Change date |
Change description |
---|---|
August 9, 2023 |
|
April 9, 2024 |
|
Summary
This article provides information and updates for a new class of silicon-based microarchitectural and speculative execution side-channel vulnerabilities that affect many modern processors and operating systems. It also provides a comprehensive list of Windows client and server resources to help keep your devices protected at home, at work, and across your enterprise. This includes Intel, AMD, and ARM. Specific vulnerability details for these silicon-based issues can be found in the following security advisories and CVEs:
-
ADV180002 - Guidance to mitigate speculative execution side-channel vulnerabilities
-
ADV180013 - Microsoft Guidance for Rogue System Register Read
-
ADV190013 - Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities
-
ADV220002 - Microsoft Guidance on Intel Processor MMIO Stale Data Vulnerabilities
On January 3, 2018, Microsoft released an advisory and security updates related to a newly-discovered class of hardware vulnerabilities (known as Spectre and Meltdown) involving speculative execution side channels that affect AMD, ARM, and Intel processors to varying degrees. This class of vulnerabilities is based on a common chip architecture that was originally designed to speed up computers. You can learn more about these vulnerabilities at Google Project Zero.
On May 21, 2018, Google Project Zero (GPZ), Microsoft, and Intel disclosed two new chip vulnerabilities that are related to the Spectre and Meltdown issues and are known as Speculative Store Bypass (SSB) and Rogue System Registry Read. The customer risk from both disclosures is low.
For more information about these vulnerabilities, see the resources that are listed under May 2018 Windows operating system updates, and refer to the following Security Advisories:
On June 13, 2018, an additional vulnerability involving side-channel speculative execution, known as Lazy FP State Restore, was announced and assigned CVE-2018-3665. For more information about this vulnerability and recommended actions, see the following Security Advisory:
On August 14, 2018, L1 Terminal Fault (L1TF), a new speculative execution side channel vulnerability was announced that has multiple CVEs. L1TF affects Intel® Core® processors and Intel® Xeon® processors. For more information about L1TF and recommended actions, see our Security Advisory:
Note: We recommend that you install all of the latest updates from Windows Update before you install any microcode updates.
On May 14, 2019, Intel published information about a new subclass of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling. They have been assigned the following CVEs:
-
CVE-2018-11091 – “Microarchitectural Data Sampling Uncacheable Memory (MDSUM)”
-
CVE-2018-12126 – “Microarchitectural Store Buffer Data Sampling (MSBDS)”
-
CVE-2018-12127 – “Microarchitectural Fill Buffer Data Sampling (MFBDS)”
-
CVE-2018-12130 – “Microarchitectural Load Port Data Sampling (MLPDS)”
Important: These issues will affect other systems such as Android, Chrome, iOS, and MacOS. We advise customers seek guidance from their respective vendors.
Microsoft has released updates to help mitigate these vulnerabilities. To get all available protections, firmware (microcode) and software updates are required. This may include microcode from device OEMs. In some cases, installing these updates will have a performance impact. We have also acted to secure our cloud services.
Note: We recommend that you install all the latest updates from Windows Update before you install microcode updates.
For more information about these issues and recommended actions, see the following Security Advisory:
On August 6, 2019 Intel released details about a Windows kernel information disclosure vulnerability. This vulnerability is a variant of the Spectre Variant 1 speculative execution side channel vulnerability and has been assigned CVE-2019-1125.
Microsoft released a security update for the Windows operating system on July 9, 2019 to help mitigate this issue. Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically. Note that this vulnerability does not require a microcode update from your device manufacturer (OEM).
For more information about this vulnerability and applicable updates, see CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability in the Microsoft Security Update Guide.
On June 14, 2022, Intel published information about a new subclass of speculative execution memory-mapped I/O (MMIO) side channel vulnerabilities that are listed in the advisory:
Steps to help protect your Windows devices
You may have to update both your firmware (microcode) and your software to address these vulnerabilities. Please refer to the Microsoft Security Advisories for recommended actions. This includes applicable firmware (microcode) updates from device manufacturers and, in some cases, updates to your antivirus software. We encourage you to keep your devices up-to-date by installing the monthly security updates.
To receive all available protections, follow these steps to get the latest updates for both software and hardware.
Note: Before you begin, make sure that your antivirus (AV) software is up-to-date and compatible. Check your antivirus software manufacturer's website for their latest compatibility information.
-
Keep your Windows device up-to-date by turning on automatic updates.
-
Check that you’ve installed the latest Windows operating system security update from Microsoft. If automatic updates are turned on, the updates should be automatically delivered to you. However, you should still verify that they’re installed. For instructions, see Windows Update: FAQ
-
Install available firmware (microcode) updates from your device manufacturer. All customers will have to check with their device manufacturer to download and install their device specific hardware update. See the "Additional resources" section for a list of device manufacturer websites.
