KB4073757: Protect Windows devices against silicon-based microarchitectural and speculative execution side-channel vulnerabilities

Applies To
Windows Server 2012 Windows Server 2012 R2 Windows 10 Windows 10 Education, version 1607 Windows 10 Professional version 1607 Windows 10 Enterprise, version 1607 Windows 10 Enterprise version 1607 Windows 10 Enterprise, version 1809 Windows 10 Professional Education version 1607 Windows 10 Pro Education, version 1607 Windows Server 2022 Windows 10 Home and Pro, version 21H2 Windows 10 Enterprise and Education, version 21H2 Windows 10 IoT Enterprise, version 21H2 Windows 10 Home and Pro, version 22H2 Windows 10 Enterprise Multi-Session, version 22H2 Windows 10 Enterprise and Education, version 22H2 Windows 10 IoT Enterprise, version 22H2 Windows 11 Home and Pro, version 21H2 Windows 11 Enterprise Multi-Session, version 21H2 Windows 11 Enterprise and Education, version 21H2 Windows 11 IoT Enterprise, version 21H2 Windows 11 Home and Pro, version 22H2 Windows 11 Enterprise Multi-Session, version 22H2 Windows 11 Enterprise and Education, version 22H2 Windows 11 IoT Enterprise, version 22H2 Azure Local, version 22H2 Windows 11 Home and Pro, version 23H2 Windows 11 Enterprise and Education, version 23H2 Windows 11 Enterprise Multi-Session, version 23H2 DO_NOT_USE_Windows 11 IoT Enterprise, version 23H2 Azure Local Windows Server 2022 Windows Server 2019 Windows Server 2016
Change log
Change date Change description
August 9, 2023
  • Removed content about CVE-2022-23816 as the CVE number is unused
  • Removed a duplicated topic titled "Intel microcode updates" in the "Steps to help protect your Windows devices" section
April 9, 2024
  • Added CVE-2022-0001 | Intel Branch History Injection

Summary

This article provides information and updates for a new class of silicon-based microarchitectural and speculative execution side-channel vulnerabilities that affect many modern processors and operating systems. It also provides a comprehensive list of Windows client and server resources to help keep your devices protected at home, at work, and across your enterprise. This includes Intel, AMD, and ARM. Specific vulnerability details for these silicon-based issues can be found in the following security advisories and CVEs:

On January 3, 2018, Microsoft released an advisory and security updates related to a newly-discovered class of hardware vulnerabilities (known as Spectre and Meltdown) involving speculative execution side channels that affect AMD, ARM, and Intel processors to varying degrees. This class of vulnerabilities is based on a common chip architecture that was originally designed to speed up computers. You can learn more about these vulnerabilities at Google Project Zero.

On May 21, 2018, Google Project Zero (GPZ), Microsoft, and Intel disclosed two new chip vulnerabilities that are related to the Spectre and Meltdown issues and are known as Speculative Store Bypass (SSB) and Rogue System Registry Read. The customer risk from both disclosures is low⁠.⁠*

For more information about these vulnerabilities, see the resources that are listed under May 2018 Windows operating system updates, and refer to the following Security Advisories:

On June 13, 2018, an additional vulnerability involving side-channel speculative execution, known as Lazy FP State Restore, was announced and assigned CVE-2018-3665. For more information about this vulnerability and recommended actions, see the following Security Advisory:

On August 14, 2018, L1 Terminal Fault (L1TF), a new speculative execution side channel vulnerability was announced that has multiple CVEs. L1TF affects Intel® Core® processors and Intel® Xeon® processors. For more information about L1TF and recommended actions, see our Security Advisory:

Note: We recommend that you install all of the latest updates from Windows Update before you install any microcode updates.

On May 14, 2019, Intel published information about a new subclass of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling. They have been assigned the following CVEs:

Important: These issues will affect other systems such as Android, Chrome, iOS, and MacOS. We advise customers seek guidance from their respective vendors.

Microsoft has released updates to help mitigate these vulnerabilities. To get all available protections, firmware (microcode) and software updates are required. This may include microcode from device OEMs. In some cases, installing these updates will have a performance impact. We have also acted to secure our cloud services.

Note: We recommend that you install all the latest updates from Windows Update before you install microcode updates.

For more information about these issues and recommended actions, see the following Security Advisory:

On August 6, 2019 Intel released details about a Windows kernel information disclosure vulnerability. This vulnerability is a variant of the Spectre Variant 1 speculative execution side channel vulnerability and has been assigned CVE-2019-1125.

Microsoft released a security update for the Windows operating system on July 9, 2019 to help mitigate this issue. Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically. Note that this vulnerability does not require a microcode update from your device manufacturer (OEM).

For more information about this vulnerability and applicable updates, see CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability in the Microsoft Security Update Guide.

On June 14, 2022, Intel published information about a new subclass of speculative execution memory-mapped I/O (MMIO) side channel vulnerabilities that are listed in the advisory:

Steps to help protect your Windows devices

What steps should I take to help protect my devices?

You may have to update both your firmware (microcode) and your software to address these vulnerabilities. Please refer to the Microsoft Security Advisories for recommended actions. This includes applicable firmware (microcode) updates from device manufacturers and, in some cases, updates to your antivirus software. We encourage you to keep your devices up-to-date by installing the monthly security updates.

To receive all available protections, follow these steps to get the latest updates for both software and hardware.

Note

Before you begin, make sure that your antivirus (AV) software is up-to-date and compatible. Check your antivirus software manufacturer's website for their latest compatibility information.

