Updates published as part of the Patch Tuesday schedule

Jul 11, 2018 07:10 GMT

Microsoft has finally released security updates for the Lazy FP State Restore bug affecting processors in devices running its Windows operating system.

Revealed in mid-June, Lazy FP State Restore is a new processor vulnerability that involves a speculative execution side channel, similar to the Meltdown and Spectre hardware flaws disclosed in early January.

Microsoft announced last month that Lazy Restore was enabled by default in Windows and couldn’t be disabled by the user or the PC administrator, promising updates that would eventually resolve the flaw.

The patches are now available for all impacted Windows versions, namely Windows 10, Windows 8.1, Windows Server 2008 R2 Service Pack 1, Windows Server 2012, and Windows Server 2012 R2. The flaw carries an Important severity rating on all these Windows releases.

Windows 8.1, Windows 10 getting patches

Microsoft explained in the original advisory that customers who were running virtual machines in Azure weren’t exposed to Lazy FP State Restore.

“An attacker, via a local process, could cause information stored in FP (Floating Point), MMX, and SSE register state to be disclosed across security boundaries on Intel Core family CPUs through speculative execution,” the software giant noted.

“An attacker must be able to execute code locally on a system in order to exploit this vulnerability, similar to the other speculative execution vulnerabilities. The information that could be disclosed in the register state depends on the code executing on a system and whether any code stores sensitive information in FP register state.”

Users are advised to download and install the patches as soon as possible. Windows 10 systems are getting the fixes as part of the cumulative updates shipped this Patch Tuesday, while Windows 8.1 computers receive the same mitigations bundled into the monthly rollups published earlier today. Additional information on these updates and the security-only patches is available in the advisory linked above.