Note: Customers should install the latest Windows operating system security updates from Microsoft to take advantage of available protections. Antivirus software updates should be installed first. Operating system and firmware updates should follow. We encourage you to keep your devices up-to-date by installing the monthly security updates.
Affected chips include those that are manufactured by Intel, AMD, and ARM. This means that all devices that are running Windows operating systems are potentially vulnerable. This includes desktops, laptops, cloud servers, and smartphones. Devices that are running other operating systems, such as Android, Chrome, iOS, and macOS, are also affected. We advise customers who are running these operating systems to seek guidance from those vendors.
At the time of publication, we had not received any information to indicate that these vulnerabilities have been used to attack customers.
Starting in January 2018, Microsoft released updates for Windows operating systems and the Internet Explorer and Edge web browsers to help mitigate these vulnerabilities and help to protect customers. We also released updates to secure our cloud services. We continue working closely with industry partners, including chip makers, hardware OEMs, and app vendors, to protect customers against this class of vulnerability.
We encourage you to always install the monthly updates to keep your devices up-to-date and secure.
We will update this documentation when new mitigations become available, and we recommend you check back here regularly.
July 2019 Windows operating system updates
On August 6, 2019, Intel disclosed details for security vulnerability CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability. Security updates for this vulnerability were released as part of the July monthly update release on July 9, 2019.
Microsoft released a security update for the Windows operating system on July 9, 2019 to help mitigate this issue. We held back documenting this mitigation publicly until the coordinated industry disclosure on Tuesday, August 6, 2019.
Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically. Note that this vulnerability does not require a microcode update from your device manufacturer (OEM).
May 2019 Windows operating system updates
On May 14, 2019, Intel published information about a new subclass of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling and were assigned the following CVEs:
-
CVE-2018-11091 – “Microarchitectural Data Sampling Uncacheable Memory (MDSUM)”
-
CVE-2018-12126 – “Microarchitectural Store Buffer Data Sampling (MSBDS)”
-
CVE-2018-12127 – “Microarchitectural Fill Buffer Data Sampling (MFBDS)”
-
CVE-2018-12130 – “Microarchitectural Load Port Data Sampling (MLPDS)”
For more information about this issue, see the following Security Advisory and use scenario-based guidance outlined in the Windows guidance for Clients and Server articles to determine actions necessary to mitigate the threat:
Microsoft has released protections against a new subclass of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling for 64-Bit (x64) versions of Windows (CVE-2018-11091,CVE-2018-12126, CVE-2018-12127, CVE-2018-12130).
Use the registry settings as described in the Windows Client (KB4073119) and Windows Server (KB4457951) articles. These registry settings are enabled by default for Windows Client OS editions and Windows Server OS editions.
We recommend that you install all of the latest updates from Windows Update first, before you install any microcode updates.
For more information about this issue and recommended actions, see the following Security Advisory:
Intel has released a microcode update for recent CPU platforms to help mitigate CVE-2018-11091,CVE-2018-12126, CVE-2018-12127, CVE-2018-12130. The May 14, 2019 Windows KB 4093836 lists specific Knowledge Base articles by Windows OS version. The article also contains links to the available Intel microcode updates by CPU. These updates are available via the Microsoft Catalog.
Note: We recommend that you install all of the latest updates from Windows Update before you install any microcode updates.
We’re happy to announce that the Retpoline is enabled by default on Windows 10, version 1809 devices (for client and server) if Spectre Variant 2 (CVE-2017-5715) is enabled. By enabling Retpoline on the latest version of Windows 10, via the May 14, 2019 update (KB 4494441), we anticipate enhanced performance, particularly on older processors.
Customers should ensure previous OS protections against the Spectre Variant 2 vulnerability are enabled using the registry settings described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions but disabled by default for Windows Server OS editions). For more information about “Retpoline”, see Mitigating Spectre variant 2 with Retpoline on Windows.
November 2018 Windows operating system updates
Microsoft has released operating system protections for Speculative Store Bypass (CVE-2018-3639) for AMD processors (CPUs).
Microsoft has released additional operating system protections for customers using 64-bit ARM processors. Please check with your device OEM manufacturer for firmware support because ARM64 operating system protections that mitigate CVE-2018-3639, Speculative Store Bypass, require the latest firmware update from your device OEM.
September 2018 Windows operating system updates
On September 11, 2018, Microsoft released Windows Server 2008 SP2 Monthly Rollup 4458010 and Security Only 4457984 for Windows Server 2008 that provide protections against a new speculative execution side-channel vulnerability known as L1 Terminal Fault (L1TF) affecting Intel® Core® processors and Intel® Xeon® processors (CVE-2018-3620 and CVE-2018-3646).
This release completes the additional protections on all supported Windows system versions through Windows Update. For more information and a list of affected products, please see ADV180018 | Microsoft Guidance to mitigate L1TF variant.