  1. Keep your Windows device up-to-date by turning on automatic updates.

  2. Check that you’ve installed the latest Windows operating system security update from Microsoft. If automatic updates are turned on, the updates should be automatically delivered to you. However, you should still verify that they’re installed. For instructions, see Windows Update: FAQ

  3. Install available firmware (microcode) updates from your device manufacturer. All customers will have to check with their device manufacturer to download and install their device specific hardware update. See the "Additional resources" section for a list of device manufacturer websites.

    Note

    Customers should install the latest Windows operating system security updates from Microsoft to take advantage of available protections. Antivirus software updates should be installed first. Operating system and firmware updates should follow. We encourage you to keep your devices up-to-date by installing the monthly security updates.

Who is affected?

Affected chips include those that are manufactured by Intel, AMD, and ARM. This means that all devices that are running Windows operating systems are potentially vulnerable. This includes desktops, laptops, cloud servers, and smartphones. Devices that are running other operating systems, such as Android, Chrome, iOS, and macOS, are also affected. We advise customers who are running these operating systems to seek guidance from those vendors.

At the time of publication, we had not received any information to indicate that these vulnerabilities have been used to attack customers.

Protections we’ve provided to date

Starting in January 2018, Microsoft released updates for Windows operating systems and the Internet Explorer and Edge web browsers to help mitigate these vulnerabilities and help to protect customers. We also released updates to secure our cloud services.  We continue working closely with industry partners, including chip makers, hardware OEMs, and app vendors, to protect customers against this class of vulnerability.

We encourage you to always install the monthly updates to keep your devices up-to-date and secure.

We will update this documentation when new mitigations become available, and we recommend you check back here regularly.

July 2019 Windows operating system updates

Windows Kernel Information Disclosure Vulnerability (CVE-2019-1125)

On August 6, 2019, Intel disclosed details for security vulnerability CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability. Security updates for this vulnerability were released as part of the July monthly update release on July 9, 2019.

Microsoft released a security update for the Windows operating system on July 9, 2019 to help mitigate this issue. We held back documenting this mitigation publicly until the coordinated industry disclosure on Tuesday, August 6, 2019.

Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically. Note that this vulnerability does not require a microcode update from your device manufacturer (OEM).

May 2019 Windows operating system updates

New speculative execution side-channel vulnerability disclosure (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130)

On May 14, 2019, Intel published information about a new subclass of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling and were assigned the following CVEs:

For more information about this issue, see the following Security Advisory and use scenario-based guidance outlined in the Windows guidance for Clients and Server articles to determine actions necessary to mitigate the threat:

Windows 64-bit OS protections to mitigate Microarchitectural Data Sampling (CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2018-11091)

Microsoft has released protections against a new subclass of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling for 64-Bit (x64) versions of Windows (CVE-2018-11091,CVE-2018-12126, CVE-2018-12127, CVE-2018-12130).

Use the registry settings as described in the Windows Client (KB4073119) and Windows Server (KB4457951) articles. These registry settings are enabled by default for Windows Client OS editions and Windows Server OS editions.

We recommend that you install all of the latest updates from Windows Update first, before you install any microcode updates.

For more information about this issue and recommended actions, see the following Security Advisory:

Intel microcode updates to mitigate Microarchitectural Data Sampling (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130)

Intel has released a microcode update for recent CPU platforms to help mitigate CVE-2018-11091,CVE-2018-12126, CVE-2018-12127, CVE-2018-12130. The May 14, 2019 Windows KB 4093836 lists specific Knowledge Base articles by Windows OS version.  The article also contains links to the available Intel microcode updates by CPU. These updates are available via the Microsoft Catalog.

Note: We recommend that you install all of the latest updates from Windows Update before you install any microcode updates.

Retpoline mitigations for Spectre, variant 2 enabled by default on Windows 10, version 1809 devices.

We’re happy to announce that the Retpoline is enabled by default on Windows 10, version 1809 devices (for client and server) if Spectre Variant 2 (CVE-2017-5715) is enabled. By enabling Retpoline on the latest version of Windows 10, via the May 14, 2019 update (KB 4494441), we anticipate enhanced performance, particularly on older processors.

Customers should ensure previous OS protections against the Spectre Variant 2 vulnerability are enabled using the registry settings described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions but disabled by default for Windows Server OS editions). For more information about “Retpoline”, see Mitigating Spectre variant 2 with Retpoline on Windows.

November 2018 Windows operating system updates

Window OS protections for Speculative Store Bypass for AMD processors

Microsoft has released operating system protections for Speculative Store Bypass (CVE-2018-3639) for AMD processors (CPUs).

Window OS protections for Speculative Store Bypass for ARM64 devices

Microsoft has released additional operating system protections for customers using 64-bit ARM processors. Please check with your device OEM manufacturer for firmware support because ARM64 operating system protections that mitigate CVE-2018-3639, Speculative Store Bypass, require the latest firmware update from your device OEM.

September 2018 Windows operating system updates

Additional protections against L1 Terminal Fault for Windows Server 2008 SP2

On September 11, 2018, Microsoft released Windows Server 2008 SP2 Monthly Rollup 4458010 and Security Only 4457984 for Windows Server 2008 that provide protections against a new speculative execution side-channel vulnerability known as L1 Terminal Fault (L1TF) affecting Intel® Core® processors and Intel® Xeon® processors (CVE-2018-3620 and CVE-2018-3646).

This release completes the additional protections on all supported Windows system versions through Windows Update. For more information and a list of affected products, please see ADV180018 | Microsoft Guidance to mitigate L1TF variant.

