only mitigations for Windows Server 2019 and Windows Server 2022.
The company has now released a somewhat puzzling set of security updates for Windows 10, 11, and Windows Server that address the vulnerabilities.
These updates are being published as manual updates in the Microsoft Update Catalog and include
- KB5019180 – Windows 10, version 20H2, 21H2, and 22H2
- KB5019177 – Windows 11, version 21H2
- KB5019178 – Windows 11, version 22H2
- KB5019182 – Windows Server 2016
- KB5019181 – Windows Server 2019
- KB5019106 – Windows Server 2022
It is still unclear from the support bulletins whether these are new Intel microcodes or other mitigations to be applied to devices. These updates are likely being released as optional, manual updates as the mitigations for these vulnerabilities can cause performance issues, and the flaws may not be fully resolved without disabling Intel Hyper-Threading Technology (Intel HT Technology) in some scenarios.
It is essential to note that before applying these updates, it is strongly advised to carefully read both Intel’s and Microsoft’s advisories. Given the seriousness, users are strongly advised to read Intel’s and Microsoft’s advisories before applying these updates.