This article will be updated as additional information becomes available. Please check back here regularly for updates and new FAQ.
This article provides information and updates for a new class of attacks known as “speculative execution side-channel attacks.” It also provides a comprehensive list of Windows client and server resources to help keep your devices protected at home, at work, and across your enterprise.
On January 3, 2018, Microsoft released an advisory and security updates related to a newly-discovered class of hardware vulnerabilities (known as Spectre and Meltdown) involving speculative execution side channels that affect AMD, ARM, and Intel processors to varying degrees. This class of vulnerabilities are based on a common chip architecture that was originally designed to speed up computers. You can learn more about these vulnerabilities at Google Project Zero.
On May 21, 2018, Google Project Zero (GPZ), Microsoft, and Intel disclosed two new chip vulnerabilities that are related to the Spectre and Meltdown issues that are known as Speculative Store Bypass (SSB) and Rogue System Registry Read. The customer risk from both disclosures is low.
For more information about these vulnerabilities, see the resources that are listed under May 2018 Windows operating system updates, and refer to the following Security Advisories:
- ADV180012 | Microsoft Guidance for Speculative Store Bypass
- ADV180013 | Microsoft Guidance for Rogue System Register Read
On June 13, 2018, an additional vulnerability involving side-channel speculative execution, known as Lazy FP State Restore, was announced and assigned CVE-2018-3665. For more information about this vulnerability and recommended actions, see the following Security Advisory:
On August 14, 2018, L1 Terminal Fault (L1TF), a new speculative execution side channel vulnerability was announced that has multiple CVEs. L1TF affects Intel® Core® processors and Intel® Xeon® processors. For more information about L1TF and recommended actions, see our Security Advisory:
Note: We recommend that you install all of the latest updates from Windows Update before you install any microcode updates.
On May 14, 2019, Intel published information about a new subclass of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling. They have been assigned the following CVEs:
- CVE-2018-11091 – “Microarchitectural Data Sampling Uncacheable Memory (MDSUM)”
- CVE-2018-12126 – “Microarchitectural Store Buffer Data Sampling (MSBDS)”
- CVE-2018-12127 – “Microarchitectural Fill Buffer Data Sampling (MFBDS)”
- CVE-2018-12130 – “Microarchitectural Load Port Data Sampling (MLPDS)”
Important: These issues will affect other systems such as Android, Chrome, iOS, and MacOS. We advise customers seek guidance from their respective vendors.
Microsoft has released updates to help mitigate these vulnerabilities. To get all available protections, firmware (microcode) and software updates are required. This may include microcode from device OEMs. In some cases, installing these updates will have a performance impact. We have also acted to secure our cloud services.
Note: We recommend that you install all of the latest updates from Windows Update before you install microcode updates.
For more information about these issues and recommended actions, see the following Security Advisory:
On August 6, 2019 Intel released details about a Windows kernel information disclosure vulnerability. This vulnerability is a variant of the Spectre Variant 1 speculative execution side channel vulnerability and has been assigned CVE-2019-1125.
Microsoft released a security update for the Windows operating system on July 9, 2019 to help mitigate this issue. Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically. Note that this vulnerability does not require a microcode update from your device manufacturer (OEM).
For more information about this vulnerability and applicable updates, see CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability in the Microsoft Security Update Guide.
July 2018 Windows operating system updates
March 2018 Windows operating system updates
March 23, TechNet Security Research & Defense: KVA Shadow: Mitigating Meltdown on Windows
March 14, Security Tech Center: Speculative Execution Side Channel Bounty Program Terms