Note: Windows Server 2008 SP2 now follows the standard Windows servicing rollup model. For more information about these changes, please see our blog Windows Server 2008 SP2 servicing changes. Customers running Windows Server 2008 should install either 4458010 or 4457984 in addition to Security Update 4341832, which was released on August 14, 2018. Customers should also ensure previous OS protections against Spectre Variant 2 and Meltdown vulnerabilities are enabled using the registry settings outlined in the Windows Client and Windows Server guidance KB articles. These registry settings are enabled by default for Windows Client OS editions but is disabled by default for Windows Server OS editions.

Windows OS protections around Spectre Variant 2 for ARM64 devices

Microsoft has released additional operating system protections for customers using 64-bit ARM processors. Please check with your device OEM manufacturer for firmware support because ARM64 operating system protections that mitigate CVE-2017-5715 - Branch target injection (Spectre, Variant 2) require the latest firmware update from your device OEMs to take effect.

August 2018 Windows operating system updates

New speculative execution side-channel vulnerability disclosure (L1 Terminal Fault - CVE-2018-3615 - CVE-2018-3620 - CVE-2018-3640)

On August 14, 2018, L1 Terminal Fault (L1TF) was announced and assigned multiple CVEs. These new speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and, if exploited, can lead to information disclosure. There are multiple vectors by which an attacker could trigger the vulnerabilities depending on the configured environment. L1TF affects Intel® Core® processors and Intel® Xeon® processors.

For more information about L1TF and a detailed view of affected scenarios, including Microsoft’s approach to mitigating L1TF please see the following resources:

July 2018 Windows operating system updates

We are pleased to announce that Microsoft has completed releasing additional protections on all supported Windows system versions through Windows Update for the following vulnerabilities:

  • Spectre Variant 2 for AMD processors
  • Speculative Store Bypass for Intel processors
New side-channel speculative execution vulnerability disclosure (Lazy FP State Restore - CVE-2018-3665)

On June 13, 2018, an additional vulnerability involving side-channel speculative execution, known as Lazy FP State Restore, was announced and assigned CVE-2018-3665. There are no configuration (registry) settings needed for Lazy Restore FP Restore.

For more information about this vulnerability, affected products, and recommended actions, see the following Security Advisory:

Announcing Windows support for Speculative Store Bypass Disable (SSBD) in Intel processors

On June 12, Microsoft announced Windows support for Speculative Store Bypass Disable (SSBD) in Intel processors. The updates require corresponding firmware (microcode) and registry updates for functionality. For information about the updates and the steps to apply to turn on SSBD, see the "Recommended actions" section in ADV180012 | Microsoft Guidance for Speculative Store Bypass.

May 2018 Windows operating system updates

New speculative execution side-channel vulnerability disclosure (Speculative Store Bypass - CVE-2018-3639 and Rogue System Register Read - CVE-2018-3640)

In January 2018, Microsoft released information about a newly discovered class of hardware vulnerabilities (known as Spectre and Meltdown) that involve speculative execution side channels that affect AMD, ARM, and Intel CPUs to varying degrees. On May 21, 2018 Google Project Zero (GPZ), Microsoft, and Intel disclosed two new chip vulnerabilities that are related to the Spectre and Meltdown issues that are known as Speculative Store Bypass (SSB) and Rogue System Registry Read.

The customer risk from both disclosures is low.

For more information about these vulnerabilities, see the following resources:

Enable use of Indirect Branch Prediction Barrier (IBPB) for Spectre Variant 2 for AMD processors (CPUs)

Applies to: Windows 10, version 1607, Windows Server 2016, Windows Server 2016 (Server Core installation), and Windows Server, version 1709 (Server Core installation)

We have provided support to control usage of Indirect Branch Prediction Barrier (IBPB) within some AMD processors (CPUs) for mitigating CVE-2017-5715, Spectre Variant 2 when you switch from user context to kernel context. (For more information, see AMD Architecture Guidelines around Indirect Branch Control and AMD Security Updates).

Customers who are running Windows 10, version 1607,  Windows Server 2016, Windows Server 2016 (Server Core installation), and Windows Server, version 1709 (Server Core installation) must install security update 4103723 for additional mitigations for AMD processors for CVE-2017-5715, Branch Target Injection. This update is also available through Windows Update.

Follow the instructions that are outlined in KB 4073119 for Windows Client (IT Pro) guidance and KB 4072698 for Windows Server guidance to enable usage of IBPB within some AMD processors (CPUs) for mitigating Spectre Variant 2 when you switch from user context to kernel context.

Intel microcode updates for Windows 10, version 1803 and Windows Server, version 1803

Microsoft is making available Intel validated microcode updates around Spectre Variant 2 (CVE-2017-5715 “Branch Target Injection**”**). To get the latest Intel microcode updates through Windows Update, customers must have installed Intel microcode on devices running a Windows 10 operating system prior to upgrading to the Windows 10 April 2018 Update (version 1803).

The microcode update is also available directly from Catalog if it was not installed on the device prior to upgrading the OS. Intel microcode is available through Windows Update, WSUS, or the Microsoft Update Catalog. For more information and download instructions, see KB 4100347.

We will offer additional microcode updates from Intel for the Windows operating system as they become available to Microsoft.

Enable usage of Indirect Branch Prediction Barrier (IBPB) for Spectre Variant 2 for AMD processors (CPUs)

Applies to: Windows 10, version 1709

We have provided support to control usage of Indirect Branch Prediction Barrier (IBPB) within some AMD processors (CPUs) for mitigating CVE-2017-5715, Spectre Variant 2 when you switch from user context to kernel context. (For more information, see AMD Architecture Guidelines around Indirect Branch Control and AMD Security Updates).

