This article will be updated as additional information becomes available. Please check back here regularly for updates and new FAQs.
Microsoft is aware of a new publicly disclosed class of vulnerabilities that are called “speculative execution side-channel attacks” and that affect many modern processors including Intel, AMD, and ARM.
Note This issue also affects other operating systems, such as Android, Chrome, iOS, and macOS. Therefore, we advise customers to seek guidance from those vendors.
Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See the following sections for more details.
Microsoft has not yet received any information to indicate that these vulnerabilities have been used to attack customers. Microsoft is working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers. To get all available protections, firmware (microcode) and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software.
This article addresses the following vulnerabilities:
- CVE-2017-5715 – "Branch Target Injection"
- CVE-2017-5753 – "Bounds Check Bypass"
- CVE-2017-5754 – "Rogue Data Cache Load"
- CVE-2018-3639 – "Speculative Store Bypass"
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
Customers should take the following actions to help protect against these vulnerabilities:
- Apply all available Windows operating system updates, including the monthly Windows security updates. For details about how to enable these updates, see Microsoft Knowledge Base article 4072699.
- Apply applicable firmware (microcode) updates from the device manufacturer (OEM).
- Evaluate the risk to your environment based on the information that's in Microsoft Security Advisories ADV180002 and ADV180012 and in this Knowledge Base article.
- Take action as required by using the advisories and registry key information that is provided in this Knowledge Base article.
Important Customers who install only the Windows security updates will not receive the full benefits of all known protections.
Enabling protections on Windows Server
The mitigations for CVE-2017-5753 are enabled by default on Windows Server, and there's no administrator option available to disable them. Mitigations for the other three vulnerabilities that are described in this article are disabled by default. Customers who want to obtain all available protections against these vulnerabilities must make registry key changes to enable these mitigations.
Enabling these mitigations may affect performance. The scale of the performance effects depends on multiple factors, such as the specific chipset in your physical host and the workloads that are running. We recommend that customers assess the performance effects for their environment and make any necessary adjustments.
Your server is at increased risk if it's in one of the following categories:
- Hyper-V hosts – Requires protection for VM-to-VM and VM-to-host attacks.
- Remote Desktop Services Hosts (RDSH) – Requires protection from one session to another session or from session-to-host attacks.
- Physical hosts or virtual machines that are running untrusted code, such as containers, untrusted database extensions, untrusted web content, or workloads that run code from external sources. These require protection from untrusted-process-to-process or untrusted-process-to-kernel attacks.
Use the following registry key settings to enable the mitigations on the server, and restart the system for the changes to take effect.
Enable mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To enable mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)
If this is a Hyper-V host and the firmware updates have been applied, fully shut down all virtual machines. This allows the firmware-related mitigation to be applied on the host before the VMs are started, so the VMs are also updated when they're restarted.
Restart the server for changes to take effect.
To disable mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)
Restart the server for the changes to take effect.
(You do not have to change MinVmVersionForCpuBasedMitigations.)
- Setting FeatureSettingsOverrideMask to 3 is correct for both the "enable" and "disable" settings. (See the "FAQ" section for more details about registry keys.)
- For Hyper-V hosts, live migration between updated and non-updated hosts may fail. For more information, see Protecting guest virtual machines from CVE-2017-5715 (branch target injection).
- For Windows Server 2016 Hyper-V, there's an alternative protection mechanism that is available that you can use on hosts that don't yet have updated firmware available. For more information, see Alternative protections for Windows Server 2016 Hyper-V Hosts against the speculative execution side-channel vulnerabilities.
Disable mitigation for CVE-2017-5715 (Spectre Variant 2)
While Intel tests, updates, and deploys new microcode, we are offering a new option for advanced users on affected devices to manually disable and enable the mitigation against Spectre Variant 2 (CVE-2017-5715 – "Branch Target Injection") independently through registry setting changes.
If you installed the microcode but you want to disable the CVE-2017-5715 mitigation because of unexpected restarts or system stability issues, use the following instructions.
To disable the Variant 2 (CVE-2017-5715 – "Branch Target Injection") mitigation:
To enable the Variant 2 (CVE-2017-5715 – "Branch Target Injection") mitigation:
Note Disabling and enabling the Variant 2 mitigation through registry setting changes requires administrative rights and a restart.
Enable Indirect Branch Prediction Barrier (IBPB) for Spectre Variant 2 on AMD processors (CPUs)
Some AMD processors (CPUs) offer an indirect branch control feature to mitigate indirect branch target injections through an Indirect Branch Prediction Barrier (IBPB) mechanism. (For more information, see FAQ #15 in ADV180002 and AMD Architecture Guidelines around Indirect Branch Control and AMD Security Updates.)
To enable the use of Indirect Branch Prediction Barrier (IBPB) when switching from user context to kernel context:
Note Enabling IBPB through registry setting changes requires administrative rights and a restart.
Enable mitigations for CVE-2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2), and CVE-2017-5754 (Meltdown)
To enable mitigations for CVE-2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2), and CVE-2017-5754 (Meltdown):
To disable mitigations for CVE-2018-3639 (Speculative Store Bypass) together with the mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)
Note These registry changes require administrative rights and a restart.
Verifying that protections are enabled
To help customers verify that the appropriate protections have been enabled, Microsoft has published a PowerShell script that customers can run on their systems. Install and run the script by running the following commands.
PowerShell verification by using the PowerShell Gallery (Windows Server 2016 or WMF 5.0/5.1)
Install the PowerShell Module:
Run the PowerShell module to verify that protections are enabled:
PowerShell verification by using a download from TechNet (earlier OS versions/earlier WMF versions)
Install the PowerShell module from TechNet ScriptCenter:
Run the PowerShell module to verify that protections are enabled:
Start PowerShell, and then use the previous example to copy and run the following commands:
For a detailed explanation of the output of the PowerShell script, see Knowledge Base article 4074629.
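The registry configuration and the verification steps above, as an added PowerShell example that is not part of this KB article: it reads the FeatureSettingsOverride values the article describes, decodes what they request, and compares that with what the SpeculationControl module reports for the running kernel. The two key paths, the bit meanings of FeatureSettingsOverride and the cmdlet's property names are not stated on this page and are assumed from Microsoft's published guidance for these settings.

```powershell
# Added example, not from this KB article: decode the registry overrides the
# article describes and compare them with what the running kernel reports.
# Assumed (not on this page): key paths, FeatureSettingsOverride bit meanings
# (1 = disable Variant 2, 2 = disable Meltdown, 8 = enable SSBD, 64 = AMD IBPB)
# and the Get-SpeculationControlSettings property names, per Microsoft guidance.
$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$Virt    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Get-SpecExecRegistryState {
    $mm = Get-ItemProperty -Path $MemMgmt -ErrorAction SilentlyContinue
    $vt = Get-ItemProperty -Path $Virt    -ErrorAction SilentlyContinue
    $override = $mm.FeatureSettingsOverride        # $null when the value is absent
    $mask     = $mm.FeatureSettingsOverrideMask
    $o = if ($null -eq $override) { 0 } else { [int]$override }
    [pscustomobject]@{
        # On Windows Server the Variant 2 and Meltdown mitigations are off by
        # default, so an absent override means they have not been enabled yet.
        OverridePresent             = ($null -ne $override)
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        Variant2MitigationDisabled  = [bool]($o -band 1)
        MeltdownMitigationDisabled  = [bool]($o -band 2)
        SSBDRequested               = [bool]($o -band 8)
        AmdIbpbRequested            = [bool]($o -band 64)
        MinVmVersionForCpuBasedMitigations = $vt.MinVmVersionForCpuBasedMitigations
    }
}

function Get-SpecExecRuntimeState {
    if (-not (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue)) {
        Write-Warning 'SpeculationControl module not installed; install it as described above.'
        return $null
    }
    Get-SpeculationControlSettings -Quiet   # -Quiet suppresses the narrative text
}

function Compare-SpecExecState {
    $reg = Get-SpecExecRegistryState
    $rt  = Get-SpecExecRuntimeState
    if ($null -eq $rt) { return $reg }
    # Registry = intent; module = what the kernel applied. A mismatch usually
    # means a pending restart or missing OEM microcode.
    [pscustomobject]@{
        Variant2Configured = $reg.OverridePresent -and -not $reg.Variant2MitigationDisabled
        Variant2Active     = [bool]$rt.BTIWindowsSupportEnabled
        MeltdownConfigured = $reg.OverridePresent -and -not $reg.MeltdownMitigationDisabled
        MeltdownActive     = [bool]$rt.KVAShadowWindowsSupportEnabled
        SSBDConfigured     = $reg.SSBDRequested
        SSBDActive         = [bool]$rt.SSBDWindowsSupportEnabledSystemWide
    }
}
Compare-SpecExecState | Format-List
```

Reading the keys needs no elevation, so the script can run under a standard account after the restart that the article requires; MeltdownActive is expected to stay False on processors for which the module reports KVA shadowing as not required.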