Note: Windows Server 2008 SP2 now follows the standard Windows servicing rollup model. For more information about these changes, please see our blog Windows Server 2008 SP2 servicing changes. Customers running Windows Server 2008 should install either 4458010 or 4457984 in addition to Security Update 4341832, which was released on August 14, 2018. Customers should also ensure previous OS protections against Spectre Variant 2 and Meltdown vulnerabilities are enabled using the registry settings outlined in the Windows Client and Windows Server guidance KB articles. These registry settings are enabled by default for Windows Client OS editions but is disabled by default for Windows Server OS editions.
Microsoft has released additional operating system protections for customers using 64-bit ARM processors. Please check with your device OEM manufacturer for firmware support because ARM64 operating system protections that mitigate CVE-2017-5715 - Branch target injection (Spectre, Variant 2) require the latest firmware update from your device OEMs to take effect.
August 2018 Windows operating system updates
On August 14, 2018, L1 Terminal Fault (L1TF)was announced and assigned multiple CVEs. These new speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and, if exploited, can lead to information disclosure. There are multiple vectors by which an attacker could trigger the vulnerabilities depending on the configured environment. L1TF affects Intel® Core® processors and Intel® Xeon® processors.
For more information about L1TF and a detailed view of affected scenarios, including Microsoft’s approach to mitigating L1TF please see the following resources:
July 2018 Windows operating system updates
We are pleased to announce that Microsoft has completed releasing additional protections on all supported Windows system versions through Windows Update for the following vulnerabilities:
-
Spectre Variant 2 for AMD processors
-
Speculative Store Bypass for Intel processors
On June 13, 2018, an additional vulnerability involving side-channel speculative execution, known as Lazy FP State Restore, was announced and assigned CVE-2018-3665. There are no configuration (registry) settings needed for Lazy Restore FP Restore.
For more information about this vulnerability, affected products, and recommended actions, see the following Security Advisory:
On June 12, Microsoft announced Windows support for Speculative Store Bypass Disable (SSBD) in Intel processors. The updates require corresponding firmware (microcode) and registry updates for functionality. For information about the updates and the steps to apply to turn on SSBD, see the "Recommended actions" section in ADV180012 | Microsoft Guidance for Speculative Store Bypass.
May 2018 Windows operating system updates
In January 2018, Microsoft released information about a newly discovered class of hardware vulnerabilities (known as Spectre and Meltdown) that involve speculative execution side channels that affect AMD, ARM, and Intel CPUs to varying degrees. On May 21, 2018 Google Project Zero (GPZ), Microsoft, and Intel disclosed two new chip vulnerabilities that are related to the Spectre and Meltdown issues that are known as Speculative Store Bypass (SSB) and Rogue System Registry Read.
The customer risk from both disclosures is low.
For more information about these vulnerabilities, see the following resources:
-
Microsoft Security Advisory for Speculative Store Bypass: MSRC ADV180012 and CVE-2018-3639
-
Microsoft Security Advisory for Rogue System Register Read: MSRC ADV180013and CVE-2018-3640
-
Security Research and Defense: Analysis and mitigation of speculative store bypass (CVE-2018-3639)
Applies to: Windows 10, version 1607, Windows Server 2016, Windows Server 2016 (Server Core installation), and Windows Server, version 1709 (Server Core installation)
We have provided support to control usage of Indirect Branch Prediction Barrier (IBPB) within some AMD processors (CPUs) for mitigating CVE-2017-5715, Spectre Variant 2 when you switch from user context to kernel context. (For more information, see AMD Architecture Guidelines around Indirect Branch Control and AMD Security Updates).
Customers who are running Windows 10, version 1607, Windows Server 2016, Windows Server 2016 (Server Core installation), and Windows Server, version 1709 (Server Core installation) must install security update 4103723 for additional mitigations for AMD processors for CVE-2017-5715, Branch Target Injection. This update is also available through Windows Update.
Follow the instructions that are outlined in KB 4073119 for Windows Client (IT Pro) guidance and KB 4072698 for Windows Server guidance to enable usage of IBPB within some AMD processors (CPUs) for mitigating Spectre Variant 2 when you switch from user context to kernel context.
Microsoft is making available Intel validated microcode updates around Spectre Variant 2 (CVE-2017-5715 “Branch Target Injection”). To get the latest Intel microcode updates through Windows Update, customers must have installed Intel microcode on devices running a Windows 10 operating system prior to upgrading to the Windows 10 April 2018 Update (version 1803).
The microcode update is also available directly from Catalog if it was not installed on the device prior to upgrading the OS. Intel microcode is available through Windows Update, WSUS, or the Microsoft Update Catalog. For more information and download instructions, see KB 4100347.
We will offer additional microcode updates from Intel for the Windows operating system as they become available to Microsoft.
