Microsoft is aware of a new publicly disclosed class of vulnerabilities that are referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems, including chipsets from Intel, AMD, and ARM.
Note This issue also affects other systems, such as Android, Chrome, iOS, and MacOS. Therefore, we advise customers to seek guidance from those vendors.
Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See the following sections for more information.
Microsoft has not yet received any information to indicate that these vulnerabilities have been used to attack customers. Microsoft continues working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers. To get all available protections, hardware or firmware updates and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software.
This advisory addresses the following vulnerabilities:
- CVE-2017-5715 (branch target injection)
- CVE-2017-5753 (bounds check bypass)
- CVE-2017-5754 (rogue data cache load)
To learn more about this class of vulnerabilities, see ADV180002.
The following sections will help you identify, mitigate, and remedy Windows Server environments that are affected by the vulnerabilities that are identified in Microsoft Security Advisory ADV180002. The advisory also explains how to enable the update for your systems.
To address these issues, Microsoft is working together with the hardware industry to develop mitigations and guidance.
Customers should take the following actions to help protect against the vulnerabilities:
- Apply all available Windows operating system updates, including the monthly Windows security updates. For details about how to enable this update, see Microsoft Knowledge Base article 4072699.
- Make necessary configuration changes to enable protection.
- Apply an applicable firmware update from the OEM device manufacturer.
Important Customers who install only the Windows security updates will not receive the benefit of all known protections.
Windows Server-based machines (physical or virtual) should install the January and February 2018 Windows security updates available from Windows Update. The following updates are available:
| Operating system version | Update KB (x64) |
| --- | --- |
| Windows Server, version 1709 (Server Core Installation) | |
| Windows Server 2016 | |
| Windows Server 2012 R2 | |
| Windows Server 2012 | See FAQ Q3 |
| Windows Server 2008 R2 | |
| Windows Server 2008 | See FAQ Q3 |
In addition to installing the latest Windows security updates, a processor microcode update is required. This should be available through your OEM.
Enabling protections on the server
Customers have to enable mitigations to receive all available protections against speculative execution side-channel vulnerabilities.
Enabling these mitigations may affect performance. The actual performance impact will depend on multiple factors, such as the specific chipset in your physical host and the workloads that are running. Microsoft recommends that customers assess the performance impact for their environment and make necessary adjustments.
Your server is at increased risk if it is in one of the following categories:
- Hyper-V hosts – Requires protection for VM to VM and VM to host attacks.
- Remote Desktop Services Hosts (RDSH) – Requires protection from one session to another session or from session to host attacks.
- For physical hosts or virtual machines that are running untrusted code such as containers or untrusted extensions for database, untrusted web content or workloads that run code that is provided from external sources – Requires protection from untrusted process to another process or from untrusted process to kernel attacks.
Use these registry keys to enable the mitigations on the server and make sure that the system is restarted for the changes to take effect:
| Switch | Registry Settings |
| --- | --- |
| To enable the fix | If this is a Hyper-V host and the firmware updates have been applied: fully shut down all virtual machines (to enable the firmware-related mitigation for VMs, the firmware update must be applied on the host before the VM starts). Restart the server for the changes to take effect. |
| To disable the fix | Restart the server for the changes to take effect. |
(There is no need to change MinVmVersionForCpuBasedMitigations.)
Note Setting FeatureSettingsOverrideMask to 3 is accurate for both enable/disable settings (see the FAQ for more details on registry keys).
Note For Hyper-V hosts, live migration between patched and unpatched hosts may fail: See https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms for more information.
Note For Windows Server 2016 Hyper-V there is an alternative protection mechanism that you can use on hosts that do not yet have updated firmware available. For more information, see Alternative protections for Windows Server 2016 Hyper-V Hosts against the speculative execution side-channel vulnerabilities.
Disable mitigation against Spectre Variant 2
While Intel tests, updates, and deploys new microcode, we are offering a new option for advanced users on impacted devices to manually disable and enable the mitigation against Spectre Variant 2 (CVE-2017-5715) independently via registry setting changes.
If you have installed the microcode, but want to disable CVE-2017-5715 - Branch target injection mitigation due to unexpected reboots and/or system stability issues, use the following instructions.
To disable Variant 2 (CVE-2017-5715, Branch Target Injection):
To enable Variant 2 (CVE-2017-5715, Branch Target Injection):
Note Disabling and enabling Variant 2 via registry setting changes requires a restart and administrative rights.
Verifying that protections are enabled
To help customers verify that protections have been enabled, Microsoft has published a PowerShell script that customers can run on their systems. Install and run the script by running the following commands:
PowerShell Verification using the PowerShell Gallery (Windows Server 2016 or WMF 5.0/5.1)
Install the PowerShell Module
Run the PowerShell module to validate the protections are enabled
PowerShell Verification using a download from Technet (Earlier OS versions/Earlier WMF versions)
Install the PowerShell Module from Technet ScriptCenter.
Download SpeculationControl.zip to a local folder.
Extract the contents to a local folder, for example C:\ADV180002
Run the PowerShell module to validate the protections are enabled
Start PowerShell, then (using the example above), copy and run the following commands:
The output of this PowerShell script will resemble the following. Enabled protections appear in the output as “True.”
PS C:\> Get-SpeculationControlSettings
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID optimization is enabled: True
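The verification step above, as an added example that is not part of the Microsoft article: this function installs the SpeculationControl module from the PowerShell Gallery if it is missing, runs Get-SpeculationControlSettings, and maps the result to the action the article prescribes (OEM firmware, OS update, or registry enable). The property names read from the result (BTI*, KVAShadow*) and the -Quiet switch are assumed to match the module's output; confirm with Get-Member if your module version differs.

```powershell
# Added example (not the article's or the module's own code). Assumes the
# SpeculationControl module's result object exposes BTIHardwarePresent,
# BTIWindowsSupportPresent, BTIWindowsSupportEnabled, KVAShadowRequired,
# KVAShadowWindowsSupportPresent and KVAShadowWindowsSupportEnabled.
function Test-SpeculationProtection {
    param([switch]$Install)   # -Install permits Install-Module from the Gallery
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        if (-not $Install) { throw 'SpeculationControl module missing; rerun with -Install' }
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    # -Quiet suppresses the printed report and returns only the settings object
    $s = Get-SpeculationControlSettings -Quiet
    $findings = @()

    # CVE-2017-5715 needs all three: OEM microcode, OS support, and the registry enable
    if (-not $s.BTIHardwarePresent) {
        $findings += 'CVE-2017-5715: no microcode support; apply the OEM firmware update'
    } elseif (-not $s.BTIWindowsSupportPresent) {
        $findings += 'CVE-2017-5715: OS support missing; install the January/February 2018 updates'
    } elseif (-not $s.BTIWindowsSupportEnabled) {
        $findings += 'CVE-2017-5715: not enabled; set FeatureSettingsOverride/Mask and restart'
    }
    # CVE-2017-5754 only applies when the CPU requires kernel VA shadowing
    if ($s.KVAShadowRequired) {
        if (-not $s.KVAShadowWindowsSupportPresent) {
            $findings += 'CVE-2017-5754: OS support missing; install the January/February 2018 updates'
        } elseif (-not $s.KVAShadowWindowsSupportEnabled) {
            $findings += 'CVE-2017-5754: not enabled; set FeatureSettingsOverride/Mask and restart'
        }
    }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Protected    = ($findings.Count -eq 0)   # $true only when nothing is left to do
        Findings     = $findings
        Settings     = $s
    }
}
```

To assess several servers at once, run the same function remotely with `Invoke-Command -ComputerName srv1,srv2 -ScriptBlock ${function:Test-SpeculationProtection}` (the module must already be installed on each target, since -Install is not passed).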
Frequently asked questions
Q1: I wasn’t offered the Windows security updates that were released in January and February. What should I do?
A1: To help avoid adversely affecting customer devices, the Windows security updates released in January and February 2018 have not been offered to all customers. For details, see Microsoft Knowledge Base Article 4072699.
Q2: How can I tell whether I have the correct version of the CPU microcode?
A2: The microcode is delivered through a firmware update. Consult with your OEM about the firmware version that has the appropriate update for your CPU.
Q3: Why aren't Windows Server 2008 and Windows Server 2012 platforms getting an update? When can customers expect the fix?
A3: Addressing a hardware vulnerability by using a software update presents significant challenges, and some operating systems require extensive architectural changes. Microsoft is continuing to work together with affected chip manufacturers to investigate the best way to provide mitigations.
Q4: What is the performance impact for the mitigations?
A4: There are multiple variables that affect the performance of these mitigations, ranging from the CPU version to the running workloads. In some systems, the performance impact will be negligible, and in others it will be considerable.
Microsoft recommends that customers assess the performance impact for their systems and make adjustments if necessary.
Q5: I am running Windows Server in a third-party hosted environment or cloud. What should I do?
A5: In addition to the guidance above to address virtual machines, you have to contact your service provider to make sure that the hosts that are running your virtual machines are adequately protected.
For Windows Server virtual machines that are running in Azure, see this Azure blog. For using Azure Update Management to mitigate against this issue on guest VMs, see this article.
Q6: Are there any Windows Server container-specific guidelines?
A6: The updates released for Windows Server container images for Windows Server 2016 and Windows 10 Version 1709 include the mitigations for this set of vulnerabilities, and no additional configuration is required.
Note You still have to make sure that the host on which these containers are running is configured by using the appropriate mitigations.
Q7: Do the software and hardware updates have to be installed in a particular order?
A7: No, the installation order doesn't matter.
Q8: Do I have to restart after the microcode but before the OS update?
A8: Yes, you have to restart after each one: once after the microcode update, and again after the operating system update.
Q9: Can you provide more details on the registry keys?
A9: Here are the details for the registry keys:
FeatureSettingsOverride represents a bitmap that overrides the default setting and controls which mitigations will be disabled. Bit 0 controls the mitigation corresponding to CVE-2017-5715 and Bit 1 controls the mitigation corresponding to CVE-2017-5754. The bits are set to “Zero” to enable the mitigation and to “One” to disable the mitigation.
FeatureSettingsOverrideMask represents a bitmap mask that is used in conjunction with FeatureSettingsOverride. In this case, we use the value 3 (binary 11), which selects the first two bits, the ones that correspond to the available mitigations. This registry key is set to 3 both when we want to enable the mitigations and when we want to disable them.
MinVmVersionForCpuBasedMitigations is for Hyper-V hosts. This registry key defines the minimum VM version that will be able to use the updated firmware capabilities (CVE-2017-5715). We set this to 1.0 to cover all VM versions. Note that this registry value will be ignored (benign) on non-Hyper-V hosts. For more details, see https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms.
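The registry procedure from "Enabling protections on the server" and "Disable mitigation against Spectre Variant 2", and the bitmap described in this answer, as one added example that is not part of the Microsoft article. The two registry paths are the standard Windows locations for these values and are assumptions here (the page does not state them); Set-SpeculationMitigation writes the values, and Get-SpeculationMitigation decodes the bitmap back into a per-CVE verdict.

```powershell
# Added example (not from the Microsoft article). Registry paths below are
# assumed standard locations; run in an elevated PowerShell and restart the
# server afterwards for the change to take effect.
$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$Virt    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

# FeatureSettingsOverride bit layout (FAQ Q9): bit 0 = CVE-2017-5715, bit 1 =
# CVE-2017-5754; a 0 bit enables that mitigation, a 1 bit disables it. The mask
# is always 3 (binary 11) so that exactly these two bits are overridden.
$BitBTI  = 1   # CVE-2017-5715, branch target injection (Spectre variant 2)
$BitKVAS = 2   # CVE-2017-5754, rogue data cache load

function Set-SpeculationMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('EnableAll', 'DisableAll', 'DisableVariant2Only')]
        [string]$Mode,
        [switch]$HyperVHost   # also sets MinVmVersionForCpuBasedMitigations = 1.0
    )
    $override = switch ($Mode) {
        'EnableAll'           { 0 }
        'DisableAll'          { $BitBTI -bor $BitKVAS }   # 3
        'DisableVariant2Only' { $BitBTI }                 # 1: keep CVE-2017-5754 on
    }
    if ($PSCmdlet.ShouldProcess($MemMgmt, "FeatureSettingsOverride=$override Mask=3")) {
        New-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverride -PropertyType DWord -Value $override -Force | Out-Null
        New-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3 -Force | Out-Null
        if ($HyperVHost) {
            if (-not (Test-Path $Virt)) { New-Item -Path $Virt -Force | Out-Null }
            New-ItemProperty -Path $Virt -Name MinVmVersionForCpuBasedMitigations -PropertyType String -Value '1.0' -Force | Out-Null
        }
    }
}

function Get-SpeculationMitigation {
    # Decodes the current registry state into a per-CVE verdict.
    $p = Get-ItemProperty -Path $MemMgmt -ErrorAction SilentlyContinue
    $o = $p.FeatureSettingsOverride; $m = $p.FeatureSettingsOverrideMask
    $verdict = {
        param($bit)
        if ($null -eq $o -or $null -eq $m -or -not ($m -band $bit)) { 'Not overridden (server default, not enabled)' }
        elseif ($o -band $bit) { 'Disabled' } else { 'Enabled' }
    }
    [pscustomobject]@{
        'CVE-2017-5715' = & $verdict $BitBTI
        'CVE-2017-5754' = & $verdict $BitKVAS
    }
}
```

Run `Set-SpeculationMitigation -Mode EnableAll -HyperVHost -WhatIf` first to see the values that would be written; Get-SpeculationMitigation reports only the registry configuration, not whether the OEM microcode is present, so pair it with Get-SpeculationControlSettings.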
Q10: Can I set the registry keys before installing the update and then install the update and restart for the changes to take effect?
A10: Yes, there is no side-effect if these registry settings are applied prior to installing January 2018 related fixes.
Q11: Can you provide more details on the output of the PowerShell verification script?
A11: A detailed description of the script output can be found in Understanding the output of the Get-SpeculationControlSettings PowerShell script.
Q12: If the firmware update is not yet available from my OEM, is there still a way to protect my Hyper-V host?
A12: Yes, for Windows Server 2016 Hyper-V hosts that do not yet have the firmware update available to them, we have published alternative guidance that can help mitigate the VM to VM or VM to host attacks. Please see the guidance here: Alternative protections for Windows Server 2016 Hyper-V Hosts against the speculative execution side-channel vulnerabilities.
Q13: Intel has identified reboot issues with microcode on some older processors. What should I do?
A13: Intel has reported issues with recently released microcode meant to address Spectre variant 2 (CVE-2017-5715, Branch Target Injection). Specifically, Intel noted that this microcode can cause “higher than expected reboots and other unpredictable system behavior”, and then noted that situations like this may result in “data loss or corruption.” Our own experience is that system instability can in some circumstances cause data loss or corruption. On January 22, Intel recommended that customers stop deploying the current microcode version on impacted processors while they perform additional testing on the updated solution. We understand that Intel is continuing to investigate the potential impact of the current microcode version and encourage customers to review their guidance on an ongoing basis to inform their decisions.
While Intel tests, updates, and deploys new microcode, we are making available an out-of-band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 (“Branch target injection vulnerability”). In our testing, this update has been found to prevent the behavior described. For the full list of devices, see Intel’s microcode revision guidance. This update covers Windows 7 (SP1), Windows 8.1, and all versions of Windows 10, for client and server. If you are running an impacted device, this update can be applied by downloading it from the Microsoft Update Catalog website. Application of this payload specifically disables only the mitigation against CVE-2017-5715 (“Branch target injection vulnerability”).
As of this time, there are no known reports to indicate that this Spectre variant 2 (CVE-2017-5715) has been used to attack customers. We recommend that Windows customers, when appropriate, re-enable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.
Q14: I have an x86 architecture, but I don’t see an update offered. Will I get one?
A14: Only Windows Server 2008 supports x86 systems. We are working with affected chip manufacturers to determine the best way to provide mitigations for x86 customers. These may be delivered in future updates.
Q15: I have not installed the January 2018 Security Only updates. If I install the February 2018 Security Only updates, am I protected from the vulnerabilities described in this advisory?
A15: Yes. While Security Only updates are not normally cumulative, to ensure customers are protected, Microsoft is including the mitigations against these vulnerabilities in the February Security Only updates. These updates also include the updates for AMD-based devices.
Q16: If I apply any of the applicable February security updates, will they disable the protections for CVE-2017-5715 like security update 4078130 did?
A16: No. Security update 4078130 was a specific fix to prevent unpredictable system behaviors, performance issues, and/or unexpected reboots after installation of microcode. Applying the February security updates on Windows client operating systems enables all three mitigations. On Windows Server operating systems, you still need to enable the mitigations after proper testing is performed. See Microsoft Knowledge Base Article 4072698 for more information.