Follow the instructions outlined in KB 4073119 for Windows Client (IT Pro) guidance to enable usage of IBPB within some AMD processors (CPUs) for mitigating Spectre Variant 2 when you switch from user context to kernel context.

Intel microcode updates

Microsoft is making available Intel validated microcode updates around Spectre Variant 2  (CVE-2017-5715 "Branch Target Injection"). KB4093836 lists specific Knowledge Base articles by Windows version. Each specific KB contains the latest available Intel microcode updates by CPU.

We will offer additional microcode updates from Intel for the Windows operating system as they become available to Microsoft.

March 2018 and later Windows operating system updates

March 23, TechNet Security Research & Defense: KVA Shadow: Mitigating Meltdown on Windows

March 14, Security Tech Center: Speculative Execution Side Channel Bounty Program Terms

March 13, blog: March 2018 Windows Security Update – Expanding Our Efforts to Protect Customers

March 1, blog: Update on Spectre and Meltdown security updates for Windows devices

Windows operating system updates for 32-bit (x86) systems

Starting in March 2018, Microsoft released security updates to provide mitigations for devices running the following x86-based Windows operating systems. Customers should install latest Windows operating system security updates to take advantage of available protections. We are working to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates. For more information, see the related Knowledge Base article for technical details and the "FAQ" section.

Product update released Status Release date Release channel KB
Windows 8.1 & Windows Server 2012 R2 - Security Only Update Released 13-Mar WSUS, Catalog, KB4088879
Windows 7 SP1 & Windows Server 2008 R2 SP1 - Security Only Update Released 13-Mar WSUS, Catalog KB4088878
Windows Server 2012 - Security Only Update
Windows 8 Embedded Standard Edition - Security Only Update
Released 13-Mar WSUS, Catalog KB4088877
Windows 8.1 & Windows Server 2012 R2 - Monthly Rollup Released 13-Mar WU, WSUS, Catalog KB4088876
Windows 7 SP1 & Windows Server 2008 R2 SP1 - Monthly Rollup Released 13-Mar WU, WSUS, Catalog KB4088875
Windows Server 2012 - Monthly Rollup
Windows 8 Embedded Standard Edition - Monthly Rollup
Released 13-Mar WU, WSUS, Catalog KB4088877
Windows Server 2008 SP2 Released 13-Mar WU, WSUS, Catalog KB4090450
Windows operating system updates for 64-bit (x64) systems

Starting in March 2018, Microsoft released security updates to provide mitigations for devices running the following x64-based Windows operating systems. Customers should install latest Windows operating system security updates to take advantage of available protections. We are working to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates. For more information, see the related knowledge base article for technical details and the "FAQ" section.

Product update released Status Release date Release channel KB
Windows Server 2012 - Security Only Update
Windows 8 Embedded Standard Edition - Security Only Update
Released 13-Mar WSUS, Catalog KB4088877
Windows Server 2012 - Monthly Rollup
Windows 8 Embedded Standard Edition - Monthly Rollup
Released 13-Mar WU, WSUS, Catalog KB4088877
Windows Server 2008 SP2 Released 13-Mar WU, WSUS, Catalog KB4090450
Windows kernel update for CVE-2018-1038

This update addresses an elevation of privilege vulnerability in the Windows kernel in the 64-Bit (x64) version of Windows. This vulnerability is documented in CVE-2018-1038. Users must apply this update to be fully protected against this vulnerability if their computers were updated on or after January 2018 by applying any of the updates that are listed in the following Knowledge Base article:

Windows kernel update for CVE-2018-1038

Cumulative security update for Internet Explorer

This security update resolves several reported vulnerabilities in Internet Explorer. To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures.

Product update released Status Release date Release channel KB
Internet Explorer 10 - Cumulative Update for Windows 8 Embedded Standard Edition Released 13-Mar WU, WSUS, Catalog KB4089187

February 2018 Windows operating system updates

Blog: Windows Analytics now helps assess Spectre and Meltdown protections

Windows operating system updates for 32-bit (x86) systems

The following security updates provide additional protections for devices running 32-bit (x86) Windows operating  systems. Microsoft recommends customers install the update as soon as available. We continue to work to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates.

Note Windows 10 monthly security updates are cumulative month over month and will be downloaded and installed automatically from Windows Update. If you have installed earlier updates, only the new portions will be downloaded and installed on your device. For more information, see the related Knowledge Base article for technical details and the "FAQ" section.

Product update released Status Release date Release channel KB
Windows 10 - Version 1709 / Windows Server 2016 (1709) / IoT Core - Quality Update Released 31-Jan WU, Catalog KB4058258
Windows Server 2016 (1709) - Server container Released 13-Feb Docker Hub KB4074588
Windows 10 - Version 1703 / IoT Core - Quality Update Released 13-Feb WU, WSUS, Catalog KB4074592
Windows 10 - Version 1607 / Windows Server 2016 / IoT Core - Quality Update Released 13-Feb WU, WSUS, Catalog KB4074590
Windows 10 HoloLens - OS and Firmware Updates Released 13-Feb WU, Catalog KB4074590
Windows Server 2016 (1607) - Container Images Released 13-Feb Docker Hub KB4074590
Windows 10 - Version 1511 / IoT Core - Quality Update Released 13-Feb WU, WSUS, Catalog KB4074591
Windows 10 - Version RTM - Quality Update Released 13-Feb WU, WSUS, Catalog KB4074596

January 2018 Windows operating system updates

Blog: Understanding the Performance Impact of Spectre and Meltdown Mitigations on Windows Systems

Windows operating system updates for 64-bit (x64) systems

Starting in January 2018, Microsoft released security updates to provide mitigations for devices running the following x64-based Windows operating systems. Customers should install latest Windows operating system security updates to take advantage of available protections. We are working to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates. For more information, see the related Knowledge Base article for technical details and the "FAQ" section.