Applies to: Windows 10, version 1709
We have provided support to control usage of Indirect Branch Prediction Barrier (IBPB) within some AMD processors (CPUs) for mitigating CVE-2017-5715, Spectre Variant 2 when you switch from user context to kernel context. (For more information, see AMD Architecture Guidelines around Indirect Branch Control and AMD Security Updates). Follow the instructions outlined in KB 4073119 for Windows Client (IT Pro) guidance to enable usage of IBPB within some AMD processors (CPUs) for mitigating Spectre Variant 2 when you switch from user context to kernel context.
Microsoft is making available Intel validated microcode updates around Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection"). KB4093836 lists specific Knowledge Base articles by Windows version. Each specific KB contains the latest available Intel microcode updates by CPU.
We will offer additional microcode updates from Intel for the Windows operating system as they become available to Microsoft.
March 2018 and later Windows operating system updates
March 23, TechNet Security Research & Defense: KVA Shadow: Mitigating Meltdown on Windows
March 14, Security Tech Center: Speculative Execution Side Channel Bounty Program Terms
March 13, blog: March 2018 Windows Security Update – Expanding Our Efforts to Protect Customers
March 1, blog: Update on Spectre and Meltdown security updates for Windows devices
Starting in March 2018, Microsoft released security updates to provide mitigations for devices running the following x86-based Windows operating systems. Customers should install latest Windows operating system security updates to take advantage of available protections. We are working to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates. For more information, see the related Knowledge Base article for technical details and the "FAQ" section.
Product update released |
Status |
Release date |
Release channel |
KB |
Windows 8.1 & Windows Server 2012 R2 - Security Only Update |
Released |
13-Mar |
WSUS, Catalog, |
|
Windows 7 SP1 & Windows Server 2008 R2 SP1 - Security Only Update |
Released |
13-Mar |
WSUS, Catalog |
|
Windows Server 2012 - Security Only Update Windows 8 Embedded Standard Edition - Security Only Update |
Released |
13-Mar |
WSUS, Catalog |
|
Windows 8.1 & Windows Server 2012 R2 - Monthly Rollup |
Released |
13-Mar |
WU, WSUS, Catalog |
|
Windows 7 SP1 & Windows Server 2008 R2 SP1 - Monthly Rollup |
Released |
13-Mar |
WU, WSUS, Catalog |
|
Windows Server 2012 - Monthly Rollup Windows 8 Embedded Standard Edition - Monthly Rollup |
Released |
13-Mar |
WU, WSUS, Catalog |
|
Windows Server 2008 SP2 |
Released |
13-Mar |
WU, WSUS, Catalog |
Starting in March 2018, Microsoft released security updates to provide mitigations for devices running the following x64-based Windows operating systems. Customers should install latest Windows operating system security updates to take advantage of available protections. We are working to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates. For more information, see the related knowledge base article for technical details and the "FAQ" section.
Product update released |
Status |
Release date |
Release channel |
KB |
Windows Server 2012 - Security Only Update Windows 8 Embedded Standard Edition - Security Only Update |
Released |
13-Mar |
WSUS, Catalog |
|
Windows Server 2012 - Monthly Rollup Windows 8 Embedded Standard Edition - Monthly Rollup |
Released |
13-Mar |
WU, WSUS, Catalog |
|
Windows Server 2008 SP2 |
Released |
13-Mar |
WU, WSUS, Catalog |
This update addresses an elevation of privilege vulnerability in the Windows kernel in the 64-Bit (x64) version of Windows. This vulnerability is documented in CVE-2018-1038. Users must apply this update to be fully protected against this vulnerability if their computers were updated on or after January 2018 by applying any of the updates that are listed in the following Knowledge Base article:
This security update resolves several reported vulnerabilities in Internet Explorer. To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures.
Product update released |
Status |
Release date |
Release channel |
KB |
Internet Explorer 10 - Cumulative Update for Windows 8 Embedded Standard Edition |
Released |
13-Mar |
WU, WSUS, Catalog |
February 2018 Windows operating system updates
Blog: Windows Analytics now helps assess Spectre and Meltdown protections
The following security updates provide additional protections for devices running 32-bit (x86) Windows operating systems. Microsoft recommends customers install the update as soon as available. We continue to work to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates.
Note Windows 10 monthly security updates are cumulative month over month and will be downloaded and installed automatically from Windows Update. If you have installed earlier updates, only the new portions will be downloaded and installed on your device. For more information, see the related Knowledge Base article for technical details and the "FAQ" section.
