Full Report
Microsoft is seeking further information from customers who reported failure and data corruption issues affecting their solid-state drives (SSDs) and hard disk drives (HDDs) after installing the August 2025 security update. [...]
Analysis Summary
This incident summary interprets the provided text, treating the software update issue as a security/reliability incident causing data loss, as would be analyzed in an incident response context focused on system integrity.
# Incident Report: Windows Update Causing SSD/HDD Data Corruption
## Executive Summary
Microsoft is investigating reports of data corruption and failure affecting Solid State Drives (SSDs) and Hard Disk Drives (HDDs) following the installation of the August 2025 cumulative security update (KB5063878) and the preview update (KB5062660). The suspected attack vector is flawed update code leading to catastrophic disk write failures, resulting in data loss on drives over 60% capacity. Response actions include seeking customer feedback and collaborating with hardware partners (like Phison) to reproduce and resolve the instability.
## Incident Details
- Discovery Date: Last week (prior to Aug 21, 2025) - *Reported by Japanese PC builder.*
- Incident Date: Following installation of KB5063878 and KB5062660 updates.
- Affected Organization: Microsoft/End Users running Windows 11 24H2.
- Sector: Software/Technology.
- Geography: Industry-wide, initial report from Japan.
## Timeline of Events
### Initial Access
- Date/Time: Not applicable (Internal software deployment issue).
- Vector: Deployment of Windows 11 Cumulative Updates (KB5063878, KB5062660).
- Details: Installation of the patch appears to trigger instability during heavy write operations to storage devices that are >60% full.
### Lateral Movement
- Not applicable (This is a reliability/integrity issue, not a traditional breach).
### Data Exfiltration/Impact
- Impact: Data corruption and failure of multiple SSD/HDD models (including Corsair MP600, Kioxia Exceria Plus G4, etc.) when performing large file writes or unpacking large compressed archives.
### Detection & Response
- Detection: External reporting by a PC builder and subsequent user confirmation across various forums.
- Response Actions: Microsoft acknowledged reports, stated internal testing and telemetry did not show an increase in failures, and requested impacted users contact Support for Business or use the Feedback Hub. Active collaboration with storage device partners (e.g., Phison) is underway.
## Attack Methodology
- Initial Access: Flawed update code introduced instability into disk write operations.
- Persistence: Not applicable.
- Privilege Escalation: Not applicable.
- Defense Evasion: Not applicable.
- Credential Access: Not applicable.
- Discovery: Not applicable.
- Lateral Movement: Not applicable.
- Collection: Not applicable.
- Exfiltration: Not applicable.
- Impact: System instability leading to data corruption/failure of storage hardware under specific write load conditions.
## Impact Assessment
- Financial: Not quantified, but involves costs related to data recovery, replacement hardware, and support overhead for Microsoft.
- Data Breach: Data corruption/loss occurred on affected user drives. Scope affects multiple SSD/HDD models utilizing Phison and InnoGrit controllers.
- Operational: Business disruption for users attempting large file transfers or system backups after patching. A key constraint is currently avoiding writing large files or numerous files simultaneously.
- Reputational: Negative impact on user trust regarding Windows update reliability.
## Indicators of Compromise
- Network indicators: Not applicable.
- File indicators: Not applicable.
- Behavioral indicators: Disk disappearing from the OS during heavy write operations; SSD/HDD failure reported; corruption noted when writing large files or extracting many small files simultaneously (especially on drives >60% full).
## Response Actions
- Containment measures: Users advised to avoid writing large files (tens of gigabytes) or extracting large compressed files in single steps.
- Eradication steps: Ongoing collaboration with component manufacturers (Phison, etc.) for root cause analysis.
- Recovery actions: A fix is pending release; customers urged to file reports with Microsoft Support.
## Lessons Learned
- Key takeaways: Updates that interact deeply with hardware drivers/firmware (storage stacks) require exhaustive real-world testing across diverse hardware configurations before broad deployment, especially under high-load scenarios.
- What could have been done better: Broader telemetry monitoring or pre-release hardware testing should have flagged the write operation instability, especially concerning drives above a certain utilization threshold.
## Recommendations
- Prevention measures for similar incidents: Implement mandatory stress testing of critical hardware interaction layers (like storage and networking stacks) using high-utilization disk write scenarios before releasing cumulative updates. Temporarily block updates for users running specific flagged hardware/firmware combinations until compatibility is verified.