Microsoft Releases Mitigation Notes for Windows Downfall Vulnerability

At the onset of this month, security researchers under Google’s aegis revealed a new transient execution vulnerability in Intel processors, formerly dubbed speculative execution vulnerability. Intel has since unveiled the corresponding microcode updates; however, much like its predecessors, this flaw cannot be completely rectified but merely mitigated.

In a similar vein, the new CVE-2022-40982, or “Downfall“, poses a profound threat to virtualization, servers, and data centers. This is due to its potential to allow adversaries to pilfer data across security boundaries, encompassing user kernel data, processes, virtualizations, and trusted execution environments.

Given the profound security ramifications of such vulnerabilities, Microsoft has rolled out support documentation for Windows 10/11, spanning versions like Windows 10/11, Windows Server from the same branch, and Windows LTS.

For domestic users, the most salient consequence is that activating the mitigation strategy might inflict an adverse impact on CPU performance. This has been a hallmark of the Spectre-Meltdown series of vulnerabilities, leading Microsoft to even suggest disabling the mitigation, should its implications become overly burdensome.

However, for corporate entities, forsaking mitigation purely for the sake of CPU performance is inadvisable. Especially for sprawling corporations, this could precipitate compliance conundrums, making it imperative for enterprise IT custodians to earnestly deploy the mitigation solutions.

Below are some salient directives:

1. Enterprise IT overseers should implement the Intel Platform Update 23.3 microcode patch to alleviate this vulnerability. This update is customarily proffered by the device’s Original Equipment Manufacturer (OEM). Microsoft encourages enterprises to liaise with their manufacturer for pertinent details, while Intel has cataloged a list of various OEM drivers and software support on their website. A word of caution: It cannot be ascertained that all OEMs have rolled out their updates.

2. By default, post the installation of the Windows update, the mitigation strategy is auto-enabled. Under typical circumstances, it is not recommended to disable this mitigation. However, Microsoft does allude to the possibility of disabling it if the vulnerability isn’t part of one’s threat model. In essence, if a corporation remains unaffected by this kind of threat, disabling is an option. While Microsoft hasn’t reiterated this, it’s widely recognized that deactivation aids in maximizing CPU performance.

3. Disabling is only permissible post the installation of the following updates:

Windows 10/11: Updates post August 22, 2023, are currently optional, with a stable B-class update slated for September 12.

Windows Server: Updates post September 12, 2023; at the time of this directive’s publication, such updates remain pending.

4. The mitigation strategy can be disabled through the administrator mode of CMD using the provided command:

reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverride /t REG_DWORD /d 33554432 /f

Alternatively, one might navigate the aforementioned registry path to add or modify values to achieve the same end.

5. Upon successful configuration and subsequent system reboot, the mitigation strategy will become inoperative. To reactivate, one simply needs to expunge the DWORD key value.

Windows administrators may run the following command from an elevated command prompt window to disable the mitigation on Windows client and server devices:

reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverride /t REG_DWORD /d 33554432 /f

Administrators who prefer to set the appropriate flag manually may do so as well.

  1. Open the Registry Editor on the Windows machine, e.g., by opening Start, typing regedit, and select Registry Editor.
  2. Confirm the UAC prompt that is displayed.
  3. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management. If a key does not exist, right-click on the previous key, select New > Key, and name it accordingly to create the path.
  4. Right-click on Memory Management and select New > Dword (32-bit) Value.
  5. Name the Dword FeatureSettingsOverride.
  6. Double-click on the newly created Dword and set its value to 2000000 as Hex.
  7. Restart the system.

Via: ghacks