Product update released |
Status |
Release date |
Release channel |
KB |
Windows 10 - Version 1709 / Windows Server 2016 (1709) / IoT Core - Quality Update |
Released |
31-Jan |
WU, Catalog |
|
Windows Server 2016 (1709) - Server container |
Released |
13-Feb |
Docker Hub |
|
Windows 10 - Version 1703 / IoT Core - Quality Update |
Released |
13-Feb |
WU, WSUS, Catalog |
|
Windows 10 - Version 1607 / Windows Server 2016 / IoT Core - Quality Update |
Released |
13-Feb |
WU, WSUS, Catalog |
|
Windows 10 HoloLens - OS and Firmware Updates |
Released |
13-Feb |
WU, Catalog |
|
Windows Server 2016 (1607) - Container Images |
Released |
13-Feb |
Docker Hub |
|
Windows 10 - Version 1511 / IoT Core - Quality Update |
Released |
13-Feb |
WU, WSUS, Catalog |
|
Windows 10 - Version RTM - Quality Update |
Released |
13-Feb |
WU, WSUS, Catalog |
January 2018 Windows operating system updates
Blog: Understanding the Performance Impact of Spectre and Meltdown Mitigations on Windows Systems
Starting in January 2018, Microsoft released security updates to provide mitigations for devices running the following x64-based Windows operating systems. Customers should install latest Windows operating system security updates to take advantage of available protections. We are working to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates. For more information, see the related Knowledge Base article for technical details and the "FAQ" section.
Product update released |
Status |
Release date |
Release channel |
KB |
Windows 10 - Version 1709 / Windows Server 2016 (1709) / IoT Core - Quality Update |
Released |
3-Jan |
WU, WSUS, Catalog, Azure Image Gallery |
|
Windows Server 2016 (1709) - Server container |
Released |
5-Jan |
Docker Hub |
|
Windows 10 - Version 1703 / IoT Core - Quality Update |
Released |
3-Jan |
WU, WSUS, Catalog |
|
Windows 10 - Version 1607 / Windows Server 2016 / IoT Core- Quality Update |
Released |
3-Jan |
WU, WSUS, Catalog |
|
Windows Server 2016 (1607) - Container Images |
Released |
4-Jan |
Docker Hub |
|
Windows 10 - Version 1511 / IoT Core - Quality Update |
Released |
3-Jan |
WU, WSUS, Catalog |
|
Windows 10 - Version RTM - Quality Update |
Released |
3-Jan |
WU, WSUS, Catalog |
|
Windows 10 Mobile (OS Build 15254.192) - ARM |
Released |
5-Jan |
WU, Catalog |
|
Windows 10 Mobile (OS Build 15063.850) |
Released |
5-Jan |
WU, Catalog |
|
Windows 10 Mobile (OS Build 14393.2007) |
Released |
5-Jan |
WU, Catalog |
|
Windows 10 HoloLens |
Released |
5-Jan |
WU, Catalog |
|
Windows 8.1 / Windows Server 2012 R2 - Security Only Update |
Released |
3-Jan |
WSUS, Catalog |
|
Windows Embedded 8.1 Industry Enterprise |
Released |
3-Jan |
WSUS, Catalog |
|
Windows Embedded 8.1 Industry Pro |
Released |
3-Jan |
WSUS, Catalog |
|
Windows Embedded 8.1 Pro |
Released |
3-Jan |
WSUS, Catalog |
|
Windows 8.1 / Windows Server 2012 R2 Monthly Rollup |
Released |
8-Jan |
WU, WSUS, Catalog |
|
Windows Embedded 8.1 Industry Enterprise |
Released |
8-Jan |
WU, WSUS, Catalog |
|
Windows Embedded 8.1 Industry Pro |
Released |
8-Jan |
WU, WSUS, Catalog |
|
Windows Embedded 8.1 Pro |
Released |
8-Jan |
WU, WSUS, Catalog |
|
Windows Server 2012 Security Only |
Released |
WSUS, Catalog |
||
Windows Server 2008 SP2 |
Released |
WU, WSUS, Catalog |
||
Windows Server 2012 Monthly Rollup |
Released |
WU, WSUS, Catalog |
||
Windows Embedded 8 Standard |
Released |
WU, WSUS, Catalog |
||
Windows 7 SP1 / Windows Server 2008 R2 SP1 - Security Only Update |
Released |
3-Jan |
WSUS, Catalog |
|
Windows Embedded Standard 7 |
Released |
3-Jan |
WSUS, Catalog |
|
Windows Embedded POSReady 7 |
Released |
3-Jan |
WSUS, Catalog |
|
Windows Thin PC |
Released |
3-Jan |
WSUS, Catalog |
|
Windows 7 SP1 / Windows Server 2008 R2 SP1 Monthly Rollup |
Released |
4-Jan |
WU, WSUS, Catalog |
|
Windows Embedded Standard 7 |
Released |
4-Jan |
WU, WSUS, Catalog |
|
Windows Embedded POSReady 7 |
Released |
4-Jan |
WU, WSUS, Catalog |
|
Windows Thin PC |
Released |
4-Jan |
WU, WSUS, Catalog |
|
Internet Explorer 11-Cumulative Update for Windows 7 SP1 and Windows 8.1 |
Released |
3-Jan |
WU, WSUS, Catalog |
On April 9, 2024 we published CVE-2022-0001 | Intel Branch History Injection which describes Branch History Injection (BHI) which is a specific form of intra-mode BTI. This vulnerability occurs when an attacker may manipulate branch history before transitioning from user to supervisor mode (or from VMX non-root/guest to root mode). This manipulation could cause an indirect branch predictor to select a specific predictor entry for an indirect branch, and a disclosure gadget at the predicted target will transiently execute. This may be possible because the relevant branch history may contain branches taken in previous security contexts, and in particular, other predictor modes.