Product update released Status Release date Release channel KB
Windows 10 - Version 1709 / Windows Server 2016 (1709) / IoT Core - Quality Update Released 3-Jan WU, WSUS, Catalog, Azure Image Gallery KB4056892
Windows Server 2016 (1709) - Server container Released 5-Jan Docker Hub KB4056892
Windows 10 - Version 1703 / IoT Core - Quality Update Released 3-Jan WU, WSUS, Catalog KB4056891
Windows 10 - Version 1607 / Windows Server 2016 / IoT Core- Quality Update Released 3-Jan WU, WSUS, Catalog KB4056890
Windows Server 2016 (1607) - Container Images Released 4-Jan Docker Hub KB4056890
Windows 10 - Version 1511 / IoT Core - Quality Update Released 3-Jan WU, WSUS, Catalog KB4056888
Windows 10 - Version RTM - Quality Update Released 3-Jan WU, WSUS, Catalog KB4056893
Windows 10 Mobile (OS Build 15254.192) - ARM Released 5-Jan WU, Catalog KB4073117
Windows 10 Mobile (OS Build 15063.850) Released 5-Jan WU, Catalog KB4056891
Windows 10 Mobile (OS Build 14393.2007) Released 5-Jan WU, Catalog KB4056890
Windows 10 HoloLens Released 5-Jan WU, Catalog KB4056890
Windows 8.1 / Windows Server 2012 R2 - Security Only Update Released 3-Jan WSUS, Catalog KB4056898
Windows Embedded 8.1 Industry Enterprise Released 3-Jan WSUS, Catalog KB4056898
Windows Embedded 8.1 Industry Pro Released 3-Jan WSUS, Catalog KB4056898
Windows Embedded 8.1 Pro Released 3-Jan WSUS, Catalog KB4056898
Windows 8.1 / Windows Server 2012 R2 Monthly Rollup Released 8-Jan WU, WSUS, Catalog KB4056895
Windows Embedded 8.1 Industry Enterprise Released 8-Jan WU, WSUS, Catalog KB4056895
Windows Embedded 8.1 Industry Pro Released 8-Jan WU, WSUS, Catalog KB4056895
Windows Embedded 8.1 Pro Released 8-Jan WU, WSUS, Catalog KB4056895
Windows Server 2012 Security Only Released WSUS, Catalog
Windows Server 2008 SP2 Released WU, WSUS, Catalog
Windows Server 2012 Monthly Rollup Released WU, WSUS, Catalog
Windows Embedded 8 Standard Released WU, WSUS, Catalog
Windows 7 SP1 / Windows Server 2008 R2 SP1 - Security Only Update Released 3-Jan WSUS, Catalog KB4056897
Windows Embedded Standard 7 Released 3-Jan WSUS, Catalog KB4056897
Windows Embedded POSReady 7 Released 3-Jan WSUS, Catalog KB4056897
Windows Thin PC Released 3-Jan WSUS, Catalog KB4056897
Windows 7 SP1 / Windows Server 2008 R2 SP1 Monthly Rollup Released 4-Jan WU, WSUS, Catalog KB4056894
Windows Embedded Standard 7 Released 4-Jan WU, WSUS, Catalog KB4056894
Windows Embedded POSReady 7 Released 4-Jan WU, WSUS, Catalog KB4056894
Windows Thin PC Released 4-Jan WU, WSUS, Catalog KB4056894
Internet Explorer 11-Cumulative Update for Windows 7 SP1 and Windows 8.1 Released 3-Jan WU, WSUS, Catalog KB4056568
Enable the mitigation for CVE-2022-0001 on Intel processors

On April 9, 2024 we published CVE-2022-0001 | Intel Branch History Injection which describes Branch History Injection (BHI) which is a specific form of intra-mode BTI. This vulnerability occurs when an attacker may manipulate branch history before transitioning from user to supervisor mode (or from VMX non-root/guest to root mode). This manipulation could cause an indirect branch predictor to select a specific predictor entry for an indirect branch, and a disclosure gadget at the predicted target will transiently execute. This may be possible because the relevant branch history may contain branches taken in previous security contexts, and in particular, other predictor modes.

Follow the instructions that are outlined in KB4073119 for Windows Client (IT Pro) guidance and KB4072698 for Windows Server guidance to mitigate the vulnerabilities described in CVE-2022-0001 | Intel Branch History Injection.

Resources and technical guidance

Depending on your role, the following support articles can help you identify and mitigate client and server environments that are affected by the Spectre and Meltdown vulnerabilities.

