Security updates likely coming next Patch Tuesday

Jun 14, 2018 05:57 GMT

Intel has just confirmed another vulnerability in its chips, this time called Lazy FP State Restore, and vendors are now rushing to release security updates in order to keep customers protected.

Microsoft is one of the companies that offered guidance for Lazy FP State Restore, explaining in an advisory that security updates are already in the works and they should be released soon.

By the looks of things, Microsoft won’t roll out the new patches as soon as they’re ready, but will instead wait for the next Patch Tuesday cycle to ship the updates. As per Microsoft’s typical schedule, the next Patch Tuesday is scheduled for July 10.

All Intel chips affected

The Redmond-based software giant says that Lazy restore is enabled by default in Windows and cannot be disabled, adding that virtual machines, the kernel, and processes are affected by the vulnerability. On the other hand, customers running virtual machines in Azure are fully secure.

“An attacker, via a local process, could cause information stored in FP (Floating Point), MMX, and SSE register state to be disclosed across security boundaries on Intel Core family CPUs through speculative execution,” Microsoft explains in its advisory.

“An attacker must be able to execute code locally on a system in order to exploit this vulnerability, similar to the other speculative execution vulnerabilities. The information that could be disclosed in the register state depends on the code executing on a system and whether any code stores sensitive information in FP register state.”

For now, it appears that exploiting this newly-found vulnerability isn’t as easy as it was in the case of previous speculative execution bugs, and carrying out attacks from a browser isn’t possible. This means that even if updates aren’t available at this point, customers are still secure, though it goes without saying that the sooner they land, the better for everyone.

All Intel processors are affected by the security flaw, and regardless of the platform, security updates are required to block a potential exploit.