Security Update Leaves Some Devices Unbootable; Microsoft Blames AMD
Microsoft has paused issuing security updates to some Windows PCs with AMD chipsets after reports emerged that the updates were leaving the systems unbootable (see Warning: Microsoft Fix Freezes Some PCs With AMD Chips).
On Monday, Microsoft confirmed to Information Security Media Group that it was investigating the reports, which had been documented in long discussion threads on Microsoft’s support forum starting on Thursday, that its KB4056892 security update for Windows, designed in part to mitigate the Meltdown and Spectre vulnerabilities, was leaving some systems unbootable.
Users vented their frustration over attempting to recover their systems after the failed updates installed, oftentimes automatically. “I understand that making the machine unbootable is the best protection from remote exploitation, but I would rather have the OS working,” AMD PC user Jaroslav Škarvada said in a forum posting.
On Tuesday, Microsoft said it was pausing security updates to systems that have an affected AMD chipset. Microsoft blamed the problem on AMD chipsets not behaving as the documentation AMD had supplied said they would. The chipmaker didn’t immediately respond to a request for comment.
Based on users’ reports, the problem appears to affect some older CPUs built by AMD, including Athlon and Sempron, although so far there’s been no official summary of which processors are affected. Many Intel chips and at least some chips built by ARM also have Meltdown and Spectre flaws. But to date there appear to have been no reports suggesting that KB4056892 was leaving systems with those chips unbootable.
Microsoft Blames AMD
“After investigating, Microsoft has determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown,” Microsoft says in its security alert. “To prevent AMD customers from getting into an unbootable state, Microsoft will temporarily pause … Windows operating system updates to devices with impacted AMD processors at this time.”
Microsoft has said that to receive any future security updates on any Windows system, KB4056892 must be installed. Hence until the security update gets fixed for Windows PCs with affected AMD chips, they cannot be updated to receive the latest protections.
There’s no timeline yet for when the problem might get resolved and working updates for affected AMD systems released. “Microsoft is working with AMD to resolve this issue and resume Windows OS security updates to the affected AMD devices via Windows Update and WSUS as soon as possible,” Microsoft says.
The problem was no doubt exacerbated by vendors rushing to ship even basic mitigations for the Meltdown and Spectre flaws (see Meltdown and Spectre: Patches and Workarounds Appear).
Google’s Project Zero says it developed proof-of-concept exploits for the chipset flaws and reported them to Intel, AMD and ARM on June 1, 2017. As part of a coordinated vulnerability program, all involved researchers and notified organizations agreed to not publicly announce the flaw until Jan. 9, at which point many planned to issue patches. But Google publicly confirmed the flaws on Wednesday after outside researchers began independently unearthing the flaws.
Paused: 9 Updates for Some AMD Systems
Microsoft says nine security updates are being temporarily withheld from affected systems, pending a fix:
Potential Recovery Options
For anyone with an AMD Windows PC that’s been left unbootable, Microsoft has pointed to three resources that might help:
Expect Fresh Security Update
On Tuesday, Microsoft released its regularly scheduled monthly batch of Windows patches. But Liverpool, England-based security researcher Kevin Beaumont, who’s been tracking patches that are being issued to mitigate Meltdown and Spectre, says it’s likely that Microsoft will issue another monthly patch release once it resolves the AMD problem.
Not official yet, but I’ve heard January 2018 Microsoft security cumulative package may be reissued. If you’re rushing to patch you may want to hold fire.
— Kevin Beaumont (@GossiTheDog) January 9, 2018
Any organizations preparing to issue the January cumulative patch from Microsoft may prefer to wait until they get one that doesn’t leave some AMD systems unbootable.
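For administrators deciding which machines to hold back, the following PowerShell triage script is an added example, not code from the article, Microsoft or AMD. It inventories the CPU vendor and model of each host and checks whether the KB named above is already installed, so AMD hosts can be pulled out of the deployment ring until a reissued update arrives. The Athlon/Sempron keyword list is an assumption drawn from the user reports quoted above, not an official affected list, and the script therefore flags every AMD host for a hold by default.

```powershell
# Added example: pre-deployment triage for the January 2018 Windows update.
# Assumptions (not from the article): hosts are reachable over WinRM for
# Get-CimInstance and Get-HotFix; the KB of interest is KB4056892 by default.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$KB = 'KB4056892'
)

# CPU families named in user reports; assumed, no official list existed at the time.
$reportedFamilies = @('Athlon', 'Sempron')

foreach ($c in $ComputerName) {
    try {
        $cpu = Get-CimInstance -ClassName Win32_Processor -ComputerName $c -ErrorAction Stop |
               Select-Object -First 1
        # Get-HotFix returns nothing when the KB is absent; cast to a boolean.
        $hasKb = [bool](Get-HotFix -Id $KB -ComputerName $c -ErrorAction SilentlyContinue)
    } catch {
        Write-Warning "$c : $($_.Exception.Message)"
        continue
    }

    # Win32_Processor.Manufacturer is 'AuthenticAMD' on AMD parts, 'GenuineIntel' on Intel.
    $isAmd      = $cpu.Manufacturer -eq 'AuthenticAMD'
    $isReported = $isAmd -and [bool]($reportedFamilies | Where-Object { $cpu.Name -match $_ })

    if ($isReported) {
        $action = 'HOLD: AMD family named in unbootable-system reports'
    } elseif ($isAmd) {
        $action = 'HOLD: AMD host, no official affected list yet'
    } else {
        $action = 'OK to deploy'
    }

    [pscustomobject]@{
        Computer     = $c
        Manufacturer = $cpu.Manufacturer
        Cpu          = $cpu.Name.Trim()
        HasKB        = $hasKb
        Action       = $action
    }
}
```

Run it against a host list (for example, `.\Triage-JanUpdate.ps1 -ComputerName (Get-Content hosts.txt) | Format-Table`) and feed the `HOLD` rows into whatever mechanism the environment uses to exclude machines from a WSUS approval or deployment group. Hosts that already report `HasKB = True` and boot normally need no action; the script cannot reach hosts that the update has already left unbootable, which is why they show up as warnings rather than rows.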