Microsoft blogs that discuss speculative execution side-channel vulnerabilities

Microsoft Security Advisory for L1 Terminal Fault (L1TF):MSRC ADV180018, CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646

Security Research and Defense:Analysis and mitigation of speculative store bypass (CVE-2018-3639)

Microsoft Security Advisory forSpeculative Store Bypass:MSRC ADV180012 and CVE-2018-3639

Microsoft Security Advisory for Rogue System Register Read | Security Update Guide for Surface: MSRC ADV180013 and CVE-2018-3640

Security Research and Defense:Analysis and mitigation of speculative store bypass (CVE-2018-3639)

TechNet Security Research & Defense:KVA Shadow: Mitigating Meltdown on Windows

Security Tech Center:Speculative Execution Side Channel Bounty Program Terms

Microsoft Experience blog:Update on Spectre and Meltdown security updates for Windows devices

Windows for Business blog: Windows Analytics now helps assess Spectre and Meltdown protections

Microsoft Secure blog: Understanding the Performance Impact of Spectre and Meltdown Mitigations on Windows Systems

Edge Developer Blog: Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer

Azure Blog: Securing Azure customers from CPU vulnerability

SCCM guidance: Additional guidance to mitigate speculative execution side-channel vulnerabilities

List of technical resources and customer guidance

Microsoft Advisories:

Intel: Security Advisory

ARM: Security Advisory

AMD: Security Advisory

NVIDIA:Security Advisory

Consumer Guidance: Protecting your device against chip-related security vulnerabilities

Antivirus Guidance: Windows security updates released January 3, 2018, and antivirus software

Guidance for AMD Windows OS security update block: KB4073707: Windows operating system security update block for some AMD based devices

Update to Disable Mitigation against Spectre, Variant 2: KB4078130: Intel has identified reboot issues with microcode on some older processors

Surface Guidance: Surface Guidance to protect against speculative execution side-channel vulnerabilities

Verify the status of speculative execution side channel mitigations: Understanding Get-SpeculationControlSettings PowerShell script output

IT Pro Guidance: Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

Server Guidance: Windows Server guidance to protect against speculative execution side-channel vulnerabilities

Server Guidance for L1 Terminal Fault: Windows Server guidance to protect against L1 terminal fault

Developer guidance: Developer Guidance for Speculative Store Bypass

Server Hyper-V Guidance

Azure KB: KB4073235: Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities

Azure Stack guidance: KB4073418: Azure stack guidance to protect against the speculative execution side-channel vulnerabilities

Azure reliabilityAzure Reliability Portal

SQL Server guidance: KB4073225: SQL Server Guidance to protect against speculative execution side-channel vulnerabilities

Links to OEM and Server device manufacturers for updates to protect against Spectre and Meltdown vulnerabilities

To help address these vulnerabilities, you must update both your hardware and software. Use the following links to check with your device manufacturer for applicable firmware (microcode) updates.

List of OEM and Server device manufacturers

Use the following links to check with your device manufacturer for firmware (microcode) updates. You will have to install both operating system and firmware (microcode) updates for all available protections.

OEM Device Manufacturers Link to microcode availability
Acer Meltdown and Spectre security vulnerabilities
Asus ASUS Update on Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
Dell Meltdown and Spectre Vulnerabilities
Epson CPU vulnerabilities (side channel attacks)
Fujitsu CPU hardware vulnerable to side-channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
HP SUPPORT COMMUNICATION- SECURITY BULLETIN
Lenovo Reading Privileged Memory with a Side Channel
LG Get Product Help & Support
NEC On the response to the processor's vulnerability (meltdown, spectrum) in our products
Panasonic Security information of vulnerability by Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
Samsung Intel CPUs Software Update Announcement
Surface Surface Guidance to protect against speculative execution side-channel vulnerabilities
Toshiba Intel, AMD & Microsoft Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method Security Vulnerabilities (2017)
Vaio On the vulnerability support for side channel analysis
Server OEM Manufacturers Link to microcode availability
Dell Meltdown and Spectre Vulnerabilities
Fujitsu CPU hardware vulnerable to side-channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
HPE Hewlett Packard Enterprise Product Security Vulnerability Alerts
Huawei Security Notice - Statement on the Media Disclosure of the Security Vulnerabilities in the Intel CPU Architecture Design
Lenovo Reading Privileged Memory with a Side Channel

Frequently asked questions

My OEM device manufacturer is not listed. What do I do?

You will have to check with your device manufacturer for firmware (microcode) updates. If your device manufacturer is not listed in the table, contact your OEM directly.

Where can I find Surface firmware (microcode) updates?

Updates for Microsoft Surface devices are available to customers through Windows Update. For a list of available Surface device firmware (microcode) updates, see KB 4073065.

If your device is not from Microsoft, apply firmware updates from the device manufacturer. Contact your device manufacturerfor more information.

My operating system (OS) is not listed. When can I expect a fix to be released?

Addressing a hardware vulnerability by using a software update presents significant challenges and mitigations for older operating systems and can require extensive architectural changes. We are continuing to work with affected chip manufacturers to investigate the best way to provide mitigations. This may be provided in a future update. Replacing older devices that are running these older operating systems and also updating antivirus software should address the remaining risk.

Note

  • Products that are currently out of both mainstream and extended support will not receive these system updates. We recommend customers update to a supported system version.
  • Speculative execution side-channel attacks exploit CPU behavior and functionality. CPU manufacturers must first determine which processors may be at risk, and then notify Microsoft. In many cases, corresponding operating system updates will also be required to provide customers more comprehensive protection. We recommend that security-conscious Windows CE vendors work with their chip manufacturer to understand the vulnerabilities and applicable mitigations.
  • We will not be issuing updates for the following platforms:
    • Windows operating systems that are currently out of support or those entering end of service (EOS) in 2018
    • Windows XP-based systems including WES 2009 and POSReady 2009

Although Windows XP-based systems are affected products, Microsoft is not issuing an update for them because the comprehensive architectural changes that would be required would jeopardize system stability and cause application compatibility problems. We recommend that security-conscious customers upgrade to a newer supported operating system to keep pace with the changing security threat landscape and benefit from the more robust protections that newer operating systems provide.

