Summary
Spectre is a new class of hardware vulnerabilities that involve speculative execution side channels that may be used to disclose information about the program being attacked. For more information, see this Visual C++ Team Blog article and security advisory 180002.
If you are a developer whose code operates on data that crosses a trust boundary, you should consider installing these updates, recompiling your code with the /Qspectre switch enabled, and then linking to the Spectre-mitigated libraries that are provided. /Qspectre and the libraries provide mitigation assistance for Spectre Variant 1 - CVE-2017-5753.
How to get this update
Tool set update
For all architectures
Spectre-mitigated VC++ libraries
For all supported x86-based systems
For all supported x64-based systems
For all supported ARM-based systems
Prerequisites
To apply this update, you must have Update 3 for Visual Studio 2015 installed.
Restart information
You may have to restart the computer after you apply this update.
Replacement information
This update does not replace any previously released update.
More information about this update
When you install the tool set update, you can enable /Qspectre manually from the C/C++ command-line options.
You should also install the Spectre-mitigated VC++ libraries (one update per architecture), and then manually link to them.
The paths are as follows:
x86: C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\lib\spectre
x64: C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\lib\spectre\amd64
ARM: C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\lib\spectre\arm
We are providing static linking support and application local deployment only. The contents of the Visual C++ 2015 Runtime Libraries Redistributable were not modified. Application local deployment means that you link to the new Spectre libraries by using the Multithreaded DLL (/MD or /MDd) option, and then, when you deploy your new program, you include the mitigated runtimes in the same directory as the .exe file that loads them. The centrally deployed version of the runtime (the one in C:\Windows\System32 or C:\Windows\SysWOW64) is the non-mitigated version. If the executable file is not in the same directory, it picks up the centrally deployed version of the runtime.
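One way to check the application-local deployment described above, as an added example that is not from the original article: the script lists the runtime DLLs a deployed .exe imports and flags any that are missing beside it or byte-identical to the centrally deployed copy. The `$ExePath` parameter and `app.cpp` are hypothetical; the DLL names and directory paths come from this article.

```powershell
# Added example: check that a /MD build will load app-local VC++ runtime DLLs.
# Assumes a VS2015 developer prompt (dumpbin.exe on PATH) and a build such as:
#   cl /Qspectre /MD app.cpp /link /LIBPATH:"C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\lib\spectre\amd64"
# (app.cpp is a hypothetical source file; the path is the article's x64 path.)
param(
    [Parameter(Mandatory = $true)] [string] $ExePath  # deployed .exe to check
)

# Native runtime DLL names that appear in this article's file list.
$runtimeDlls = 'concrt140.dll', 'msvcp140.dll', 'vcamp140.dll',
               'vccorlib140.dll', 'vcruntime140.dll', 'mfc140u.dll', 'mfcm140u.dll'

# Centrally deployed (non-mitigated) runtime locations named in the article.
$centralDirs = "$env:WINDIR\System32", "$env:WINDIR\SysWOW64"

$exe    = (Resolve-Path -LiteralPath $ExePath).Path
$appDir = Split-Path -Parent $exe

# dumpbin /DEPENDENTS prints each imported DLL on its own indented line.
$imports = & dumpbin.exe /NOLOGO /DEPENDENTS $exe |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^\S+\.dll$' }
$needed = @($imports | Where-Object { $runtimeDlls -contains $_ })

$results = @(foreach ($dll in $needed) {
    $local = Join-Path $appDir $dll
    if (-not (Test-Path -LiteralPath $local)) {
        $status = 'MISSING beside the .exe: the central copy would be loaded'
    } else {
        $hash = (Get-FileHash -LiteralPath $local -Algorithm SHA256).Hash
        # A byte-identical match means the central copy was deployed app-locally.
        $match = $centralDirs | ForEach-Object { Join-Path $_ $dll } |
            Where-Object { Test-Path -LiteralPath $_ } |
            Where-Object { (Get-FileHash -LiteralPath $_ -Algorithm SHA256).Hash -eq $hash }
        $status = if ($match) { 'SAME AS CENTRAL COPY' } else { 'OK: differs from central copy' }
    }
    [pscustomobject]@{ Dll = $dll; Status = $status }
})

$results | Format-Table -AutoSize
if (@($results | Where-Object { $_.Status -notlike 'OK*' }).Count -gt 0) { exit 1 }
```

A status of OK only shows that the app-local file is not the centrally deployed one; it does not by itself identify which build of the runtime was copied.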
For ease of use, we are also providing copies of most libraries in the Spectre library directories. However, they are not all Spectre-mitigated. The following table specifies which libraries are mitigated. Note also that the files that have Spectre mitigations should be consistent across all architectures, if the technology is supported for that architecture.
- binmode.obj
- chkstk.obj
- commode.obj
- comsupp.lib
- comsuppw.lib
- concrt.lib
- delayimp.lib
- invalidcontinue.obj
- iso_stdio_wide_specifiers.lib
- legacy_stdio_definitions.lib
- legacy_stdio_wide_specifiers.lib
- libcmt.lib
- libconcrt.lib
- libconcrt1.lib
- libcpmt.lib
- libcpmt1.lib
- libvcruntime.lib
- loosefpmath.obj
- msvcmrt.lib
- msvcprt.lib
- msvcrt.lib
- newmode.obj
- noarg.obj
- noenv.obj
- notelemetry.obj
- nothrownew.obj
- oldnames.lib
- ptrustm.lib
- setargv.obj
- threadlocale.obj
- vcamp.lib
- vccorlib.lib
- vcomp.lib
- vcruntime.lib
- wsetargv.obj
- onecore\iso_stdio_wide_specifiers.lib
- onecore\legacy_stdio_definitions.lib
- onecore\legacy_stdio_wide_specifiers.lib
- onecore\libcmt.lib
- onecore\libcpmt.lib
- onecore\libcpmt1.lib
- onecore\libvcruntime.lib
- onecore\msvcprt.lib
- onecore\msvcrt.lib
- onecore\oldnames.lib
- onecore\vccorlib.lib
- onecore\vcomp.lib
- onecore\vcruntime.lib
- concrt140.dll
- mfc140chs.dll
- mfc140cht.dll
- mfc140deu.dll
- mfc140enu.dll
- mfc140esn.dll
- mfc140fra.dll
- mfc140ita.dll
- mfc140jpn.dll
- mfc140kor.dll
- mfc140rus.dll
- mfc140u.dll
- mfcm140u.dll
- Microsoft.VisualC.STLCLR.dll
- msvcp140.dll
- vcamp140.dll
- vccorlib140.dll
- vcruntime140.dll
- onecore\concrt140.dll
- onecore\msvcp140.dll
- onecore\vccorlib140.dll
- onecore\vcruntime140.dll