Microsoft Issues Advisory on Lazy Floating Point State Restore Security Issue

Microsoft earlier this month issued an advisory for the "lazy floating point state restore" security problem (CVE-2018-3665) that potentially could affect users of Windows and Intel Core processors.

Microsoft's advisory, issued on Wednesday, June 13, missed by a day being announced alongside its "update Tuesday" patch release for June. Little publicity attended its publication. This June 25 TechNet blog post briefly mentioned the lazy floating point state restore issue.

The lazy floating point state save/restore issue is yet another problem unearthed by researchers examining the security implications of the normal "speculative execution" functioning of processors. Speculative execution speeds up processor operations by anticipating the next steps to be taken. Unfortunately, as researchers explained back in January, it's possible for malware on a machine to exploit these processes and steal information from the operating system's kernel using "side-channel" analysis methods.

The researchers described two kinds of speculative execution side-channel attack methods back in January, namely "Meltdown" and "Spectre." Four variants of those attack methods have been identified, namely:

Intel, in a June 19 e-mail from a spokesperson, explained that the lazy floating point state restore problem falls into the Variant 3a category. Also, the Intel spokesperson implied that operating system makers have been addressing this issue "for many years."

Here's the full statement from the Intel spokesperson:

This issue, known as Lazy FP state restore, is similar to Variant 3a. It has already been addressed for many years by operating system and hypervisor software used in many client and data center products. Our industry partners are working on software updates to address this issue for the remaining impacted environments and we expect these updates to be available in the coming weeks. We continue to believe in coordinated disclosure and we are thankful to Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology GmbH, Zdenek Sojka from SYSGO AG, and Colin Percival for reporting this issue to us. We strongly encourage others in the industry to adhere to coordinated disclosure as well.

Apparently, the lazy floating point state restore issue is possible because of an implementation chosen by the operating system maker, and presumably any future fix for the issue would come from the OS maker, rather than from Intel. Microsoft's advisory didn't provide much information about it. Microsoft had no information to share in response to reporter questions.

The gist of Microsoft's advisory is that the lazy floating point state restore setting is "enabled by default in Windows and cannot be disabled." Information about the affected Windows versions wasn't listed by Microsoft at press time. Microsoft considers lazy floating point state restore to be a medium security issue, and it does not affect customers using Microsoft Azure virtual machines.

Here's Microsoft's assessment of the lazy floating point state restore issue:

An attacker must be able to execute code locally on a system in order to exploit this vulnerability, similar to the other speculative execution vulnerabilities. The information that could be disclosed in the register state depends on the code executing on a system and whether any code stores sensitive information in FP register state.

Microsoft recommends that organizations subscribe to its technical security notifications to be apprised of any changes to its advisory, which is known as "ADV180016." Oddly, this advisory does not appear in this year's list of security advisories. It's possible that Microsoft did not send out a notification about ADV180016 earlier, even to notification subscribers.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

