Windows client guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

Applies to: Windows Server 2016 Version 1709, Windows Server 2012 R2 Standard, Windows Server 2012 Standard

Summary


Microsoft is aware of a new publicly disclosed class of vulnerabilities that are called “speculative execution side-channel attacks” and that affect many modern processors including Intel, AMD, and ARM.

Note This issue also affects other operating systems, such as Android, Chrome, iOS, and macOS. Therefore, we advise customers to seek guidance from those vendors.

Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See the following sections for more details.

Microsoft has not yet received any information to indicate that these vulnerabilities have been used to attack customers. Microsoft is working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers. To get all available protections, firmware (microcode) and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software.

This article addresses the following vulnerabilities:

  CVE-2017-5753 (Spectre Variant 1, Bounds Check Bypass)
  CVE-2017-5715 (Spectre Variant 2, Branch Target Injection)
  CVE-2017-5754 (Meltdown, Rogue Data Cache Load)
  CVE-2018-3639 (Speculative Store Bypass)

Windows Update will also provide Internet Explorer and Edge mitigations. We will continue to improve these mitigations against this class of vulnerabilities.

To learn more about this class of vulnerabilities, see ADV180002 and ADV180012.

Recommended actions


Customers should take the following actions to help protect against the vulnerabilities:

  1. Apply all available Windows operating system updates, including the monthly Windows security updates.
  2. Apply the applicable firmware (microcode) update that is provided by the device manufacturer.
  3. Evaluate the risk to your environment based on the information provided on Microsoft Security Advisories ADV180002 and ADV180012 and on this knowledge base article.
  4. Take action as required using the advisories and registry key information provided in this knowledge base article.

Note Surface customers will receive a microcode update through Windows Update. For a list of available Surface device firmware (microcode) updates, see KB 4073065.

Mitigation Settings for Windows Client


Security advisories ADV180002 and ADV180012 provide information on the risk posed by these vulnerabilities and identify the default state of mitigations for Windows client systems. The following table summarizes, for each CVE, whether the mitigation requires a CPU microcode update and its default status on Windows client.

CVE             Requires CPU microcode?   Mitigation default status
CVE-2017-5753   No                        Enabled by default (no option to disable)
CVE-2017-5715   Yes                       Enabled by default. Users of systems based on AMD processors should see FAQ #15 on ADV180002 for additional action and this KB article for applicable registry key settings.
CVE-2017-5754   No                        Enabled by default
CVE-2018-3639   Yes                       Disabled by default. See ADV180012 for more information and this KB article for applicable registry key settings.

Enabling mitigations that are off-by-default may affect performance. The actual performance effect depends on multiple factors, such as the specific chipset in the device and the workloads that are running.

Registry Settings


We are providing the following registry information to enable mitigations that are not enabled by default, as documented in Security Advisories ADV180002 and ADV180012. We are also providing registry key settings for users who want to disable the mitigations related to CVE-2017-5715 and CVE-2017-5754 on Windows clients. Disabling a mitigation removes its protection; do this only to work around a specific problem, and re-enable the mitigation once the problem is resolved.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it, so that you can restore it if a problem occurs. For more information about how to back up and restore the registry, see the following Microsoft Knowledge Base article:

322756 How to back up and restore the registry in Windows

Manage mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)


To enable mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

To disable mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

Note Setting FeatureSettingsOverrideMask to 3 is accurate for both the "enable" and "disable" settings. (See the "FAQ" section for more details about registry keys.)

Manage the mitigation for CVE-2017-5715 (Spectre Variant 2)


While Intel tests, updates, and deploys new microcode, we are offering a new option for advanced users on affected devices to manually disable and enable the mitigation against Spectre Variant 2 (CVE-2017-5715 – "Branch Target Injection") independently through registry setting changes.

If you have installed the microcode, but you want to disable the CVE-2017-5715 mitigation because of unexpected restarts or system stability issues, use the following instructions.

To disable the Variant 2 (CVE-2017-5715, "Branch Target Injection") mitigation:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

To enable the Variant 2 (CVE-2017-5715, "Branch Target Injection") mitigation:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

Enable using Indirect Branch Prediction Barrier (IBPB) for Spectre Variant 2 on AMD processors (CPUs)


Some AMD processors (CPUs) offer an indirect branch control feature to mitigate indirect branch target injections through an Indirect Branch Prediction Barrier (IBPB) mechanism. (For more information, see FAQ #15 in ADV180002 and AMD Architecture Guidelines around Indirect Branch Control and AMD Security Updates).

To enable using Indirect Branch Prediction Barrier (IBPB) when you switch from user context to kernel context:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 64 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

Manage mitigations for CVE-2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)


To enable mitigations for CVE-2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

To disable mitigations for CVE-2018-3639 (Speculative Store Bypass) and for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.
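The procedures above each set the same two registry values to a different pair of numbers. The following PowerShell script is an added example, not part of this article or of any Microsoft tool: it reads the current FeatureSettingsOverride/FeatureSettingsOverrideMask pair, reports which of the documented settings it corresponds to, and applies one of them with -WhatIf support. The (Override, Mask) pairs are exactly those given above; the profile names, function names and the Remove-* helper are this example's own choices. Run it from an elevated PowerShell session; a restart is still required after any change.

```powershell
# Added example (not part of the original KB article): read, decode and set the
# FeatureSettingsOverride / FeatureSettingsOverrideMask pair documented above.
# Profile names and function names are this example's own; the values are the article's.

$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

$Profiles = [ordered]@{
    EnableAll           = @{ Override = 0;  Mask = 3 }   # Spectre v2 + Meltdown mitigations on
    DisableAll          = @{ Override = 3;  Mask = 3 }   # Spectre v2 + Meltdown (and SSB) off
    DisableVariant2Only = @{ Override = 1;  Mask = 3 }   # keep Meltdown, drop Spectre v2 (BTI)
    EnableIbpbAmd       = @{ Override = 64; Mask = 3 }   # IBPB on user->kernel switch, AMD CPUs
    EnableSsbAndAll     = @{ Override = 8;  Mask = 3 }   # SSB + Spectre v2 + Meltdown on
}

function Get-SpeculationOverride {
    # Returns the current pair and the documented profile it matches, if any.
    $p = Get-ItemProperty -Path $MemMgmt -ErrorAction Stop
    $override = $p.FeatureSettingsOverride        # $null when the value does not exist
    $mask     = $p.FeatureSettingsOverrideMask
    if ($null -eq $override -or $null -eq $mask) {
        $name = 'NotSet (OS defaults apply)'
    } else {
        $name = 'Custom (not one of the documented pairs)'
        foreach ($e in $Profiles.GetEnumerator()) {
            if ($e.Value.Override -eq $override -and $e.Value.Mask -eq $mask) { $name = $e.Key; break }
        }
    }
    [pscustomobject]@{
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        Profile                     = $name
    }
}

function Set-SpeculationOverride {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('EnableAll','DisableAll','DisableVariant2Only','EnableIbpbAmd','EnableSsbAndAll')]
        [string]$Profile
    )
    $v = $Profiles[$Profile]
    $what = "FeatureSettingsOverride=$($v.Override), FeatureSettingsOverrideMask=$($v.Mask) [$Profile]"
    if ($PSCmdlet.ShouldProcess($MemMgmt, "Set $what")) {
        # New-ItemProperty -Force overwrites an existing value, like 'reg add ... /f'.
        New-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverride     -PropertyType DWord -Value $v.Override -Force | Out-Null
        New-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverrideMask -PropertyType DWord -Value $v.Mask     -Force | Out-Null
        Write-Warning "Set $what. Restart the computer for the change to take effect."
    }
}

function Remove-SpeculationOverride {
    # Deleting both values returns the system to the OS default mitigation state.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($MemMgmt, 'Remove FeatureSettingsOverride and FeatureSettingsOverrideMask')) {
        Remove-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverride, FeatureSettingsOverrideMask -ErrorAction SilentlyContinue
        Write-Warning 'Restart the computer for the change to take effect.'
    }
}

# Usage: show the current state, then preview a change before applying it.
Get-SpeculationOverride
# Set-SpeculationOverride -Profile EnableSsbAndAll -WhatIf   # drop -WhatIf to apply
```

Because every documented setting uses a mask of 3, the script treats the (Override, Mask) pair as a unit and reports anything else as "Custom"; that makes drift from the documented values visible when the check is run across a fleet.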

Verifying that protections are enabled


To help customers verify that protections are enabled, Microsoft has published a PowerShell script that customers can run on their systems. Install and run the script by running the following commands.

PowerShell Verification by using the PowerShell Gallery (Windows Server 2016 or WMF 5.0/5.1)

Install the PowerShell Module:

PS> Install-Module SpeculationControl

Run the PowerShell module to verify that protections are enabled:

PS> # Save the current execution policy so it can be reset

PS> $SaveExecutionPolicy = Get-ExecutionPolicy

PS> Set-ExecutionPolicy RemoteSigned -Scope Currentuser

PS> Import-Module SpeculationControl

PS> Get-SpeculationControlSettings

PS> # Reset the execution policy to the original state

PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser

PowerShell Verification by using a download from TechNet (earlier operating system versions and earlier WMF versions)

Install the PowerShell Module from TechNet ScriptCenter:

Go to https://aka.ms/SpeculationControlPS

Download SpeculationControl.zip to a local folder.

Extract the contents to a local folder, for example C:\ADV180002

Run the PowerShell module to verify that protections are enabled:

Start PowerShell, then (by using the previous example) copy and run the following commands:

PS> # Save the current execution policy so it can be reset

PS> $SaveExecutionPolicy = Get-ExecutionPolicy

PS> Set-ExecutionPolicy RemoteSigned -Scope Currentuser

PS> CD C:\ADV180002\SpeculationControl

PS> Import-Module .\SpeculationControl.psd1

PS> Get-SpeculationControlSettings

PS> # Reset the execution policy to the original state

PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser

For a detailed explanation of the output of the PowerShell script, please see Knowledge Base article 4074629.
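Get-SpeculationControlSettings prints a human-readable summary and also returns an object. The following PowerShell function is an added example, not part of this article or of the SpeculationControl module: it reduces that object to one status row per CVE so the result can be filtered, and it flags any mitigation that the system needs but does not have enabled. The property names it reads (BTI*, KVAShadow*, SSBD*) are those described in Knowledge Base article 4074629 for the module output; they are assumed here, so confirm them against the module version you install. It requires the module to be installed as shown above.

```powershell
# Added example (not part of the original KB article): one status row per CVE from the
# object that Get-SpeculationControlSettings returns. Property names are assumed from
# KB 4074629 (BTI* = CVE-2017-5715, KVAShadow* = CVE-2017-5754, SSBD* = CVE-2018-3639).

function Get-SpeculationStatusReport {
    [CmdletBinding()]
    param()
    $s = Get-SpeculationControlSettings          # also prints the module's own summary

    # CVE-2017-5715: needs microcode (hardware support), OS support, and must not be
    # switched off through FeatureSettingsOverride.
    $btiDetail = ''
    if ($s.BTIDisabledBySystemPolicy)          { $btiDetail = 'disabled by FeatureSettingsOverride' }
    elseif ($s.BTIDisabledByNoHardwareSupport) { $btiDetail = 'microcode update missing' }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        CVE       = 'CVE-2017-5715'
        Name      = 'Spectre Variant 2 (BTI)'
        Required  = $true
        Hardware  = [bool]$s.BTIHardwarePresent
        OsSupport = [bool]$s.BTIWindowsSupportPresent
        Enabled   = [bool]$s.BTIWindowsSupportEnabled
        Detail    = $btiDetail
    }

    # CVE-2017-5754: KVAShadowRequired is $false on CPUs that are not vulnerable,
    # in which case the mitigation is not needed. No microcode is required (see table above).
    $kvaDetail = ''
    if ($s.KVAShadowPcidEnabled) { $kvaDetail = 'PCID in use (lower overhead)' }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        CVE       = 'CVE-2017-5754'
        Name      = 'Meltdown (KVA shadow)'
        Required  = [bool]$s.KVAShadowRequired
        Hardware  = $true
        OsSupport = [bool]$s.KVAShadowWindowsSupportPresent
        Enabled   = [bool]$s.KVAShadowWindowsSupportEnabled
        Detail    = $kvaDetail
    }

    # CVE-2018-3639: disabled by default on client; Enabled reflects the system-wide
    # SSBD switch that the registry settings above turn on.
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        CVE       = 'CVE-2018-3639'
        Name      = 'Speculative Store Bypass (SSBD)'
        Required  = [bool]$s.SSBDHardwareVulnerable
        Hardware  = [bool]$s.SSBDHardwarePresent
        OsSupport = [bool]$s.SSBDWindowsSupportPresent
        Enabled   = [bool]$s.SSBDWindowsSupportEnabledSystemWide
        Detail    = ''
    }
}

# A row with Required=True and Enabled=False is the one to act on.
$report = Get-SpeculationStatusReport
$report | Format-Table -AutoSize
$gaps = $report | Where-Object { $_.Required -and -not $_.Enabled }
if ($gaps) { Write-Warning ('Unmitigated on this computer: ' + ($gaps.CVE -join ', ')) }

# Fleet use (assumes WinRM access and the module installed on each target):
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-SpeculationStatusReport}
```

The Hardware column is the quickest way to tell the two failure modes apart: Hardware=False with OsSupport=True means the operating system update is in place but the OEM microcode is not, which is the case the "Requires CPU microcode?" column of the table above is warning about.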

Frequently asked questions


How can I tell whether I have the correct version of the CPU microcode?

The microcode is delivered through a firmware update. Customers should check with their CPU (chipset) and device manufacturers on availability of applicable firmware security updates for their specific device, including Intel's Microcode Revision Guidance.
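Vendor microcode tables, including Intel's Microcode Revision Guidance, list the required revision per CPUID signature (for example 806EA), so the practical check is to read the revision Windows actually loaded and look it up by that signature. The following PowerShell script is an added example, not part of this article: it assumes, as this page does not state, that Windows records the boot-time value of the IA32_BIOS_SIGN_ID MSR under HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\<n> as the 8-byte REG_BINARY values "Update Revision" (the revision now loaded) and "Previous Update Revision" (the revision the firmware loaded before any OS-supplied update), with the revision in the upper 32 bits, that is, bytes 4..7 little-endian. The function names are this example's own.

```powershell
# Added example (not part of the original KB article): report the loaded microcode
# revision and the CPUID signature to look it up by. Registry value names and layout
# are assumptions described in the lead-in; the function names are this example's own.

function ConvertFrom-MsrImage {
    # Upper 32 bits of the 64-bit MSR image hold the microcode revision.
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -lt 8) { return $null }
    '0x{0:X8}' -f [BitConverter]::ToUInt32($Bytes, 4)
}

function ConvertTo-CpuidSignature {
    # Re-packs "Family F Model M Stepping S" into the CPUID leaf 1 EAX layout that
    # microcode tables key on, e.g. Family 6 Model 142 Stepping 10 -> 806EA.
    param([string]$Identifier)
    if ($Identifier -notmatch 'Family (\d+) Model (\d+) Stepping (\d+)') { return $null }
    $family = [int]$Matches[1]; $model = [int]$Matches[2]; $stepping = [int]$Matches[3]
    $extFamily  = if ($family -ge 0xF) { $family - 0xF } else { 0 }   # extended family field
    $baseFamily = if ($family -ge 0xF) { 0xF } else { $family }
    $sig = ($extFamily -shl 20) -bor ((($model -shr 4) -band 0xF) -shl 16)
    $sig = $sig -bor ($baseFamily -shl 8) -bor (($model -band 0xF) -shl 4) -bor ($stepping -band 0xF)
    '{0:X}' -f $sig
}

function Get-MicrocodeRevision {
    $base = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor'
    foreach ($key in Get-ChildItem -Path $base | Sort-Object { [int]$_.PSChildName }) {
        $p = Get-ItemProperty -Path $key.PSPath
        [pscustomobject]@{
            Cpu            = [int]$key.PSChildName
            Name           = $p.ProcessorNameString
            Identifier     = $p.Identifier
            CpuidSignature = ConvertTo-CpuidSignature -Identifier $p.Identifier
            LoadedRevision = ConvertFrom-MsrImage -Bytes $p.'Update Revision'
            BiosRevision   = ConvertFrom-MsrImage -Bytes $p.'Previous Update Revision'
        }
    }
}

# All logical CPUs should report the same LoadedRevision; compare it with the revision
# the vendor lists for the CpuidSignature shown.
Get-MicrocodeRevision | Format-Table -AutoSize
```

A LoadedRevision that differs from BiosRevision shows that an operating-system-delivered microcode update (such as the Surface updates mentioned above) was applied at boot; equal values mean the firmware's own microcode is what is running, so any newer revision must come from the device manufacturer.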