Where can I find Microsoft HoloLens operating system and firmware (microcode) updates?

Updates to Windows 10 for HoloLens are available to HoloLens customers through Windows Update.

After applying the February 2018 Windows Security Update, HoloLens customers do not have to take any additional action to update their device firmware. These mitigations will also be included in all future releases of Windows 10 for HoloLens.

Where can I find Windows 10 Mobile firmware (microcode) updates?

Contact your OEM for more information.

If I have installed the latest security updates released by Microsoft, do I have to do anything else?

For your device to be fully protected, you should install the latest Windows operating system security updates for your device and applicable firmware (microcode) updates from your device manufacturer. These updates should be available on your device manufacturer's website. Antivirus software updates should be installed first. Operating system and firmware updates can be installed in either order.

Am I fully protected if I install only Windows security updates?

You will have to update both your hardware and your software to address this vulnerability. You will also have to install applicable firmware (microcode) updates from your device manufacturer for more comprehensive protection. We encourage you to keep your devices up-to-date by installing the monthly security updates.

Why is it so important to update my device to the latest feature release?

In each Windows 10 feature update, we build the latest security technology deep into the operating system, providing defense-in-depth features that prevent entire classes of malware from impacting your device. Feature update releases are targeted twice a year. In each monthly quality update, we add another layer of security that tracks emerging and changing trends in malware to make up-to-date systems safer in the face of changing and evolving threats.

My antivirus software is not listed as being compatible. What should I do?

Microsoft has lifted the AV compatibility check for Windows security updates for supported versions of Windows 10, Windows 8.1 and Windows 7 SP1 devices through Windows Update. 

Recommendations:

  • Make sure that your devices are up-to-date by having the latest security updates from Microsoft and your hardware manufacturer. For more info about how to keep your device up-to-date, see Windows Update: FAQ.
  • Continue to practice sensible caution when you visit websites of unknown origin, and do not remain on sites that you do not trust. Microsoft recommends that all customers protect their devices by running a supported antivirus program. Customers can also take advantage of built-in antivirus protection: Windows Defender for Windows 10 devices, or Microsoft Security Essentials for Windows 7 devices. These solutions are compatible in cases in which customers can’t install or run antivirus software.
I wasn’t offered the Windows security updates released in January or February. What should I do?

To help avoid adversely affecting customer devices, the Windows security updates released in January or February have not been offered to all customers. For details, see the Microsoft Knowledge Base article 4072699.

Intel has identified restart issues with microcode on some older processors. What should I do?

Intel has reported issues that affect recently released microcode that is intended to address Spectre Variant 2 (CVE-2017-5715 – “Branch Target Injection”). Specifically, Intel noted that this microcode can cause “higher than expected reboots and other unpredictable system behavior” and also that situations such as this may cause “data loss or corruption.”  Our own experience is that system instability can, in some circumstances, cause data loss or corruption. On January 22, Intel recommended that customers stop deploying the current microcode version on affected processors while they perform additional testing on the updated solution. We understand that Intel is continuing to investigate the potential impact of the current microcode version, and we encourage customers to review their guidance on an ongoing basis to inform their decisions.

While Intel tests, updates, and deploys new microcode, we are making available an out-of-band (OOB) update, KB 4078130, that specifically disables only the mitigation against CVE-2017-5715 – “Branch Target Injection.” In our testing, this update has been found to prevent the behavior described. For the full list of devices, see Intel’s microcode revision guidance. This update covers Windows 7 (SP1), Windows 8.1, and all versions of Windows 10, for client and server. If you are running an impacted device, this update can be applied by downloading it from the Microsoft Update Catalog website. Application of this payload specifically disables only the mitigation against CVE-2017-5715 – “Branch Target Injection.”

As of January 25, there are no known reports to indicate that this Spectre Variant 2 (CVE-2017-5715) has been used to attack customers. We recommend that, when appropriate, Windows customers re-enable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.

I have not installed any of the 2018 Security Only updates. If I install the latest 2018 Security Only updates, am I protected from the vulnerabilities described?

No. Security Only updates are not cumulative. Depending on the operating system version you are running, you must install the all released Security Only updates to be protected against these vulnerabilities. For example, if you are running Windows 7 for 32-bit Systems on an affected Intel CPU you have to install every Security Only update starting from January 2018. We recommend installing these Security Only updates in the order of release.
 
Note An earlier version of this FAQ stated incorrectly that the February Security Only update included the security fixes released in January. In fact, it does not.

If I apply any of the applicable February security updates, will they disable the protections for CVE-2017-5715 like security update 4078130 did?

No. Security update 4078130 was a specific fix to prevent unpredictable system behaviors, performance issues, and unexpected restarts after the installation of microcode. Applying the February security updates on Windows client operating systems enables all three mitigations. On Windows server operating systems, you still have to enable the mitigations after appropriate testing is performed. See Microsoft Knowledge Base article 4072698 for more information.

I've heard that AMD has released microcode updates. Where can I find and install these updates for my system?

AMD recently announced they have started to release microcode for newer CPU platforms around Spectre Variant 2  (CVE-2017-5715 "Branch Target Injection"). For more information refer to the AMD Security Updates and AMD Whitepaper: Architecture Guidelines around Indirect Branch Control. These are available from the OEM firmware channel.

I've heard Intel has released microcode updates. Where can I find them?