Follow the instructions that are outlined in KB4073119 for Windows Client (IT Pro) guidance and KB4072698 for Windows Server guidance to mitigate the vulnerabilities described in CVE-2022-0001 | Intel Branch History Injection.
Resources and technical guidance
Depending on your role, the following support articles can help you identify and mitigate client and server environments that are affected by the Spectre and Meltdown vulnerabilities.
Microsoft Security Advisory for L1 Terminal Fault (L1TF): MSRC ADV180018, CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646
Security Research and Defense: Analysis and mitigation of speculative store bypass (CVE-2018-3639)
Microsoft Security Advisory for Speculative Store Bypass: MSRC ADV180012 and CVE-2018-3639
Microsoft Security Advisory for Rogue System Register Read | Security Update Guide for Surface: MSRC ADV180013and CVE-2018-3640
Security Research and Defense: Analysis and mitigation of speculative store bypass (CVE-2018-3639)
TechNet Security Research & Defense: KVA Shadow: Mitigating Meltdown on Windows
Security Tech Center: Speculative Execution Side Channel Bounty Program Terms
Microsoft Experience blog: Update on Spectre and Meltdown security updates for Windows devices
Windows for Business blog: Windows Analytics now helps assess Spectre and Meltdown protections
Microsoft Secure blog: Understanding the Performance Impact of Spectre and Meltdown Mitigations on Windows Systems
Edge Developer Blog: Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer
Azure Blog: Securing Azure customers from CPU vulnerability
SCCM guidance: Additional guidance to mitigate speculative execution side-channel vulnerabilities
Microsoft Advisories:
-
ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities
-
ADV180013 | Microsoft Guidance for Rogue System Register Read
Intel: Security Advisory
ARM: Security Advisory
AMD: Security Advisory
NVIDIA: Security Advisory
Consumer Guidance: Protecting your device against chip-related security vulnerabilities
Antivirus Guidance: Windows security updates released January 3, 2018, and antivirus software
Guidance for AMD Windows OS security update block: KB4073707: Windows operating system security update block for some AMD based devices
Update to Disable Mitigation against Spectre, Variant 2: KB4078130: Intel has identified reboot issues with microcode on some older processors
Surface Guidance: Surface Guidance to protect against speculative execution side-channel vulnerabilities
Verify the status of speculative execution side channel mitigations: Understanding Get-SpeculationControlSettings PowerShell script output
IT Pro Guidance: Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
Server Guidance: Windows Server guidance to protect against speculative execution side-channel vulnerabilities
Server Guidance for L1 Terminal Fault: Windows Server guidance to protect against L1 terminal fault
Developer guidance: Developer Guidance for Speculative Store Bypass
Server Hyper-V Guidance
Azure KB: KB4073235: Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities
Azure Stack guidance: KB4073418: Azure stack guidance to protect against the speculative execution side-channel vulnerabilities
Azure reliability: Azure Reliability Portal
SQL Server guidance: KB4073225: SQL Server Guidance to protect against speculative execution side-channel vulnerabilities
Links to OEM and Server device manufacturers for updates to protect against Spectre and Meltdown vulnerabilities
To help address these vulnerabilities, you must update both your hardware and software. Use the following links to check with your device manufacturer for applicable firmware (microcode) updates.
Use the following links to check with your device manufacturer for firmware (microcode) updates. You will have to install both operating system and firmware (microcode) updates for all available protections.
OEM Device Manufacturers |
Link to microcode availability |
Acer |
|
Asus |
ASUS Update on Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method |
Dell |
|
Epson |
|
Fujitsu |
CPU hardware vulnerable to side-channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) |
HP |
|
Lenovo |
|
LG |
|
NEC |
On the response to the processor's vulnerability (meltdown, spectrum) in our products |
Panasonic |
|
Samsung |
|
Surface |
Surface Guidance to protect against speculative execution side-channel vulnerabilities |
Toshiba |
|
Vaio |
Server OEM Manufacturers |
Link to microcode availability |
Dell |
|
Fujitsu |
CPU hardware vulnerable to side-channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) |
HPE |
Hewlett Packard Enterprise Product Security Vulnerability Alerts |
Huawei |
|
Lenovo |
Frequently asked questions
You will have to check with your device manufacturer for firmware (microcode) updates. If your device manufacturer is not listed in the table, contact your OEM directly.
Updates for Microsoft Surface devices are available to customers through Windows Update. For a list of available Surface device firmware (microcode) updates, see KB 4073065.
If your device is not from Microsoft, apply firmware updates from the device manufacturer. Contact your device manufacturerfor more information.
