News

Microsoft Security Advisory Targets 'Lazy Floating Point' Processor Flaw

• By Kurt Mackie
• 06/28/2018

A Microsoft security advisory addresses the recently disclosed "lazy floating point state restore" security problem (CVE-2018-3665) that's leaving Intel Core and Windows processors vulnerable.

Microsoft quietly issued its advisory on Wednesday, June 13, a day after its June "update Tuesday" patch release announcement. This June 25 TechNet blog post briefly mentioned the lazy floating point state restore issue.

The lazy floating point state save/restore issue is yet another problem unearthed by researchers examining the security implications of the normal "speculative execution" functioning of processors. Speculative execution speeds up processor operations by anticipating the next steps to be taken. Unfortunately, as researchers explained back in January it's possible for malware on a machine to exploit these processes and steal information from the operating system's kernel using "side-channel" analysis methods.

The researchers described two kinds of speculative execution side-channel attack methods back in January, namely "Meltdown" and "Spectre." Four variants of those attack methods have been identified:

• Variant 1: Bounds Check Bypass (CVE-2017-5753)
• Variant 2: Branch Target Injection (CVE-2017-5715)
• Variant 3: Rogue Data Cache Load (CVE-2017-5754)
• Variant 3a: Rogue System Register Read (CVE-2018-3640)
• Variant 4: Speculative Store Bypass (CVE-2018-3639)

Intel, in a June 19 e-mail from a spokesperson, explained that the lazy floating point state restore problem falls into the Variant 3a category. Also, the Intel spokesperson implied that operating system makers have been addressing this issue "for many years."

Here's the full statement from the Intel spokesperson:

This issue, known as Lazy FP state restore, is similar to Variant 3a. It has already been addressed for many years by operating system and hypervisor software used in many client and data center products. Our industry partners are working on software updates to address this issue for the remaining impacted environments and we expect these updates to be available in the coming weeks. We continue to believe in coordinated disclosure and we are thankful to Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology GmbH, Zdenek Sojka from SYSGO AG, and Colin Percival for reporting this issue to us. We strongly encourage others in the industry to adhere to coordinated disclosure as well.

Apparently, the lazy floating point state restore issue is possible because of an implementation chosen by the operating system maker, and presumably any future fix for the issue would come from the OS maker, rather than from Intel. Microsoft's advisory didn't provide much information about it. Microsoft had no information to share in response to reporter questions.

The gist of Microsoft's advisory is that the lazy floating point state restore setting is "enabled by default in Windows and cannot be disabled." Information about the affected Windows versions wasn't listed by Microsoft at press time. Microsoft considers lazy floating point state restore to be a medium security issue, and it does not affect customers using Microsoft Azure virtual machines.

Here's Microsoft's assessment of the lazy floating point state restore issue:

An attacker must be able to execute code locally on a system in order to exploit this vulnerability, similar to the other speculative execution vulnerabilities. The information that could be disclosed in the register state depends on the code executing on a system and whether any code stores sensitive information in FP register state.

Microsoft recommends that organizations subscribe to its technical security notifications to get apprised of any changes to its advisory, which is known as "ADV180016." Oddly, this advisory does not appear in this year's list of security advisories. It's possible that Microsoft did not send out a notification about ADV180016 earlier, even to notification subscribers.