Microsoft released emergency security updates for the “Memory Mapped I/O Stale Data (MMIO)” information disclosure vulnerabilities in Intel processors.
The Memory Mapped I/O side-channel vulnerabilities were originally disclosed by Intel on June 14, 2022, with a warning that they could allow processes running in a virtual machine to access data from another virtual machine.
This class of vulnerabilities is tracked with the following CVEs:
- CVE-2022-21123 – Shared Buffer Data Read (SBDR)
- CVE-2022-21125 – Shared Buffer Data Sampling (SBDS)
- CVE-2022-21127 – Special Register Buffer Data Sampling Update (SRBDS Update)
- CVE-2022-21166 – Device Register Partial Write (DRPW)
According to Microsoft, no security updates had been released for these vulnerabilities other than a few fixes implemented for Windows Server 2019 and Windows Server 2022.
Today Microsoft released a somewhat confusing set of security updates for Windows 10, Windows 11, and Windows Server that address these vulnerabilities.
From the support bulletins, it is unclear whether these are new updates from Intel or other mitigations that will be applied to the devices.
These updates are released as manual updates in the Microsoft Update Catalog:
- KB5019180 – Windows 10, version 20H2, 21H2, and 22H2
- KB5019177 – Windows 11, version 21H2
- KB5019178 – Windows 11, version 22H2
- KB5019182 – Windows Server 2016
- KB5019181 – Windows Server 2019
- KB5019106 – Windows Server 2022
The above updates may be released as optional, manual updates, and the mitigations for these vulnerabilities may cause performance issues. In some cases, the vulnerabilities may not be fully resolved without disabling Intel Hyper-Threading Technology (Intel HT Technology).
Therefore, it is recommended that you read the advice from both Intel and Microsoft before applying the updates.