Addressing a hardware vulnerability by using a software update presents significant challenges and mitigations for older operating systems and can require extensive architectural changes. We are continuing to work with affected chip manufacturers to investigate the best way to provide mitigations. This may be provided in a future update. Replacing older devices that are running these older operating systems and also updating antivirus software should address the remaining risk.
Notes:
-
Products that are currently out of both mainstream and extended support will not receive these system updates. We recommend customers update to a supported system version.
-
Speculative execution side-channel attacks exploit CPU behavior and functionality. CPU manufacturers must first determine which processors may be at risk, and then notify Microsoft. In many cases, corresponding operating system updates will also be required to provide customers more comprehensive protection. We recommend that security-conscious Windows CE vendors work with their chip manufacturer to understand the vulnerabilities and applicable mitigations.
-
We will not be issuing updates for the following platforms:
-
Windows operating systems that are currently out of support or those entering end of service (EOS) in 2018
-
Windows XP-based systems including WES 2009 and POSReady 2009
-
Although Windows XP-based systems are affected products, Microsoft is not issuing an update for them because the comprehensive architectural changes that would be required would jeopardize system stability and cause application compatibility problems. We recommend that security-conscious customers upgrade to a newer supported operating system to keep pace with the changing security threat landscape and benefit from the more robust protections that newer operating systems provide.
Updates to Windows 10 for HoloLens are available to HoloLens customers through Windows Update.
After applying the February 2018 Windows Security Update, HoloLens customers do not have to take any additional action to update their device firmware. These mitigations will also be included in all future releases of Windows 10 for HoloLens.
Contact your OEM for more information.
For your device to be fully protected, you should install the latest Windows operating system security updates for your device and applicable firmware (microcode) updates from your device manufacturer. These updates should be available on your device manufacturer's website. Antivirus software updates should be installed first. Operating system and firmware updates can be installed in either order.
You will have to update both your hardware and your software to address this vulnerability. You will also have to install applicable firmware (microcode) updates from your device manufacturer for more comprehensive protection. We encourage you to keep your devices up-to-date by installing the monthly security updates.
In each Windows 10 feature update, we build the latest security technology deep into the operating system, providing defense-in-depth features that prevent entire classes of malware from impacting your device. Feature update releases are targeted twice a year. In each monthly quality update, we add another layer of security that tracks emerging and changing trends in malware to make up-to-date systems safer in the face of changing and evolving threats.
Microsoft has lifted the AV compatibility check for Windows security updates for supported versions of Windows 10, Windows 8.1 and Windows 7 SP1 devices through Windows Update.
Recommendations:-
Make sure that your devices are up-to-date by having the latest security updates from Microsoft and your hardware manufacturer. For more info about how to keep your device up-to-date, see Windows Update: FAQ.
-
Continue to practice sensible caution when you visit websites of unknown origin, and do not remain on sites that you do not trust. Microsoft recommends that all customers protect their devices by running a supported antivirus program. Customers can also take advantage of built-in antivirus protection: Windows Defender for Windows 10 devices, or Microsoft Security Essentials for Windows 7 devices. These solutions are compatible in cases in which customers can’t install or run antivirus software.
To help avoid adversely affecting customer devices, the Windows security updates released in January or February have not been offered to all customers. For details, see the Microsoft Knowledge Base article 4072699.
Intel has reported issues that affect recently released microcode that is intended to address Spectre Variant 2 (CVE-2017-5715 – “Branch Target Injection”). Specifically, Intel noted that this microcode can cause “higher than expected reboots and other unpredictable system behavior” and also that situations such as this may cause “data loss or corruption.” Our own experience is that system instability can, in some circumstances, cause data loss or corruption. On January 22, Intel recommended that customers stop deploying the current microcode version on affected processors while they perform additional testing on the updated solution. We understand that Intel is continuing to investigate the potential impact of the current microcode version, and we encourage customers to review their guidance on an ongoing basis to inform their decisions.
While Intel tests, updates, and deploys new microcode, we are making available an out-of-band (OOB) update, KB 4078130, that specifically disables only the mitigation against CVE-2017-5715 – “Branch Target Injection.” In our testing, this update has been found to prevent the behavior described. For the full list of devices, see Intel’s microcode revision guidance. This update covers Windows 7 (SP1), Windows 8.1, and all versions of Windows 10, for client and server. If you are running an impacted device, this update can be applied by downloading it from the Microsoft Update Catalog website. Application of this payload specifically disables only the mitigation against CVE-2017-5715 – “Branch Target Injection.”
As of January 25, there are no known reports to indicate that this Spectre Variant 2 (CVE-2017-5715) has been used to attack customers. We recommend that, when appropriate, Windows customers re-enable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.
