Surface Guidance to protect against speculative execution side-channel vulnerabilities

The Surface team is aware of a new speculative execution side-channel attack called L1 Terminal Fault (L1TF) and assigned CVE-2018-3620 (OS and SMM) and CVE-2018-3646 (VMM). Affected Surface products are the same as in section “Vulnerabilities Announced in May 2018” of this article. The microcode updates which mitigate the May 2018 findings also mitigate L1TF (CVE-2018-3646). For more information about the vulnerability and mitigations, see the following security advisory:

• Microsoft Security Advisory ADV180018

The security advisory proposes that customers using Virtualization Based Security (VBS), which includes security features such as Credential Guard and Device Guard, should consider disabling Hyper-Threading in order to fully eliminate risk from L1TF. Customers cannot currently disable Hyper-Threading on their Surface devices. VBS features are by-default disabled on Surface devices.  The Surface team is investigating options to allow disabling Hyper-Threading.

References

• CVE-2018-3620
• CVE-2018-3646

The Surface team has become aware of new speculative execution side-channel attack variants that also affect Surface products. Mitigation of those vulnerabilities requires UEFI updates that use new microcode. For more information about the vulnerabilities and mitigations, see the following security advisories:

• Microsoft Security Advisory ADV180012
• Microsoft Security Advisory ADV180013

We are working with our partners to provide updates to the following Surface products as soon as we can make sure that the updates meet our quality requirements:

• Surface Book 2 - August 1, 2018 update
• Surface Book - August 21, 2018 update
• Surface Laptop - July 25, 2018 update
• Surface Studio - October 1, 2018 update
• Surface Pro 4 - July 25, 2018 update
• Surface Pro 3 - August 7, 2018 update
• Surface Pro Model 1796 and Surface Pro with Advanced LTE Model 1807 - July 26, 2018 update

References

• CVE-2018-3640
• CVE-2018-3639

The Surface team is aware of the publicly disclosed class of vulnerabilities that involve speculative execution side channels (known as Spectre and Meltdown) that affect many modern processors and operating systems, including Intel, AMD, and ARM. For more information about the vulnerabilities and mitigations, see the following security advisory:

Microsoft Security Advisory ADV180002

For more information about Windows software updates, see the following Knowledge Base articles:

• 4073757 Protect your Windows devices against Spectre and Meltdown vulnerabilities
• 4073119 Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

In addition to installing the January 3 Windows Operating System Security Updates, Surface has released UEFI updates through Windows Update and the Download Center for the following devices:

• Surface Book 2 - (Update history)
• Surface Book - (Update history)
• Surface Laptop - (Update history)
• Surface Studio - (Update history)
• Surface Pro 4 - (Update history)
• Surface Pro 3 - (Update History)
• Surface 3 - (Update History)
• Surface Pro Model 1796 and Surface Pro with Advanced LTE Model 1807- (Update History)

These updates are available for devices that are running Windows 10 Creators Update (build 15063) and later versions.

References

• CVE-2017-5753
• CVE-2017-5715
• CVE-2017-5754