Guidance to mitigate speculative execution side-channel vulnerabilities
Released: Jan 3, 2018
Last updated: Jun 14, 2019
- Assigning CNA: Microsoft
NOTE This advisory was revised on July 10, 2018. Some content has been removed for simplicity and because it is no longer relevant. You can view the archived content for ADV180002 in the FAQ section following the Affected Products table.
Executive Summary
Microsoft is aware of a new publicly disclosed class of vulnerabilities referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems including Intel, AMD, and ARM. Note: this issue will affect other systems such as Android, Chrome, iOS, MacOS, so we advise customers to seek out guidance from those vendors.
An attacker who successfully exploited these vulnerabilities may be able to read privileged data across trust boundaries. In shared resource environments (such as exist in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another. In non-browsing scenarios on standalone systems, an attacker would need prior access to the system or an ability to run code on the system to leverage these vulnerabilities.
Microsoft has released updates to help mitigate these vulnerabilities. To get all available protections, firmware (microcode) and software updates are required. This may include microcode from device OEMs and in some cases updates to AV software as well. In some cases, installing these updates will have a performance impact. We have also taken action to secure our cloud services.
Microsoft has no information to indicate that these vulnerabilities have been used to attack customers at this time. Microsoft continues working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers.
This advisory addresses the following vulnerabilities:
- CVE-2017-5753 - Bounds check bypass
- CVE-2017-5715 - Branch target injection
- CVE-2017-5754 - Rogue data cache load
Recommended Actions
- The best protection is to keep computers up to date. Please see Knowledge Base Article 4073757 for guidance on protecting Windows devices. Customers using Surface products should see Microsoft Knowledge Base Article 4073065.
- Enterprise customers are recommended to review this advisory in detail and register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
- Software developers should review the C++ developer guidance for speculative execution side channels at https://aka.ms/sescdevguide.
- Verify the status of protections for CVE-2017-5715 and CVE-2017-5754 using the PowerShell script Get-SpeculationControlSettings. For more information and to obtain the PowerShell script see: Understanding Get-SpeculationControlSettings PowerShell script output.
Potential performance impacts
In testing Microsoft has seen some performance impact with these mitigations. For most consumer devices, the impact may not be noticeable; however, the specific impact varies by hardware generation and implementation by the chip manufacturer. Microsoft values the security of its software and services and has made the decision to implement certain mitigation strategies in an effort to better secure our products. In some cases, mitigations are not enabled by default to allow users and administrators to evaluate the performance impact and risk exposure before deciding to enable the mitigations. We continue to work with hardware vendors to improve performance while maintaining a high level of security.
Advisory Details
Vulnerabilities Description
Speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and can therefore lead to information disclosure. There are multiple vectors by which an attacker could trigger the vulnerabilities depending on the configured environment. For a detailed view of affected scenarios and Microsoft’s approach to mitigating this new class of vulnerabilities, please see our Security Research Blog.
The following table summarizes the CVEs, names, and affected processors for each of these vulnerabilities:
CVE | Public Vulnerability Name | Other Names | Processors Affected |
---|---|---|---|
CVE-2017-5753 | Bounds check bypass | Spectre, Variant 1 | AMD, ARM, Intel |
CVE-2017-5715 | Branch target injection | Spectre, Variant 2 | AMD, ARM, Intel |
CVE-2017-5754 | Rogue data cache load | Meltdown, Variant 3 | ARM, Intel |
The first two variants, Bounds check bypass (CVE-2017-5753) and Branch target injection (CVE-2017-5715), are collectively known as Spectre. An attacker who has successfully exploited these vulnerabilities may be able to read privileged data across trust boundaries. In shared resource environments (such as exist in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another. In non-browsing scenarios on standalone systems, an attacker would need prior access to the system or an ability to run untrusted code on the system to leverage these vulnerabilities. In browsing scenarios, an attacker could convince a user to visit a malicious site and leverage these vulnerabilities to disclose privileged information from the browser process, such as sensitive data from other open tabs. An attacker could also inject malicious code into advertising networks used by trusted sites or embed malicious code on a compromised, but trusted, site. Bounds check bypass store is an extension of Bounds check bypass.
The third variant, Rogue data cache load (CVE-2017-5754) is known as Meltdown. An attacker who has successfully exploited this vulnerability may be able to read privileged memory from an unprivileged context. The following table summarizes the relevance of these variants to the attack scenarios and trust boundaries. Each attack scenario is described in terms of the direction that information flows when performing a speculative execution side channel attack. The entries for each CVE indicate whether the speculation primitive is applicable to the corresponding attack scenario.
Attack Category | Attack Scenario | CVE-2017-5753 | CVE-2017-5715 | CVE-2017-5754 |
---|---|---|---|---|
Inter-VM | Hypervisor-to-guest | Applicable | Applicable | Not applicable |
Inter-VM | Host-to-guest | Applicable | Applicable | Not applicable |
Inter-VM | Guest-to-guest | Applicable | Applicable | Not applicable |
Intra-OS | Kernel-to-user | Applicable | Applicable | Applicable |
Intra-OS | Process-to-process | Applicable | Applicable | Not applicable |
Intra-OS | Intra-process | Applicable | Applicable | Not applicable |
Enclave | Enclave-to-any | Applicable | Applicable | Not applicable |
For a detailed view of these scenarios and our approach to mitigating this new class of vulnerabilities, please see our Security Research Blog.
Microsoft Windows client customers
Customers using Windows client operating systems need to apply both firmware (microcode) and software updates. See Microsoft Knowledge Base Article 4073119 for additional information. Customers using AMD processors should review FAQ #15 in this advisory for additional action you need to take. Microsoft is making available Intel-validated microcode updates for Windows 10 operating systems. Please see Microsoft Knowledge Base Article 4093836 for the current Intel microcode updates.
Microsoft Windows Server customers
Customers using Windows server operating systems listed in the Affected Products table need to apply firmware (microcode) and software updates as well as to configure protections. See Microsoft Knowledge Base Article 4072698 for additional information, including workarounds.
Microsoft Azure has taken steps to address the security vulnerabilities at the hypervisor level to protect Windows Server VMs running in Azure. More information can be found here.
Microsoft Surface customers
Customers using Microsoft Surface and Surface Book products need to apply both firmware (microcode) and software updates. Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. See Microsoft Knowledge Base Article 4073065 for more information.
Microsoft cloud customers
Microsoft has already deployed mitigations across our cloud services. More information is available here.
Microsoft SQL Server customers
In scenarios running Microsoft SQL Server, customers should follow the guidance outlined in Microsoft Knowledge Base Article 4073225.
Microsoft HoloLens customers
Updates to Windows 10 for HoloLens are available to HoloLens customers through Windows Update.
After applying the February 2018 Windows Security Update HoloLens customers do not need to take any additional action to update their device firmware. These mitigations will also be included in all future releases of Windows 10 for HoloLens.
Updated FAQ
Several of these FAQs have been updated or archived for simplicity. Please refer to the FAQ section following the Affected Products table for the archived FAQ content.
1. What systems are at risk from these vulnerabilities?
These vulnerabilities affect both client and server operating systems. Systems and services configured to allow execution of untrusted code are primarily at risk from these vulnerabilities. Additionally, client systems used in browser scenarios such as workstations or terminal servers are at increased risk of these vulnerabilities.
2. What are the associated CVEs for these vulnerabilities?
- See CVE-2017-5715
- See CVE-2017-5753
- See CVE-2017-5754
3. Have there been any active attacks detected?
No. At the time of publication, Microsoft has no information to indicate that these vulnerabilities have been used to attack customers.
4. Removed for simplicity (previously the FAQ addressed the date of disclosure).
5. I have not been offered the Windows security updates released on January 3, 2018. What should I do?
To help avoid adversely affecting customer devices, the Windows security updates released on January 3rd, 2018 were only offered to devices running compatible antivirus software. Please see Microsoft Knowledge Base Article 4072699 for more information about how to get the updates.
6. Removed for simplicity (previously the FAQ addressed availability of updates for Windows Server 2008 and Windows Server 2012 – see the Affected Products table for the updates)
7. Removed for simplicity (previously the FAQ addressed availability of updates for 32-bit versions of Windows (x86) – see the Affected Products table for the updates)
8. Removed for simplicity (previously the FAQ addressed the scope of the vulnerabilities – see the Vulnerabilities Description section of this advisory for this information)
9. Is my device protected after I’ve applied the Windows security updates?
No. Additional action may be required. Please refer to the following table:
CVE | Windows Changes | Requires microcode? | Requires additional action? |
---|---|---|---|
CVE-2017-5753 | Compiler change; recompiled binaries now part of Windows Updates, and Edge & IE11 hardened to prevent exploit from JavaScript | No | No |
CVE-2017-5715 | Calling new CPU instructions to eliminate branch speculation in risky situations | Yes | 1. Requires update to microcode 2. On Windows Server, the mitigation must be enabled. See KB 4072698 for more information. 3. If you are using an AMD processor, please see FAQ #15 for additional action. 4. If you are using an ARM processor, please see FAQ #19 & #20 for additional action. |
CVE-2017-5754 | Isolate kernel and user mode page tables | No | 1. On Windows Server 2019 the mitigation is enabled by default. 2. On Windows Server 2016 and earlier, the mitigation must be enabled. See KB 4072698 for more information. |
10. Removed for simplicity (previous FAQ addressed availability of updates for some systems using older AMD processors – see the Affected Products table for the updates)
11. Removed for simplicity (previous FAQ addressed reboot issues with Intel microcode on some older processors – see KB 4093836 for available microcode updates)
12. If I am on the Security Only branch, what Security Only updates do I need to install to be protected from the vulnerabilities described in this advisory?
Security Only updates are not cumulative. Depending on the operating system version you are using and the processor on the computer, you may need to install several security updates for full protection. In general, customers will need to install the January, February, March, and April updates. Systems based on AMD processors need an additional update as shown in the following table:
Operating System version | Security Update |
---|---|
Windows 8.1, Windows Server 2012 R2 | 4338815 - Monthly Rollup; 4338824 - Security Only |
Windows 7 SP1, Windows Server 2008 R2 SP1, or Windows Server 2008 R2 SP1 (Server Core installation) | 4284826 - Monthly Rollup; 4284867 - Security Only |
Windows Server 2008 SP2 | 4340583 - Security Update |
Microsoft recommends installing these Security Only updates in the order of release.
13. If I apply any of the applicable February security updates, will they disable the protections for CVE-2017-5715 like security update 4078130 did?
No. Security update 4078130 was a specific fix to prevent unpredictable system behaviors, performance issues, and/or unexpected reboots after installation of microcode. Applying the February security updates on Windows client operating systems enables all three mitigations. On Windows server operating systems, you still need to enable the mitigations after proper testing is performed. See Microsoft Knowledge Base Article 4072698 for more information.
14. I understand that Intel has released microcode updates. Where can I find and install these updates for my system?
Microsoft is providing Intel microcode updates for Windows operating systems as they become available. Please see Microsoft Knowledge Base Article 4093836 for the current Intel microcode updates.
15. What are the mitigations for AMD processors for CVE-2017-5715, Branch Target Injection?
The following table summarizes the attack scenarios that are protected against when the Windows Branch Target Injection mitigation is enabled and required hardware support is present on AMD CPUs:
Scenario | Mitigation |
---|---|
Process-to-process scenarios where a malicious user-mode application could use CVE-2017-5715 to disclose the contents of memory used by other applications. | Enabled by default |
User-to-kernel scenarios where a malicious user-mode application could use CVE-2017-5715 to disclose the contents of kernel memory. | Disabled by default |
Virtualization scenarios where a compromised virtual machine could use CVE-2017-5715 to read the contents of privileged memory allocated to the host, hypervisor, or other guest virtual machine. | Enabled by default |
By default, user-to-kernel protection for CVE-2017-5715 is disabled for AMD CPUs. Customers must enable the mitigation to receive additional protections for CVE-2017-5715. Enabling this mitigation may affect performance. The actual performance impact will depend on multiple factors, such as the specific chipset in your physical host and the workloads that are running. For details on how to enable this protection, see Microsoft Knowledge Base Article 4073119 for Windows Client operating systems.
For AMD CPUs that support SMT, further protection against attacks from sibling hardware threads is provided by enabling STIBP or turning off SMT. For additional details and AMD's recommended mitigations, please see AMD Security Updates and AMD Architecture Guidelines around Indirect Branch Control.
16. I understand that AMD has released microcode updates. Where can I find and install these updates for my system?
AMD recently announced they have started to release microcode for newer CPU platforms for Spectre variant 2 (CVE-2017-5715, Branch Target Injection). For more information refer to the AMD Security Updates and AMD White Paper: Architecture Guidelines around Indirect Branch Control.
Microsoft will inform customers of AMD microcode updates for Windows operating systems as they become available. Please check back to this FAQ for updates.
17. I heard that CVE-2018-3693 (Bounds Check Bypass Store) is related to Spectre. Will Microsoft release mitigations for it?
Bounds Check Bypass Store (BCBS) was disclosed on July 10, 2018 and assigned CVE-2018-3693. We consider BCBS to belong to the same class of vulnerabilities as Bounds Check Bypass (Variant 1). We are not currently aware of any instances of BCBS in our software, but we are continuing to research this vulnerability class and will work with industry partners to release mitigations as required. We continue to encourage researchers to submit any relevant findings to Microsoft’s Speculative Execution Side Channel bounty program, including any exploitable instances of BCBS. Software developers should review the developer guidance that has been updated for BCBS at https://aka.ms/sescdevguide.
18. I have an AMD-based device and I am experiencing high CPU utilization after installing the June or July Windows security updates or after installing a BIOS update for my device. Is this expected?
There have been reports of high CPU utilization resulting in performance degradation on some systems with Family 15h & 16h AMD processors after installing June 2018 or July 2018 Windows updates from Microsoft and updated AMD microcode that addresses Spectre Variant 2 (CVE-2017-5715 - Branch Target Injection). AMD and Microsoft have investigated this issue, and Microsoft has released a solution in the August 18, 2018 Windows security updates for the following operating systems:
- Windows 10 version 1607
- Windows 10 version 1709
- Windows 10 version 1803
- Windows 7 Service Pack 1
- Windows Server 2016
- Windows Server, version 1709 (Server Core Installation)
- Windows Server, version 1803 (Server Core Installation)
- Windows Server 2008 R2 Service Pack 1
AMD and Microsoft have investigated this issue, and Microsoft has released a solution in the November 13, 2018 Windows security updates for the following operating systems:
- Windows 8.1
- Windows Server 2008
- Windows Server 2012
- Windows Server 2012 R2
Remediation Guidance
Customers who wish to remediate the performance impact caused by this issue may wish to consider temporarily disabling the Spectre Variant 2 mitigations via registry settings for Windows until a solution for this issue is released. When a solution is released for this issue, customers will need to re-enable the registry settings.
Customers who disabled Spectre Variant 2 mitigations via registry settings for Windows will need to re-enable the registry settings.
Note: We do not recommend that customers uninstall the June or July security updates for Windows because the June and July updates provide numerous other critical security fixes.
Changing Registry Settings
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see [Microsoft Knowledge Base article 322756](https://support.microsoft.com/en-us/help/322756).
Note Enabling or disabling the Spectre Variant 2 mitigation through registry setting changes requires administrative rights and a restart.
To disable Spectre Variant 2 mitigations:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Restart the computer for the changes to take effect.
When the solution is available for your operating system, the registry keys will need to be re-enabled.
To enable Spectre Variant 2 mitigations:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Restart the computer for the changes to take effect.
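As an added example (not part of this advisory or of any Microsoft tool), the following PowerShell audits the FeatureSettingsOverride values set by the procedure above, classifies them against the two value pairs the advisory documents, can restore the "enable" values, and, where the SpeculationControl module is installed, shows what Get-SpeculationControlSettings reports (the verification step from Recommended Actions). The function names are mine; the BTI*/KVAShadow* wildcard selection and the -Quiet switch assume a current version of that module.

```powershell
# Added example, not Microsoft code. Run on Windows; reading the key needs no
# elevation, but Restore-BtiMitigation needs an elevated session and a restart.

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-FeatureSettingsOverride {
    # Returns the two override values the advisory uses, or $null where a value is absent.
    $item = Get-ItemProperty -Path $MemMgmtKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Override = if ($null -ne $item -and $null -ne $item.FeatureSettingsOverride) { [int]$item.FeatureSettingsOverride } else { $null }
        Mask     = if ($null -ne $item -and $null -ne $item.FeatureSettingsOverrideMask) { [int]$item.FeatureSettingsOverrideMask } else { $null }
    }
}

function Get-BtiOverrideState {
    # Classifies the pair against the values documented in FAQ #18 of the advisory.
    param($Override, $Mask)
    if ($null -eq $Override -and $null -eq $Mask) { return 'NotSet' }            # OS defaults apply
    if ($Override -eq 0 -and $Mask -eq 3)        { return 'ExplicitlyEnabled' }  # advisory "enable" values
    if ($Override -eq 1 -and $Mask -eq 3)        { return 'DisabledByOverride' } # advisory "disable" values
    return 'Other'                                                                # not covered here; see KB 4072698
}

function Restore-BtiMitigation {
    # Writes the advisory's "enable" values (Override=0, Mask=3). Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($MemMgmtKey, 'Set FeatureSettingsOverride=0, FeatureSettingsOverrideMask=3')) {
        New-ItemProperty -Path $MemMgmtKey -Name 'FeatureSettingsOverride'     -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $MemMgmtKey -Name 'FeatureSettingsOverrideMask' -PropertyType DWord -Value 3 -Force | Out-Null
        Write-Warning 'Restart the computer for the change to take effect.'
    }
}

function Show-SpeculationControlStatus {
    # Uses the module the advisory recommends for verification, if it is installed
    # (Install-Module SpeculationControl). Properties are wildcard-selected so the
    # code does not depend on exact property names; -Quiet suppresses the module's
    # console narration in current versions (drop it if your version rejects it).
    $cmd = Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue
    if (-not $cmd) {
        Write-Warning 'SpeculationControl module not found; see the advisory for where to obtain it.'
        return $null
    }
    Get-SpeculationControlSettings -Quiet | Select-Object -Property BTI*, KVAShadow*
}

# --- audit run ---
$state   = Get-FeatureSettingsOverride
$verdict = Get-BtiOverrideState -Override $state.Override -Mask $state.Mask
$fmt = { param($v) if ($null -eq $v) { '<absent>' } else { $v } }
"FeatureSettingsOverride={0} FeatureSettingsOverrideMask={1} -> {2}" -f (& $fmt $state.Override), (& $fmt $state.Mask), $verdict

switch ($verdict) {
    'DisabledByOverride' { Write-Warning 'Spectre Variant 2 mitigation is disabled by registry override; re-enable once the fix for your OS is installed (Restore-BtiMitigation).' }
    'Other'              { Write-Warning 'Override values differ from those documented in this advisory; review KB 4072698 before changing them.' }
    default              { Write-Output 'No advisory-documented disable override is present.' }
}

Show-SpeculationControlStatus
# Preview or apply the documented re-enable values:
#   Restore-BtiMitigation -WhatIf
#   Restore-BtiMitigation
```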
19. Where can I find and install ARM64 firmware that mitigates CVE-2017-5715 - Branch target injection (Spectre, Variant 2)?
Customers using 64-bit ARM processors should check with the device OEM for firmware support because ARM64 operating system protections that mitigate CVE-2017-5715 - Branch target injection (Spectre, Variant 2) require the latest firmware update from device OEMs to take effect.
20. What are the mitigations for ARM CPUs for CVE-2017-5715, Branch Target Injection?
The following table summarizes the attack scenarios that are protected against when the Windows Branch Target Injection mitigation is enabled and required hardware support is present on ARM CPUs:
Scenario | Mitigation |
---|---|
Process-to-process scenarios where a malicious user-mode application could use CVE-2017-5715 to disclose the contents of memory used by other applications. | Enabled by default |
User-to-kernel scenarios where a malicious user-mode application could use CVE-2017-5715 to disclose the contents of kernel memory. | Disabled by default |
Virtualization scenarios where a compromised virtual machine could use CVE-2017-5715 to read the contents of privileged memory allocated to the host, hypervisor, or other guest virtual machine. | Enabled by default |
By default, user-to-kernel protection for CVE-2017-5715 is disabled for ARM CPUs. Customers must enable the mitigation to receive additional protections for CVE-2017-5715. Enabling this mitigation may affect performance. The actual performance impact will depend on multiple factors, such as the specific chipset in your physical host and the workloads that are running. For details on how to enable this protection, see Microsoft Knowledge Base Article 4073119 for Windows Client operating systems.
Additional suggested actions
Protect your PC We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates, and installing antivirus software. For more information, see Microsoft Safety & Security Center.
Keep Microsoft software updated Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.
Exploitability
The following table provides an exploitability assessment for this vulnerability at the time of original publication.
- Publicly disclosed: No
- Exploited: No
- Exploitability assessment: Exploitation Less Likely
FAQ
NOTE: ADV180002 has been revised as of July 10, 2018. The following content is the original, archived version of ADV180002. Please refer to the top of this page for the most recent information concerning the speculative side-channel vulnerabilities discussed in this advisory.
Executive Summary
Microsoft is aware of a new publicly disclosed class of vulnerabilities referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems including Intel, AMD, and ARM. Note: this issue will affect other systems such as Android, Chrome, iOS, MacOS, so we advise customers to seek out guidance from those vendors.
Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See below for more details.
Microsoft has not received any information to indicate that these vulnerabilities have been used to attack customers at this time. Microsoft continues working closely with industry partners including chip makers, hardware OEMs and app vendors to protect customers. To get all available protections, hardware/firmware and software updates are required. This may include microcode from device OEMs and in some cases updates to AV software as well.
This advisory addresses the following vulnerabilities:
- CVE-2017-5753 - Bounds check bypass
- CVE-2017-5715 - Branch target injection
- CVE-2017-5754 - Rogue data cache load
Recommended Actions
For consumers, the best protection is to keep your computers up to date. You can do this by taking advantage of automatic update. Learn how to turn on automatic updates here. In addition to installing the January 2018 Windows security updates, you may also need to install firmware updates from your device manufacturer for increased protection. Check with your device manufacturer for relevant updates.
If automatic updates are enabled, the January 2018 Windows security update will be offered to the devices running supported anti-virus (AV) applications. Updates can be installed in any order.
- If you have automatic updating enabled and configured to provide updates for Windows, the updates are delivered to you when they are released, if your device and software are compatible. We recommend you verify these updates are installed. If automatic update is not enabled, manually check for and install the January 2018 Windows operating system security update.
- Install applicable firmware update provided by your OEM device manufacturer.
Customers using Surface products need to apply both firmware and software updates. See Microsoft Knowledge Base Article 4073065 for more information.
Potential performance impacts
In testing Microsoft has seen some performance impact with these mitigations. For most consumer devices, the impact may not be noticeable; however, the specific impact varies by hardware generation and implementation by the chip manufacturer. Microsoft values the security of its software and services and has made the decision to implement certain mitigation strategies in an effort to better secure our products. We continue to work with hardware vendors to improve performance while maintaining a high level of security.
Advisory Details
Vulnerabilities Description
Speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and can therefore lead to information disclosure. There are multiple vectors by which an attacker could trigger the vulnerabilities depending on the configured environment.
Microsoft has been working with hardware and software makers to jointly develop mitigations to protect customers across Microsoft’s products and services. These mitigations prevent attackers from triggering a weakness in the CPU which could allow the contents of memory to be disclosed.
Microsoft Windows client customers
In client scenarios, a malicious user mode application could be used to disclose the contents of kernel memory.
Customers using Windows client operating systems including Windows 7 Service Pack 1, Windows 8.1, and Windows 10 need to apply both firmware and software updates. See Microsoft Knowledge Base Article 4073119 for additional information.
Customers using Microsoft Surface and Surface Book products need to apply both firmware and software updates. Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically.
Microsoft will continue to work closely with industry partners to improve mitigations against this class of vulnerabilities.
Microsoft Windows Server customers
In server scenarios, a malicious user-mode application could be used to disclose the contents of kernel memory. In other multi-tenant hosting environments, a virtual machine could read the memory of the host operating system or the memory of other guest operating systems running on the same physical machine.
Customers using Windows server operating systems including Windows Server 2008 R2 Service Pack 1, Windows Server 2012 R2, and Windows Server 2016 need to apply firmware and software updates as well as configure protections. See Microsoft Knowledge Base Article 4072698 for additional information, including workarounds.
Microsoft Azure has taken steps to address the security vulnerabilities at the hypervisor level to protect Windows Server VMs running in Azure. More information can be found here.
Microsoft will continue to work closely with industry partners to improve mitigations against this class of vulnerabilities.
Microsoft cloud customers
Microsoft has already deployed mitigations across the majority of our cloud services and is accelerating efforts to complete the remainder. More information is available here.
Microsoft SQL Server customers
In scenarios running Microsoft SQL Server, customers should follow the guidance outlined in Microsoft Knowledge Base Article 4073225.
Microsoft HoloLens customers
Updates to Windows 10 for HoloLens are available to HoloLens customers through Windows Update.
After applying the February 2018 Windows Security Update HoloLens customers do not need to take any additional action to update their device firmware. These mitigations will also be included in all future releases of Windows 10 for HoloLens.
FAQ
1. What systems are at risk from these vulnerabilities?
These vulnerabilities affect both client and server operating systems; systems and services configured to allow execution of untrusted code are primarily at risk from these vulnerabilities. Additionally, client systems used in browser scenarios such as workstations or terminal servers are at increased risk of these vulnerabilities.
2. What are the associated CVEs for these vulnerabilities?
- See CVE-2017-5715
- See CVE-2017-5753
- See CVE-2017-5754
3. Have there been any active attacks detected?
No. When this security advisory was issued, Microsoft had not received any information to indicate that these vulnerabilities had been used to attack customers.
4. Have these vulnerabilities been publicly disclosed?
Yes. The vulnerabilities were disclosed on January 3, 2018 at https://bugs.chromium.org/p/project-zero/issues/detail?id=1272
5. I was not offered the Windows security updates released on January 3, 2018. What should I do?
To help avoid adversely affecting customer devices, the Windows security updates released on January 3rd, 2018 have only been offered to devices running compatible antivirus software. Please see Microsoft Knowledge Base Article 4072699 for more information about how to get the updates.
6. Why aren't Windows Server 2008 and Windows Server 2012 platforms getting an update? When can customers expect the fix?
Addressing a hardware vulnerability with a software update presents significant challenges with some operating systems requiring extensive architectural changes. Microsoft continues to work with affected chip manufacturers and investigate the best way to provide mitigations.
Update March 13, 2018: Microsoft has released the following security updates for Windows Server 2008 and Windows Server 2012 to provide mitigations against the vulnerabilities discussed in this advisory. See the Affected Products table for links to download and install the updates. Note that these updates are also available via Windows Update.
- 4090450 – Windows Server 2008 for 32-bit Systems
- 4090450 – Windows Server 2008 for x64-based Systems
- 4090450 – Windows Server 2008 for Itanium-based Systems
- 4088877 – (Monthly Rollup) Windows Server 2012
- 4088880 – (Security Only) Windows Server 2012
7. I have an x86 architecture and the PowerShell Verification output indicates that I am not fully protected from these speculative execution side-channel vulnerabilities. Will Microsoft provide complete protections in the future?
Addressing a hardware vulnerability with a software update presents significant challenges and mitigations for older operating systems that require extensive architectural changes. The existing 32 bit update packages listed in this advisory fully address CVE-2017-5753 and CVE-2017-5715, but do not provide protections for CVE-2017-5754 at this time. Microsoft is continuing to work with affected chip manufacturers and investigate the best way to provide mitigations for x86 customers, which may be provided in a future update.
Update March 13, 2018: Microsoft has released the following security updates to provide additional protections for 32-bit (x86) versions of Windows related to CVE 2017-5754 (“Meltdown”). See the Affected Products table for links to download and install the updates. Note that these updates are also available via Windows Update.
- 4088875 – (Monthly Rollup) for Windows 7 for 32-bit Systems Service Pack 1
- 4088878 – (Security Only) for Windows 7 for 32-bit Systems Service Pack 1
- 4088876 – (Monthly Rollup) for Windows 8.1 for 32-bit Systems
- 4088879 – (Security Only) for Windows 8.1 for 32-bit Systems
Update February 13, 2018: Microsoft has released the following security updates to provide additional protections for 32-bit (x86) versions of Windows 10 related to CVE 2017-5754 (“Meltdown”). See the Affected Products table for links to download and install the updates from the Microsoft Update Catalog:
- 4074596 – Windows 10 for 32-bit Systems
- 4074591 – Windows 10 Version 1511 for 32-bit Systems
- 4074590 – Windows 10 Version 1607 for 32-bit Systems
- 4074592 – Windows 10 Version 1703 for 32-bit Systems
Update January 18, 2018: Microsoft has released security update 4073291 to provide additional protections for the 32-bit (x86) version of Windows 10 Version 1709 related to CVE 2017-5754 (“Meltdown”). See the Affected Products table for links to download and install the update from the Microsoft Update Catalog.
8. What is the scope of the vulnerabilities?
These vulnerabilities are information disclosure vulnerabilities. An attacker who successfully exploited these vulnerabilities could use them to leak sensitive information that could be used for further exploitation of the system. In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another. In non-browsing scenarios on standalone systems, an attacker would need prior access to the system or an ability to run untrusted code on the system to leverage these vulnerabilities. In browsing scenarios, an attacker could convince a user to visit a malicious site to leverage these vulnerabilities. An attacker could also inject malicious code into advertising networks used by trusted sites or embed malicious code on a compromised, but trusted, site.
By themselves, these vulnerabilities do not allow arbitrary code execution.
9. Is my device protected after I’ve applied the Windows security updates Microsoft released on January 3, 2018?
To get all available protections for your device(s) against the three vulnerabilities described in this advisory, you must install the security updates for Windows and apply microcode updates provided by your hardware OEM.
If your OEM does not provide a microcode update, or if you are unable to apply it, the Windows security updates released on January 3, 2018 alone address:
- CVE-2017-5753 - Bounds check bypass
- CVE-2017-5754 - Rogue data cache load
To address CVE-2017-5715 - Branch target injection, you must apply a microcode update in conjunction with the Windows security update. Any questions regarding microcode updates must be directed to your OEM. Systems without updated microcode remain vulnerable to information disclosure as described in FAQ 8: What is the scope of the vulnerabilities?
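The following PowerShell function is an added example, not part of Microsoft's advisory. It maps the output of the SpeculationControl module that Microsoft published on the PowerShell Gallery (the "PowerShell Verification" mentioned in FAQ 7) onto the three CVEs in this advisory, so that the case described above, Windows update installed but no OEM microcode, shows up as "microcode missing" rather than as a generic failure. The function name Get-AdvisoryProtectionStatus and the sample object are assumptions of this example; the property names are the ones Get-SpeculationControlSettings returns. CVE-2017-5753 has no separate flag in the module, so the function only restates what the advisory says about it.

```powershell
# Added example (not from the advisory): map Get-SpeculationControlSettings
# output to the three CVEs in ADV180002.
# Assumes the PowerShell Gallery module is installed:
#   Install-Module -Name SpeculationControl -Scope CurrentUser
# Function name and sample data are constructed for this example.

function Get-AdvisoryProtectionStatus {
    [CmdletBinding()]
    param(
        # Optional: pass an object with the module's properties to exercise the
        # mapping without the module (used with the constructed sample below).
        [Parameter(Mandatory = $false)]
        [psobject]$Settings
    )

    if (-not $Settings) {
        Import-Module SpeculationControl -ErrorAction Stop
        $Settings = Get-SpeculationControlSettings
    }

    # CVE-2017-5715 (Branch Target Injection) needs OS support AND microcode.
    $btiHardware = [bool]$Settings.BTIHardwarePresent
    $btiOs       = [bool]$Settings.BTIWindowsSupportPresent
    $btiEnabled  = [bool]$Settings.BTIWindowsSupportEnabled

    # CVE-2017-5754 (Rogue Data Cache Load) is mitigated by kernel VA shadowing.
    # KVAShadowRequired is $false on CPUs the module considers not affected.
    $kvaRequired = [bool]$Settings.KVAShadowRequired
    $kvaOs       = [bool]$Settings.KVAShadowWindowsSupportPresent
    $kvaEnabled  = [bool]$Settings.KVAShadowWindowsSupportEnabled

    $bti = if (-not $btiOs)           { 'Windows update missing' }
           elseif (-not $btiHardware) { 'microcode missing (OEM firmware update required)' }
           elseif (-not $btiEnabled)  { 'disabled by policy (check FeatureSettingsOverride)' }
           else                       { 'mitigated' }

    $rdcl = if (-not $kvaRequired)    { 'not affected' }
            elseif (-not $kvaOs)      { 'Windows update missing' }
            elseif (-not $kvaEnabled) { 'disabled by policy (check FeatureSettingsOverride)' }
            else                      { 'mitigated' }

    [pscustomobject]@{
        'CVE-2017-5715 Branch target injection' = $bti
        'CVE-2017-5754 Rogue data cache load'   = $rdcl
        'CVE-2017-5753 Bounds check bypass'     = 'addressed by the Windows update itself; the module reports no separate flag'
        FullyProtected = ($bti -eq 'mitigated') -and (@('mitigated', 'not affected') -contains $rdcl)
    }
}

# Constructed sample for the FAQ 9 case: OS update installed, no OEM microcode yet.
$noMicrocode = [pscustomobject]@{
    BTIHardwarePresent             = $false
    BTIWindowsSupportPresent       = $true
    BTIWindowsSupportEnabled       = $false
    KVAShadowRequired              = $true
    KVAShadowWindowsSupportPresent = $true
    KVAShadowWindowsSupportEnabled = $true
}
Get-AdvisoryProtectionStatus -Settings $noMicrocode | Format-List

# Live check on this machine (requires the module):
# Get-AdvisoryProtectionStatus | Format-List
```

For the constructed sample the function reports CVE-2017-5754 as mitigated and CVE-2017-5715 as "microcode missing", which is exactly the partial state this FAQ describes: the January update alone covers 5753 and 5754, and 5715 waits on the OEM firmware.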
10. I have an AMD-based device and compatible antivirus software, but I am not getting the January 2018 Windows Security Update. Why is that?
Microsoft worked with AMD to resolve update blocks on a small subset of older AMD processors (that were previously blocked to avoid users getting into an unbootable state after installation of recent Windows operating system security updates). As of January 18, 2018, Microsoft has resumed updating all AMD devices with the Windows operating system security update to help protect against the chipset vulnerabilities known as Spectre and Meltdown. The following Windows operating system update KBs include information on how to get the update. Note that you first need a compatible antivirus software application installed before updating.
- January 3, 2018—KB4056897 (Security-only update)
- January 9, 2018—KB4056894 (Monthly Rollup)
- January 3, 2018—KB4056888 (OS Build 10586.1356)
- January 3, 2018—KB4056892 (OS Build 16299.192)
- January 3, 2018—KB4056891 (OS Build 15063.850)
- January 3, 2018—KB4056890 (OS Build 14393.2007)
- January 3, 2018—KB4056898 (Security-only update)
- January 3, 2018—KB4056893 (OS Build 10240.17735)
- January 9, 2018—KB4056895 (Monthly Rollup)
For AMD device-specific information please refer to AMD’s Security Advisory. Customers using Windows client operating systems including Windows 7 Service Pack 1, Windows 8.1, and Windows 10 should see Microsoft Knowledge Base Article 4073119 for more information. Customers using Windows server operating systems including Windows Server 2008 R2 Service Pack 1, Windows Server 2012 R2, and Windows Server 2016 should see Microsoft Knowledge Base Article 4072698 for more information.
11. Intel has identified reboot issues with microcode on some older processors. What should I do?
Intel has reported issues with recently released microcode meant to address Spectre variant 2 (CVE 2017-5715 Branch Target Injection) – specifically Intel noted that this microcode can cause “higher than expected reboots and other unpredictable system behavior” and then noted that situations like this may result in “data loss or corruption.” Our own experience is that system instability can in some circumstances cause data loss or corruption. On January 22nd Intel recommended that customers stop deploying the current microcode version on impacted processors while they perform additional testing on the updated solution. We understand that Intel is continuing to investigate the potential impact of the current microcode version and encourage customers to review their guidance on an ongoing basis to inform their decisions.
While Intel tests, updates, and deploys new microcode, we are making available an out-of-band update today, KB4078130, that specifically disables only the mitigation against the CVE 2017-5715 - Branch Target Injection vulnerability. In our testing this update has been found to prevent the behavior described. For the full list of devices, see Intel’s microcode revision guidance. This update covers Windows 7 Service Pack 1, Windows 8.1, and all versions of Windows 10, for client and server. If you are running an impacted device, this update can be applied by downloading it from the Microsoft Update Catalog. Application of this payload specifically disables only the mitigation against the CVE 2017-5715 - Branch Target Injection vulnerability.
As of January 25, there are no known reports to indicate that this Spectre variant 2 (CVE 2017-5715) has been used to attack customers. We recommend Windows customers, when appropriate, re-enable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.
Update April 24, 2018:
Microsoft has released stand-alone security update 4078407 that by default enables the mitigation against Spectre variant 2 (CVE 2017-5715) for all supported versions of Windows 10 and Windows 10 Servers. This update can be applied by downloading it from the Microsoft Update Catalog. For more information see Microsoft Knowledge Base Article 4078407.
12. If I have not installed the January 2018 Security Only updates or the February 2018 Security Only updates, what do I need to install to be protected from the vulnerabilities described in this advisory?
Security Only updates are not cumulative. Depending on the operating system version you are running, you would need to install the January, February, and March Security Only Updates to be protected against the vulnerabilities described in this advisory. For example, if you are running Windows 7 for 32-bit Systems on an affected Intel CPU you need to install the January, February, and March Security Only Updates. We recommend installing these Security Only updates in the order of release. Note: an earlier version of this FAQ incorrectly stated that the February Security Only update included the security fixes released in January for the issues associated with this advisory.
13. If I apply any of the applicable February security updates, will they disable the protections for CVE-2017-5715 like security update 4078130 did?
No. Security update 4078130 was a specific fix to prevent unpredictable system behaviors, performance issues, and/or unexpected reboots after installation of microcode. Applying the February security updates on Windows client operating systems enables all three mitigations. On Windows server operating systems, you still need to enable the mitigations after proper testing is performed. See Microsoft Knowledge Base Article 4072698 for more information.
14. I understand that Intel has released microcode updates. Where can I find and install these updates for my system?
These updates are currently available via the Microsoft Update Catalog for devices running Windows 10 Version 1709 and Windows Server, version 1709. For more information and the latest available microcode update for devices running Windows 10 Version 1709 or Windows Server, version 1709, see Microsoft Knowledge Base Article 4090007.
Update May 15, 2018:
These updates are currently available via the Microsoft Update Catalog for devices running Windows 10 Version 1803 and Windows Server, version 1803. For more information and the latest available microcode update for devices running Windows 10 Version 1803 or Windows Server, version 1803, see Microsoft Knowledge Base Article 4100347.
Update April 24, 2018:
These updates are currently available via the Microsoft Update Catalog for devices running Windows 10. For more information and the latest available microcode update for devices running Windows 10, see Microsoft Knowledge Base Article 4091666.
Update March 14, 2018:
These updates are currently available via the Microsoft Update Catalog for devices running Windows 10 Version 1703. For more information and the latest available microcode update for devices running Windows 10 Version 1703, see Microsoft Knowledge Base Article 4091663.
These updates are currently available via the Microsoft Update Catalog for devices running Windows 10 Version 1607 and Windows Server 2016. For more information and the latest available microcode update for devices running Windows 10 Version 1607 or Windows Server 2016, see Microsoft Knowledge Base Article 4091664.
Microsoft will make available Intel microcode updates for Windows operating systems as they become available. Please see Microsoft Knowledge Base Article 4093836 or check back to this FAQ for the current Intel microcode updates.
15. What are the mitigations for AMD processors for CVE 2017-5715, Branch Target Injection?
Customers running Windows 10 Version 1709 and Windows Server, version 1709 (Server Core installation) need to install security update 4093112 for additional mitigations for AMD processors for CVE 2017-5715, Branch Target Injection. See the Affected Products table for links to download and install the updates. This update is also available via Windows Update.
Update July 10, 2018
Customers running Windows 8.1, Windows Server 2012 R2, or Windows Server 2012 R2 (Server Core installation) need to install security update 4338815 (monthly rollup) or 4338824 (security only) for additional mitigations for AMD processors for CVE 2017-5715 - Branch Target Injection. See the Affected Products table for links to download and install the updates. These updates are also available via Windows Update.
Customers running Windows Server 2012 or Windows Server 2012 (Server Core installation) need to install security update 4338830 (monthly rollup) or 4338820 (security only) for additional mitigations for AMD processors for CVE 2017-5715 - Branch Target Injection. See the Affected Products table for links to download and install the updates. These updates are also available via Windows Update.
Customers running Windows Server 2008 or Windows Server 2008 (Server Core installation) need to install security update 4340583 for additional mitigations for AMD processors for CVE 2017-5715 - Branch Target Injection. See the Affected Products table for links to download and install the updates. These updates are also available via Windows Update.
Update June 12, 2018
Customers running Windows 10 Version 1703 need to install security update 4284874 for additional mitigations for AMD processors for CVE 2017-5715 - Branch Target Injection. See the Affected Products table for links to download and install the updates. These updates are also available via Windows Update.
Customers running Windows 10 need to install security update 4284860 for additional mitigations for AMD processors for CVE 2017-5715 - Branch Target Injection. See the Affected Products table for links to download and install the updates. These updates are also available via Windows Update.
Customers running Windows 7, Windows Server 2008 R2, or Windows Server 2008 R2 (Server Core installation) need to install security update 4284826 (monthly rollup) or 4284867 (security only) for additional mitigations for AMD processors for CVE 2017-5715 - Branch Target Injection. See the Affected Products table for links to download and install the updates. These updates are also available via Windows Update.
Update May 8, 2018:
Customers running Windows 10 Version 1607, Windows Server 2016, and Windows Server 2016 (Server Core installation) need to install security update 4103723 for additional mitigations for AMD processors for CVE 2017-5715 - Branch Target Injection. See the Affected Products table for links to download and install the updates. These updates are also available via Windows Update.
The following table summarizes the attack scenarios that are protected against when the Windows Branch Target Injection mitigation is enabled and required hardware support is present on AMD CPUs:
Scenario | Mitigation |
---|---|
Process-to-process scenarios where a malicious user-mode application could use CVE-2017-5715 to disclose the contents of memory used by other applications. | Enabled by default |
User-to-kernel scenarios where a malicious user-mode application could use CVE-2017-5715 to disclose the contents of kernel memory. | Disabled by default |
Virtualization scenarios where a compromised virtual machine could use CVE-2017-5715 to read the contents of privileged memory allocated to the host, hypervisor, or other guest virtual machine. | Enabled by default |
By default, user-to-kernel protection for CVE-2017-5715 is disabled for AMD CPUs. Customers must enable the mitigation to receive additional protections for CVE-2017-5715. Enabling this mitigation may affect performance. The actual performance impact will depend on multiple factors, such as the specific chipset in your physical host and the workloads that are running. For details on how to enable this protection, see Microsoft Knowledge Base Article 4073119 for Windows Client operating systems.
For AMD CPUs that support SMT, further protection against attacks from sibling hardware threads is provided by STIBP enablement or by turning off SMT. For additional details and AMD recommended mitigations please see AMD Security Updates and AMD Architecture Guidelines around Indirect Branch Control.
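As an added example that is not part of the advisory: the user-to-kernel row of the table above is "Disabled by default" on AMD CPUs, and the FAQ points to Microsoft Knowledge Base Article 4073119 for enabling it. The registry value names FeatureSettingsOverride and FeatureSettingsOverrideMask and the numbers used below (64/3 to enable AMD user-to-kernel protection, 0/3 to enable the mitigations on servers as FAQ 13 requires, 1/1 to disable only the variant 2 mitigation, the effect FAQ 11 attributes to KB4078130) are taken from Microsoft Knowledge Base Articles 4073119 and 4072698; confirm them there before changing a production system. The function names and the decoding helper are assumptions of this example. A restart is needed for any change to take effect.

```powershell
# Added example (not from the advisory): read and, on request, set the
# registry override for the AMD user-to-kernel Branch Target Injection
# protection from FAQ 15. Values per KB4073119 / KB4072698; function names
# are constructed for this example. Changes take effect after a restart.

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function ConvertFrom-FeatureSettingsOverride {
    param([Nullable[int]]$Override, [Nullable[int]]$Mask)

    # No override present: the OS defaults from the FAQ 15 table apply
    # (user-to-kernel BTI protection off on AMD, the other mitigations on).
    if ($null -eq $Override -or $null -eq $Mask) {
        return [pscustomobject]@{
            Source                      = 'OS default (no override set)'
            BTIMitigationDisabled       = $false
            KVAShadowMitigationDisabled = $false
            AmdUserToKernelBTIEnabled   = $false
        }
    }
    [pscustomobject]@{
        Source                      = "FeatureSettingsOverride=$Override Mask=$Mask"
        # Bit 0 disables the CVE-2017-5715 mitigation, bit 1 the CVE-2017-5754
        # mitigation; the mask selects which of those bits the OS honours.
        BTIMitigationDisabled       = (($Override -band $Mask) -band 1) -ne 0
        KVAShadowMitigationDisabled = (($Override -band $Mask) -band 2) -ne 0
        # Bit 6 (decimal 64) is the value KB4073119 sets to turn on
        # user-to-kernel BTI protection on AMD CPUs.
        AmdUserToKernelBTIEnabled   = ($Override -band 64) -ne 0
    }
}

function Get-SpectreOverrideState {
    # Reads the live registry values; $null when a value is absent.
    $p = Get-ItemProperty -Path $MemMgmtKey -ErrorAction SilentlyContinue
    $o = if ($null -ne $p -and $null -ne $p.FeatureSettingsOverride)     { [int]$p.FeatureSettingsOverride }     else { $null }
    $m = if ($null -ne $p -and $null -ne $p.FeatureSettingsOverrideMask) { [int]$p.FeatureSettingsOverrideMask } else { $null }
    ConvertFrom-FeatureSettingsOverride -Override $o -Mask $m
}

function Enable-AmdUserToKernelBTI {
    # Writes the KB4073119 values for AMD user-to-kernel protection.
    # Run elevated; -WhatIf previews the change without writing anything.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($MemMgmtKey, 'Set FeatureSettingsOverride=64, FeatureSettingsOverrideMask=3')) {
        New-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverride     -PropertyType DWord -Value 64 -Force | Out-Null
        New-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3  -Force | Out-Null
        Write-Output 'Override written; restart, then re-check with Get-SpeculationControlSettings.'
    }
}

# Before: the default state from the FAQ 15 table (nothing overridden).
ConvertFrom-FeatureSettingsOverride -Override $null -Mask $null | Format-List
# After the KB4073119 values: user-to-kernel protection on, nothing disabled.
ConvertFrom-FeatureSettingsOverride -Override 64 -Mask 3 | Format-List
# Server default enable (FAQ 13): both mitigations on, no AMD user-to-kernel flag.
ConvertFrom-FeatureSettingsOverride -Override 0 -Mask 3 | Format-List
# Only the variant 2 mitigation disabled, the state FAQ 11 describes for KB4078130.
ConvertFrom-FeatureSettingsOverride -Override 1 -Mask 1 | Format-List

# On a real machine:
#   Get-SpectreOverrideState
#   Enable-AmdUserToKernelBTI -WhatIf
```

Keep the decode and the write separate, as here: the read-only state check can run as part of routine configuration auditing, while the write is gated behind ShouldProcess and a restart, so the performance impact the FAQ warns about is taken on deliberately and can be measured against the workload first.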
16. I understand that AMD has released microcode updates. Where can I find and install these updates for my system?
AMD recently announced they have started to release microcode for newer CPU platforms around Spectre variant 2 (CVE 2017-5715 Branch Target Injection). For more information refer to the AMD Security Updates and AMD White Paper: Architecture Guidelines around Indirect Branch Control.
Microsoft will inform customers of AMD microcode updates for Windows operating systems as they become available. Please check back to this FAQ for updates.
Additional suggested actions
Protect your PC
We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates, and installing antivirus software. For more information, see Microsoft Safety & Security Center.
Keep Microsoft software updated
Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.
Acknowledgements
- Jann Horn of Google Project Zero
- Paul Kocher
- Moritz Lipp from Graz University of Technology
- Daniel Genkin from University of Pennsylvania and University of Maryland
- Daniel Gruss from Graz University of Technology
- Werner Haas of Cyberus Technology GmbH
- Mike Hamburg of Rambus Security Division
- Stefan Mangard from Graz University of Technology
- Thomas Prescher of Cyberus Technology GmbH
- Michael Schwarz from Graz University of Technology
- Yuval Yarom of The University of Adelaide and Data61
- Anders Fogh of GDATA Advanced Analytics
Additional information on the Meltdown and Spectre attacks can be found at their respective web sites.
Security Updates
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.
Disclaimer
Revisions
Updated the table in FAQ #9 with information for customers using an ARM processor.
To provide protection against the Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) vulnerabilities for systems running VIA processors, Microsoft has released the following security updates:
1. Security update 4493472 (monthly rollup) or 4493448 (security only) for Windows 7, Windows Server 2008 R2, or Windows Server 2008 R2 for x64-based Systems (Server Core installation) - see https://support.microsoft.com/en-us/help/4493472/ or https://support.microsoft.com/en-us/help/4493448/ for more information.
2. Security update 4493446 (monthly rollup) for Windows RT 8.1; Security update 4493446 (monthly rollup) or 4493467 (security only) for Windows 8.1, Windows Server 2012 R2, or Windows Server 2012 R2 (Server Core installation) - see https://support.microsoft.com/en-us/help/4493446/ or https://support.microsoft.com/en-us/help/4493467/ for more information.
3. Cumulative update 4493464 for Windows 10 Version 1803 or Windows Server, version 1803 (Server Core Installation) - see https://support.microsoft.com/en-us/help/4493464/ for more information.
Please note that these updates are for VIA processors only. For further Windows Client (IT Pro) guidance, see https://support.microsoft.com/en-us/help/4073119/. For Windows Server guidance, see https://support.microsoft.com/en-us/help/4072698/.
The following updates have been made:
1. Added information to FAQ #9 for customers running Windows Server 2019.
2. Updated FAQ #18 to announce that with the Windows security updates released on November 13, 2018, Microsoft is providing the solution for customers with AMD-based devices who experienced high CPU utilization after installing the June or July security updates and updated microcode from AMD. Microsoft recommends that these customers install the November Windows security updates and re-enable the Spectre Variant 2 mitigations if they were previously disabled. This solution is available in the November Windows security updates for: Windows Server 2008, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.
3. Added FAQ #20 to address the mitigations for ARM CPUs for CVE 2017-5715, Branch Target Injection.
The following updates have been made:
1. Microsoft has released security update 4457128 for Windows 10 Version 1803 for ARM64-based Systems to provide protection against CVE-2017-5715. See the Affected Products table for links to download and install the update. Note that this update is also available via Windows Update.
2. Added FAQ #19 to explain where customers can find and install ARM64 firmware that addresses CVE-2017-5715 - Branch target injection (Spectre, Variant 2).
Updated FAQ #18 to announce that with the Windows security updates released on August 14, 2018, Microsoft is providing the solution for customers with AMD-based devices who experienced high CPU utilization after installing the June or July security updates and updated microcode from AMD. Microsoft recommends that these customers install the August Windows security updates and re-enable the Spectre Variant 2 mitigations if they were previously disabled. This solution is available in the August Windows security updates for: Windows 10 version 1607, Windows 10 version 1709, Windows 10 version 1803, Windows 7 Service Pack 1, Windows Server 2016, Windows Server, version 1709 (Server Core Installation), Windows Server, version 1803 (Server Core Installation), and Windows Server 2008 R2 Service Pack 1. The FAQ will be updated as further updates become available.
Added FAQ #18 to address a high CPU utilization issue some customers with an AMD-based device are experiencing after installing the June or July Windows security updates or after installing a BIOS update.
To address a known issue in the security updates released on July 10, Microsoft is releasing Alternate Cumulative update packages for Windows 10, and Standalone and Preview Rollup packages for all other supported editions of Windows. These packages are available via Microsoft Update catalog, WSUS, or by manually searching Windows Update. Customers who are experiencing issues after installing the July Windows security updates should install the replacement packages as applicable. Please refer to the Affected Products table for the replacement package KB numbers. Customers who have successfully installed the security updates and who are not experiencing any issues do not need to take any action.
- Updated FAQ #15 to announce that the following security updates provide additional mitigations for AMD processors for CVE-2017-5715:
  1. Security update 4338815 (monthly rollup) or 4338824 (security only) for Windows 8.1, Windows Server 2012 R2, or Windows Server 2012 R2 (Server Core installation) - see https://support.microsoft.com/en-us/help/4338815/ or https://support.microsoft.com/en-us/help/4338824/ for more information.
  2. Security update 4338830 (monthly rollup) or 4338820 (security only) for Windows Server 2012 or Windows Server 2012 (Server Core installation) - see https://support.microsoft.com/en-us/help/4338830/ or https://support.microsoft.com/en-us/help/4338820/ for more information.
  3. Security update 4340583 for Windows Server 2008 or Windows Server 2008 (Server Core installation) - see https://support.microsoft.com/en-us/help/4340583/ for more information.
- As of July 10, 2018, this advisory has been completely updated to provide customers with the most up-to-date information to protect systems from speculative side-channel execution vulnerabilities CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754. Some content has been removed for simplicity and because it is no longer relevant. You can view the archived content for ADV180002 in the FAQ section following the Affected Products table.
- Updated FAQ #15 to announce that the following security updates provide additional mitigations for AMD processors for CVE-2017-5715:
  1. Security update 4284874 for Windows 10 Version 1703 - see https://support.microsoft.com/en-us/help/4103723/ for more information.
  2. Security update 4284860 for Windows 10 - see https://support.microsoft.com/en-us/help/4284860/ for more information.
  3. Security update 4284826 (monthly rollup) or 4284867 (security only) for Windows 7, Windows Server 2008 R2, or Windows Server 2008 R2 (Server Core installation) - see https://support.microsoft.com/en-us/help/4284826/ or https://support.microsoft.com/en-us/help/4284867/ for more information.
Updated FAQ #14 to announce that a stand-alone update for Windows 10 Version 1803 and Windows Server, version 1803 is available via the Microsoft Update Catalog. This update includes microcode updates from Intel. See Microsoft Knowledge Base Article 4100347 for more information.