No. Security Only updates are not cumulative. Depending on the operating system version you are running, you must install the all released Security Only updates to be protected against these vulnerabilities. For example, if you are running Windows 7 for 32-bit Systems on an affected Intel CPU you have to install every Security Only update starting from January 2018. We recommend installing these Security Only updates in the order of release.
Note An earlier version of this FAQ stated incorrectly that the February Security Only update included the security fixes released in January. In fact, it does not.No. Security update 4078130 was a specific fix to prevent unpredictable system behaviors, performance issues, and unexpected restarts after the installation of microcode. Applying the February security updates on Windows client operating systems enables all three mitigations. On Windows server operating systems, you still have to enable the mitigations after appropriate testing is performed. See Microsoft Knowledge Base article 4072698 for more information.
AMD recently announced they have started to release microcode for newer CPU platforms around Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection"). For more information refer to the AMD Security Updates and AMD Whitepaper: Architecture Guidelines around Indirect Branch Control. These are available from the OEM firmware channel.
Intel recently announced they have completed their validations and started to release microcode for newer CPU platforms. Microsoft is making available Intel validated microcode updates around Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection"). KB 4093836 lists specific Knowledge Base articles by Windows version. Each specific KB contains the available Intel microcode updates by CPU.
Microsoft is making available Intel validated microcode updates around Spectre Variant 2 (CVE-2017-5715 “Branch Target Injection”). To get the latest Intel microcode updates through Windows Update, customers must have installed Intel microcode on devices running a Windows 10 operating system prior to upgrading to the Windows 10 April 2018 Update (version 1803).
The microcode update is also available directly from the Update Catalog if it was not installed on the device prior to upgrading the system. Intel microcode is available through Windows Update, WSUS, or the Microsoft Update Catalog. For more information and download instructions, see KB 4100347.
For more information, see the following resources:
For details, see the “Recommended actions” and “FAQ” sections in ADV180012 | Microsoft Guidance for Speculative Store Bypass.
To verify the status of SSBD, the Get-SpeculationControlSettings PowerShell script has been updated to detect affected processors, status of the SSBD operating system updates, and state of the processor microcode if applicable. For more information and to obtain the PowerShell script, see KB4074629.
On June 13, 2018, an additional vulnerability involving side-channel speculative execution, known as Lazy FP State Restore, was announced and assigned CVE-2018-3665. There are no configuration (registry) settings needed for Lazy Restore FP Restore.
For more information about this vulnerability and recommended actions, please refer to the Security Advisory: ADV180016 | Microsoft Guidance for Lazy FP State Restore
Note There are no configuration (registry) settings needed for Lazy Restore FP Restore.
Bounds Check Bypass Store (BCBS) was disclosed on July 10, 2018 and assigned CVE-2018-3693. We consider BCBS to belong to the same class of vulnerabilities as Bounds Check Bypass (Variant 1). We are not currently aware of any instances of BCBS in our software, but we are continuing to research this vulnerability class and will work with industry partners to release mitigations as required. We continue to encourage researchers to submit any relevant findings to Microsoft’s Speculative Execution Side Channel bounty program, including any exploitable instances of BCBS. Software developers should review the developer guidance that has been updated for BCBS at https://aka.ms/sescdevguide.
On August 14, 2018, L1 Terminal Fault (L1TF) was announced and assigned multiple CVEs. These new speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and, if exploited, can lead to information disclosure. There are multiple vectors by which an attacker could trigger the vulnerabilities depending on the configured environment. L1TF affects Intel® Core® processors and Intel® Xeon® processors.
For more information about this vulnerability and a detailed view of affected scenarios, including Microsoft’s approach to mitigating L1TF please see the following resources:
Microsoft Surface customers: Customers using Microsoft Surface and Surface Book products need to follow the guidance for Windows Client outlined in the Security Advisory: ADV180018 | Microsoft Guidance to mitigate L1TF variant. See also Microsoft Knowledge Base Article 4073065 for more information about affected Surface products and availability of the microcode updates.
Microsoft Hololens customers: Microsoft HoloLens is unaffected by L1TF because it does not use an affected Intel processor.
The steps that are necessary to disable Hyper-Threading will differ from OEM to OEM but are generally part of the BIOS or firmware setup and configuration tools.
Customers using 64-bit ARM processors should check with the device OEM for firmware support because ARM64 operating system protections that mitigate CVE-2017-5715 - Branch target injection (Spectre, Variant 2) require the latest firmware update from device OEMs to take effect.
For details about this vulnerability, see the Microsoft Security Guide: CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability.
We’re not aware of any instance of this information disclosure vulnerability affecting our cloud service infrastructure.
As soon as we became aware of this issue, we worked quickly to address it and release an update. We strongly believe in close partnerships with both researchers and industry partners to make customers more secure, and did not publish details until Tuesday, August 6, consistent with coordinated vulnerability disclosure practices.
References
Microsoft provides third-party contact information to help you find additional information about this topic. This contact information may change without notice. Microsoft does not guarantee the accuracy of third-party contact information.