Microsoft reveals how to mitigate the Downfall vulnerability affecting Intel processors running Windows 10 and Windows 11
Following on from the Meltdown flaw and other related vulnerabilities, a more recent security issue was discovered in the form of Downfall. Tracked as CVE-2022-40982, exploitation of the flaw is known as a transient execution attack and it affects Intel CPUs.
Microsoft has not only acknowledged that the problem exists, but has now provided details of mitigation techniques that can be used. In security advisory KB5029778, the company gives instructions for users of Windows 10, Windows 11 and Windows Server.
- MSI reveals workaround for UNSUPPORTED_PROCESSOR errors in Windows 11 after KB5029351 update
- Microsoft brings some of Windows 11 to Windows 10 users with the KB5029331 update
- Microsoft releases KB5029351 update for Windows 11, changing default app options, introducing optional update changes, improving search, and much more
Microsoft explains that more recent Intel chips -- such as Alder Lake, Raptor Lake and Sapphire Rapids -- are not affected by Downfall, but says that it is aware of a new transient execution attack named gather data sampling (GDS) or "Downfall".
The company adds:
This vulnerability could be used to infer data from affected CPUs across security boundaries such as user-kernel, processes, virtual machines (VMs), and trusted execution environments.
The mitigation is a simple matter of installing the Intel Platform Update (IPU) 23.3 microcode update which can be obtained from OEM. Microsoft acknowledges that not everyone will consider GDS to be part of their threat model. As such, it also provides details of how to disable the mitigation:
To disable the GDS mitigation in Windows, you must have the following installed, as appropriate for your environment:
- On supported Windows 10 and Windows 11 environments, you must have installed the Windows update dated on or after August 22, 2023.
- On supported Windows Server environments, you must have installed the Windows update dated on or after September 12, 2023.
After the appropriate Windows update is installed, you must set the following feature flag in the registry:
Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Value name: FeatureSettingsOverride
Value type: REG_DWORD
Value data: 0x2000000 (hex)
If this registry value does not already exist, run the following command to disable the GDS mitigation:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 33554432 /f