Endpoint Security , Next-Generation Technologies & Secure Development , Open XDR
Microsoft Pauses Windows Security Updates to AMD Devices
Security Update Leaves Some Devices Unbootable; Microsoft Blames AMDMicrosoft has paused issuing security updates to some Windows PCs with AMD chipsets after reports emerged that the updates were leaving the systems unbootable (see Warning: Microsoft Fix Freezes Some PCs With AMD Chips).
See Also: 2024 Trending Tips for Surviving Ransomware
On Monday, Microsoft confirmed to Information Security Media Group that it was investigating the reports, which had been documented in long discussion threads on Microsoft's support forum starting on Thursday, that its KB4056892 security update for Windows, designed in part to mitigate the Meltdown and Spectre vulnerabilities, was leaving some systems unbootable.
Users vented their frustration over attempting to recover their systems after the failed updates installed, often automatically. "I understand that making the machine unbootable is the best protection from remote exploitation, but I would rather have the OS working," AMD PC user Jaroslav Škarvada said in a forum posting.
On Tuesday, Microsoft said it was pausing security updates to systems that have an affected AMD chipset. Microsoft blamed the problem on AMD failing to properly document its firmware.
A spokesman declined to comment on that assertion, but did confirm the Windows update problem. "AMD is aware of an issue with some older generation processors following installation of a Microsoft security update that was published over the weekend," the spokesman tells Information Security Media Group. "AMD and Microsoft have been working on an update to resolve the issue and expect it to begin rolling out again for those impacted shortly."
Based on users' reports, the problem appears to affect some older CPUs built by AMD, including Athlon and Sempron, although so far there's been no official summary of what all has been affected. Many Intel chips and at least some chips built by ARM also have Meltdown and Spectre flaws. But to date there appear to have been no reports suggesting that KB4056892 was leaving systems with those chips unbootable.
Microsoft Blames AMD
"After investigating, Microsoft has determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown," Microsoft says in its security alert. "To prevent AMD customers from getting into an unbootable state, Microsoft will temporarily pause ... Windows operating system updates to devices with impacted AMD processors at this time."
Microsoft has said that to receive any future security updates on any Windows system, KB4056892 must be installed. Hence until the security update gets fixed for Windows PCs with affected AMD chips, they cannot be updated to receive the latest protections.
There's no timeline yet for when the problem might get resolved and working updates for affected AMD systems released. "Microsoft is working with AMD to resolve this issue and resume Windows OS security updates to the affected AMD devices via Windows Update and WSUS as soon as possible," Microsoft says.
The problem was no doubt exacerbated by vendors rushing to ship even basic mitigations for the Meltdown and Spectre flaws (see Meltdown and Spectre: Patches and Workarounds Appear).
Google's Project Zero says it developed proof-of-concept exploits for the chipset flaws and reported them to Intel, AMD and ARM on June 1, 2017. As part of a coordinated vulnerability program, all involved researchers and notified organizations agreed to not publicly announce the flaw until Jan. 9, at which point many planned to issue patches. But Google publicly confirmed the flaws on Wednesday after outside researchers began independently unearthing the flaws.
Paused: 9 Updates for Some AMD Systems
Microsoft says nine security updates are being temporarily withheld from affected systems, pending a fix:
- January 3, 2018 - KB4056897 (Security-only update)
- January 9, 2018 - KB4056894 (Monthly Rollup)
- January 3, 2018 - KB4056888 (OS Build 10586.1356)
- January 3, 2018 - KB4056892 (OS Build 16299.192)
- January 3, 2018 - KB4056891 (OS Build 15063.850)
- January 3, 2018 - KB4056890 (OS Build 14393.2007)
- January 3, 2018 - KB4056898 (Security-only update)
- January 3, 2018 - KB4056893 (OS Build 10240.17735)
- January 9, 2018 - KB4056895 (Monthly Rollup)
Potential Recovery Options
For anyone with an AMD Windows PC that's been left unbootable, Microsoft has pointed to three resources that might help:
- Troubleshoot blue screen errors in Windows 10;
- Resolving Blue Screen errors in Windows 8.1;
- Resolving stop (blue screen) errors in Windows 7.
Expect Fresh Security Update
On Tuesday, Microsoft released its regularly scheduled monthly batch of Windows patches. But Liverpool, England-based security researcher Kevin Beaumont, who's been tracking patches that are being issued to mitigate Meltdown and Spectre, says it's likely that Microsoft will issue another monthly patch release once it resolve the AMD problem.
Not official yet, but I've heard January 2018 Microsoft security cumulative package may be reissued. If you're rushing to patch you may want to hold fire.
— Kevin Beaumont (@GossiTheDog) January 9, 2018
Any organizations preparing to issue the January cumulative patch from Microsoft may prefer to wait until they get one that doesn't leave some AMD systems unbootable.
Update (Jan. 11): AMD says the patch incompatibilities affected "some older AMD processors (AMD Opteron, Athlon and AMD Turion X2 Ultra families)" and that it expects the problem to be resolved and Microsoft to begin reissuing security updates by next week (see Spectre Reversal: AMD Confirms Chips Have Flaws).