Intel recently announced they have completed their validations and started to release microcode for newer CPU platforms. Microsoft is making available Intel validated microcode updates around Spectre Variant 2  (CVE-2017-5715 "Branch Target Injection"). KB 4093836 lists specific Knowledge Base articles by Windows version. Each specific KB contains the available Intel microcode updates by CPU.

I upgraded my device to Windows 10 April 2018 Update (version 1803). Is there Intel microcode available for my device?

Microsoft is making available Intel validated microcode updates around Spectre Variant 2 (CVE-2017-5715 “Branch Target Injection**”**). To get the latest Intel microcode updates through Windows Update, customers must have installed Intel microcode on devices running a Windows 10 operating system prior to upgrading to the Windows 10 April 2018 Update (version 1803).

The microcode update is also available directly from the Update Catalog if it was not installed on the device prior to upgrading the system. Intel microcode is available through Windows Update, WSUS, or the Microsoft Update Catalog. For more information and download instructions, see KB 4100347.

Where can I find information about the new speculative execution side-channel vulnerabilities (Speculative Store Bypass - CVE-2018-3639 and Rogue System Register Read - CVE-2018-3640)?

For more information, see the following resources:

Where can I find more information about Windows support for Speculative Store Bypass Disable (SSBD) in Intel processors?

For details, see the “Recommended actions” and “FAQ” sections in ADV180012 | Microsoft Guidance for Speculative Store Bypass.

How do I determine whether SSBD is enabled or disabled?

To verify the status of SSBD, the Get-SpeculationControlSettings PowerShell script has been updated to detect affected processors, status of the SSBD operating system updates, and state of the processor microcode if applicable. For more information and to obtain the PowerShell script, see KB4074629.

I've heard that Lazy FP State Restore (CVE-2018-3665) was announced. Will Microsoft release mitigations for it?

On June 13, 2018, an additional vulnerability involving side-channel speculative execution, known as Lazy FP State Restore, was announced and assigned CVE-2018-3665. There are no configuration (registry) settings needed for Lazy Restore FP Restore.

For more information about this vulnerability and recommended actions, please refer to the Security Advisory: ADV180016 | Microsoft Guidance for Lazy FP State Restore

Note There are no configuration (registry) settings needed for Lazy Restore FP Restore.

I've heard that Bounds Check Bypass Store (CVE-2018-3693) is related to Spectre. Will Microsoft release mitigations for it?

Bounds Check Bypass Store (BCBS) was disclosed on July 10, 2018 and assigned CVE-2018-3693. We consider BCBS to belong to the same class of vulnerabilities as Bounds Check Bypass (Variant 1). We are not currently aware of any instances of BCBS in our software, but we are continuing to research this vulnerability class and will work with industry partners to release mitigations as required. We continue to encourage researchers to submit any relevant findings to Microsoft’s Speculative Execution Side Channel bounty program, including any exploitable instances of BCBS. Software developers should review the developer guidance that has been updated for BCBS at https:⁠//aka.ms/sescdevguide.

I've heard that L1 Terminal Fault (L1TF) was disclosed. Where can I find more information about it and Windows support for it?

On August 14, 2018, L1 Terminal Fault (L1TF) was announced and assigned multiple CVEs. These new speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and, if exploited, can lead to information disclosure. There are multiple vectors by which an attacker could trigger the vulnerabilities depending on the configured environment. L1TF affects Intel® Core® processors and Intel® Xeon® processors.

For more information about this vulnerability and a detailed view of affected scenarios, including Microsoft’s approach to mitigating L1TF please see the following resources:

Microsoft Surface customers: Customers using Microsoft Surface and Surface Book products need to follow the guidance for Windows Client outlined in the Security Advisory: ADV180018 | Microsoft Guidance to mitigate L1TF variant. See also Microsoft Knowledge Base Article 4073065 for more information about affected Surface products and availability of the microcode updates.

Microsoft Hololens customers: Microsoft HoloLens is unaffected by L1TF because it does not use an affected Intel processor.

How do I disable Hyper-Threading for L1TF on my device?

The steps that are necessary to disable Hyper-Threading will differ from OEM to OEM but are generally part of the BIOS or firmware setup and configuration tools.

Where can I find and install ARM64 firmware that mitigate CVE-2017-5715 - Branch target injection (Spectre Variant 2)?

Customers using 64-bit ARM processors should check with the device OEM for firmware support because ARM64 operating system protections that mitigate CVE-2017-5715 - Branch target injection (Spectre, Variant 2) require the latest firmware update from device OEMs to take effect.

I've heard there is a variant of the Spectre Variant 1 speculative execution side channel vulnerability. Where can I learn more?

For details about this vulnerability, see the Microsoft Security Guide: CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability.

Does CVE-2019-1125 \| Windows Kernel Information Disclosure Vulnerability affect Microsoft’s cloud services?

We’re not aware of any instance of this information disclosure vulnerability affecting our cloud service infrastructure.

If updates for CVE-2019-1125 \| Windows Kernel Information Disclosure Vulnerability were released on July 9, 2019, why were the details published on August 6, 2019?

As soon as we became aware of this issue, we worked quickly to address it and release an update. We strongly believe in close partnerships with both researchers and industry partners to make customers more secure, and did not publish details until Tuesday, August 6, consistent with coordinated vulnerability disclosure practices.

References

Third-party contact disclaimer

Microsoft provides third-party contact information to help you find additional information about this topic. This contact information may change without notice. Microsoft does not guarantee the accuracy of third-party contact information.