Microsoft Guidance for Speculative Store Bypass
Released: May 21, 2018
Last updated: Jan 8, 2019
Assigning CNA: Microsoft
Executive summary
On January 3, 2018, Microsoft released an advisory and security updates related to a newly-discovered class of hardware vulnerabilities (known as Spectre and Meltdown) involving speculative execution side channels that affect AMD, ARM, and Intel CPUs to varying degrees. On May 21st, a new subclass of speculative execution side channel vulnerabilities known as Speculative Store Bypass (SSB) has been announced and assigned CVE-2018-3639.
An attacker who has successfully exploited this vulnerability may be able to read privileged data across trust boundaries. Vulnerable code patterns in the operating system (OS) or in applications could allow an attacker to exploit this vulnerability. In the case of Just-in-Time (JIT) compilers, such as JavaScript JIT employed by modern web browsers, it may be possible for an attacker to supply JavaScript that produces native code that could give rise to an instance of CVE-2018-3639. However, Microsoft Edge, Internet Explorer, and other major browsers have taken steps to increase the difficulty of successfully creating a side channel.
At the time of publication, we are not aware of any exploitable code patterns of this vulnerability class in our software or cloud service infrastructure, but we are continuing to investigate. Microsoft will implement the following strategy to mitigate Speculative Store Bypass:
- If a vulnerable code pattern is found, we will address it with a security update.
- Microsoft Windows and Azure will add support for Speculative Store Bypass Disable (SSBD) as documented by Intel and AMD. SSBD inhibits a Speculative Store Bypass from occurring, thus eliminating the security risk completely. For Windows on ARM devices, OEMs will provide an update that will mitigate Speculative Store Bypass automatically as documented by ARM. This mitigation will be delivered via Windows Update.
- Microsoft will continue to develop, release, and deploy defense-in-depth mitigations for speculative execution side channel vulnerabilities including Speculative Store Bypass. See the Microsoft Security Research and Defense blog for more details.
- Microsoft will continue to research speculative execution side channels, including through researcher outreach and the speculative execution bounty program. See https://technet.microsoft.com/en-us/mt846432.aspx.
Recommended actions (updated November 13, 2018)
1. Register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
2. Familiarize yourself with the vulnerability details. See the References section for links to further information.
3. Microsoft recommends that developers review the updated developer guidance for Speculative Store Bypass at: https://docs.microsoft.com/en-us/cpp/security/developer-guidance-speculative-execution.
4. Apply updates as follows:
4.1. Apply the Windows updates that provide support for SSBD. See the Security Updates table to download and install these updates.
4.2. Hardware-specific action may be required in devices using certain processors:
a. Intel processors: For a list of affected Intel processors see Intel's advisory here. Apply hardware/microcode updates from your device OEM for affected Intel-based systems. Note that SSBD in Intel processors is dependent upon having the corresponding microcode installed. Contact your OEM for firmware/BIOS versions that contain SSBD compatibility.
b. AMD processors: For a list of affected AMD processor families see AMD’s advisory here. Updated microcode is not required.
c. ARM processors: For a list of affected ARM processors, see ARM’s advisory here. An OEM provided update will be delivered via Windows Update to mitigate Speculative Store Bypass automatically (enabled by default without option to disable). Contact your OEM for availability.
4.3. Evaluate the performance implication of turning on SSBD in your environment.
4.4. Evaluate the Speculative Store Bypass risk to your environment, including CVSS value and exposure to vulnerable code patterns in third-party software, and decide if SSBD should be turned on.
4.5. To turn on SSBD, use the registry settings documented here:
- Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
- Windows Server guidance to protect against speculative execution side-channel vulnerabilities
4.6. To verify the status of SSBD, the Get-SpeculationControlSettings PowerShell script has been updated to detect affected processors, status of the SSBD operating system updates, and state of the processor microcode if applicable. For more information and to obtain the PowerShell script visit: Understanding Get-SpeculationControlSettings PowerShell script output.
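Added example (not part of Microsoft's advisory or of the script itself): one way to turn the SSBD fields returned by Get-SpeculationControlSettings into the next action from steps 4.1 to 4.5. The function name, the posture labels, and the sample machines are assumptions made for illustration; the four SSBD property names are those reported by the SpeculationControl module.

```powershell
# Classify a Get-SpeculationControlSettings result by which step of the
# advisory's procedure still applies. Added example; labels are hypothetical.
function Get-SsbdPosture {
    param([Parameter(Mandatory)] $Settings)

    $needed = 'SSBDWindowsSupportPresent', 'SSBDHardwareVulnerable',
              'SSBDHardwarePresent', 'SSBDWindowsSupportEnabledSystemWide'
    foreach ($name in $needed) {
        # An older copy of the script has no SSBD fields; do not misread that as "unpatched".
        if ($null -eq $Settings.PSObject.Properties[$name]) {
            return 'UpdateSpeculationControlScript'
        }
    }
    if (-not $Settings.SSBDWindowsSupportPresent) { return 'InstallWindowsUpdate' }      # step 4.1
    if (-not $Settings.SSBDHardwareVulnerable)    { return 'ProcessorNotAffected' }
    if (-not $Settings.SSBDHardwarePresent)       { return 'NeedsFirmwareOrMicrocode' }  # step 4.2
    if (-not $Settings.SSBDWindowsSupportEnabledSystemWide) {
        return 'SupportedButNotEnabled'                                                  # steps 4.3-4.5
    }
    return 'SsbdEnabled'
}

# Constructed sample results (hypothetical machine names), standing in for
# output collected from several hosts.
$fleet = @(
    [pscustomobject]@{ Computer = 'ws-01'; SSBDWindowsSupportPresent = $false
        SSBDHardwareVulnerable = $false; SSBDHardwarePresent = $false
        SSBDWindowsSupportEnabledSystemWide = $false }
    [pscustomobject]@{ Computer = 'ws-02'; SSBDWindowsSupportPresent = $true
        SSBDHardwareVulnerable = $true; SSBDHardwarePresent = $false
        SSBDWindowsSupportEnabledSystemWide = $false }
    [pscustomobject]@{ Computer = 'srv-01'; SSBDWindowsSupportPresent = $true
        SSBDHardwareVulnerable = $true; SSBDHardwarePresent = $true
        SSBDWindowsSupportEnabledSystemWide = $false }
    [pscustomobject]@{ Computer = 'srv-02'; SSBDWindowsSupportPresent = $true
        SSBDHardwareVulnerable = $true; SSBDHardwarePresent = $true
        SSBDWindowsSupportEnabledSystemWide = $true }
    [pscustomobject]@{ Computer = 'old-01'; BTIHardwarePresent = $true }  # pre-SSBD script output
)

$fleet | ForEach-Object {
    [pscustomobject]@{ Computer = $_.Computer; Posture = Get-SsbdPosture -Settings $_ }
}

# On a live machine with the script installed:
#   Get-SsbdPosture -Settings (Get-SpeculationControlSettings)
```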
References
- Intel: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html
- AMD: https://www.amd.com/en/corporate/security-updates
- ARM: https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
- Microsoft Security Research and Defense blog: https://aka.ms/sescsrdssb
- Google Project Zero: https://bugs.chromium.org/p/project-zero/issues/detail?id=1528
FAQ (updated November 13, 2018)
1. Microsoft is releasing security updates for this advisory. Does this mean that you have found vulnerable code?
No. At the time of publication, we have not discovered vulnerable code patterns in our software or cloud service infrastructure. The updates released on June 12, 2018 provide Windows support for Speculative Store Bypass Disable (SSBD) for Intel processors. See the update in the Executive Summary for more information.
2. What does "a vulnerable code pattern" mean?
A vulnerable code pattern is software code that creates the conditions that allow exploitation of Speculative Store Bypass. For more details, see the Speculative Store Bypass overview at: https://aka.ms/sescsrdssb.
3. When will the Windows update(s) that provide support for SSBD be available?
Devices using Intel processors: Support for SSBD was released in all supported versions of Windows by July 2018.
Devices using AMD processors: Microsoft has released support for SSBD in supported versions of Windows 10, Windows Server 2016, and Windows Server 2019 on November 13, 2018. See the Security Updates table for update information. We continue to work with AMD to enable support of SSBD in additional supported versions of Windows.
Microsoft has released support for SSBD in supported versions of Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 on January 8, 2019. See the Security Updates table for update information. We continue to work with AMD to enable support of SSBD in additional supported versions of Windows.
Devices using ARM processors: Updates will be made available by OEMs via Windows Update. Contact your OEM for availability.
See the Recommended actions section for information about the updates and the steps to apply to turn on SSBD.
4. Is there a performance implication when I install the updates that provide support for SSBD on AMD and Intel processors?
No. Installing the updates themselves will not affect the performance of your CPU.
5. Is there a performance implication when I turn on SSBD on supported AMD and Intel processors?
In testing Microsoft has seen some performance impact when SSBD is turned on. However, the actual performance impact will depend on multiple factors, such as the specific chipset in your physical host and the workloads that are running.
6. Where can I find information about CVE-2018-3640 that was also announced on May 21, 2018?
See ADV180013 | Microsoft Guidance for Rogue System Register Read.
7. Is the Microsoft Cloud infrastructure affected?
At the time of publication, we have not discovered vulnerable code patterns in our software or cloud service infrastructure. In addition, defense-in-depth mitigations have been deployed across the Microsoft cloud infrastructure which directly address speculative execution vulnerabilities.
8. How does Speculative Store Bypass compare to the Spectre and Meltdown vulnerabilities?
Speculative Store Bypass is a subclass of speculative execution side-channel vulnerabilities like Spectre and Meltdown.
9. Where can I find Microsoft guidance for the Spectre and Meltdown vulnerabilities?
See ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities.
Exploitability
The following table provides an exploitability assessment for this vulnerability at the time of original publication.
- Publicly disclosed: No
- Exploited: No
- Exploitability assessment: Exploitation Less Likely
Acknowledgements
- Ken Johnson of Microsoft Corporation
- Jann Horn of Google Project Zero
Security Updates
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.
Revisions
The following updates have been made to this advisory:
1. Microsoft is announcing that the security updates released on January 8, 2018 for supported versions of Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 provide protections against the Speculative Store Bypass vulnerability (CVE-2018-3639) for AMD-based computers. These protections are not enabled by default. For Windows client (IT pro) guidance, follow the instructions in Microsoft Knowledge Base article 4073119.
2. In the Recommended Actions and FAQ sections the "Affected Products" table name has been corrected to "Security Updates" to reflect the correct table name.
The following updates have been made to this advisory:
1. Microsoft is announcing that the security updates released on November 13, 2018 for all supported versions of Windows 10, and for Windows Server 2016; Windows Server, version 1709; Windows Server, version 1803; and Windows Server 2019 provide protections against the Speculative Store Bypass vulnerability (CVE-2018-3639) for AMD-based computers. These protections are not enabled by default. For Windows client (IT pro) guidance, follow the instructions in KB4073119.
2. Microsoft is announcing the availability of updates for Surface Studio and Surface Book that address the Speculative Store Bypass (SSB) (CVE-2018-3639) vulnerability. See the Affected Products table for links to download and install the updates. See Microsoft Knowledge Base article 4073065 for more information.
3. In the Security Updates table, the Article and Download links have been corrected for affected Surface devices.
4. Windows 10 version 1809 and Windows Server 2019 have been added to the Security Updates table because they are affected by the SSB vulnerability.
5. The Recommended Actions and FAQ sections have been updated to include information for devices using AMD processors.
Microsoft is announcing the availability of updates for Surface Pro 3 and Surface Book 2 that address the Speculative Store Bypass (SSB) (CVE-2018-3639) vulnerability. See the Affected Products table for links to download and install the updates. See Microsoft Knowledge Base article 4073065 for more information.
Microsoft is announcing the availability of updates for Surface Pro 4, Surface Laptop, Surface Pro Model 1796, and Surface Pro with Advanced LTE Model 1807 that address the Speculative Store Bypass (SSB) (CVE-2018-3639) vulnerability. See the Affected Products table for links to download and install the updates. See Microsoft Knowledge Base article 4073065 for more information.
Microsoft is announcing that the Windows security updates released on July 10, 2018 include support for Speculative Store Bypass Disable (SSBD) in Intel processors. This support is available for all supported editions of Windows Server 2008, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. See the Affected Products table for the security updates, and the Recommended Actions section to follow the steps for applying updates to mitigate CVE-2018-3639 - Speculative Store Bypass (SSB), Variant 4.
Microsoft is announcing that the Windows security updates released on June 12, 2018 include support for Speculative Store Bypass Disable (SSBD) in Intel processors. This support is available for all supported editions of Windows 10, Windows Server 2016, Windows 7, and Windows Server 2008 R2. See the Affected Products table for the security updates. The Recommended Actions section of this advisory has been updated to include steps for applying updates to mitigate CVE-2018-3639 - Speculative Store Bypass (SSB), Variant 4. In addition, revisions have been made to the FAQ section to address questions about performance implications of these updates and of SSBD.
Information published.