Windows Server guidance to protect against speculative execution side-channel vulnerabilities

To help avoid adversely affecting customer devices, the Windows security updates that were released in January and February 2018 were not offered to all customers. For details, see Microsoft Knowledge Base article 4072699.

The microcode is delivered through a firmware update. Consult your OEM about the firmware version that has the appropriate update for your computer.

There are multiple variables that affect performance, ranging from the system version to the workloads that are running. For some systems, the performance effect will be negligible. For others, it will be considerable.

We recommend that you assess the performance effects on your systems and make adjustments as necessary.

In addition to the guidance that's in this article regarding virtual machines, you should contact your service provider to make sure that the hosts that are running your virtual machines are adequately protected.

For Windows Server virtual machines that are running in Azure, see Guidance for mitigating speculative execution side-channel vulnerabilities in Azure. For guidance on using Azure Update Management to mitigate this issue on guest VMs, see Microsoft Knowledge Base article 4077467.

The updates that were released for Windows Server container images for Windows Server 2016 and Windows 10, version 1709 include the mitigations for this set of vulnerabilities. No additional configuration is required.

Note You must still make sure that the host on which these containers are running is configured to enable the appropriate mitigations.

No, the installation order doesn't matter.

Yes, you must restart after the firmware (microcode) update and then again after the system update.

Here are the details for the registry keys:

FeatureSettingsOverride represents a bitmap that overrides the default setting and controls which mitigations will be disabled. Bit 0 controls the mitigation that corresponds to CVE-2017-5715. Bit 1 controls the mitigation that corresponds to CVE-2017-5754. The bits are set to 0 to enable the mitigation and to 1 to disable the mitigation.

FeatureSettingsOverrideMask represents a bitmap mask that's used together with FeatureSettingsOverride. In this situation, we use the value 3 (represented as 11 in the binary numeral or base-2 numeral system) to indicate the first two bits that correspond to the available mitigations. This registry key is set to 3 both to enable or to disable the mitigations.

MinVmVersionForCpuBasedMitigations is for Hyper-V hosts. This registry key defines the minimum VM version that's required for you to use the updated firmware capabilities (CVE-2017-5715). Set this to 1.0 to cover all VM versions. Notice that this registry value will be ignored (benign) on non-Hyper-V hosts. For more details, see Protecting guest virtual machines from CVE-2017-5715 (branch target injection).

Yes, there are no side effects if these registry settings are applied prior to installing the January 2018-related fixes.

See a detailed description of the script output at Understanding Get-SpeculationControlSettings PowerShell script output.

Yes, for Windows Server 2016 Hyper-V hosts that don't yet have the firmware update available, we have published alternative guidance that can help mitigate the VM to VM or VM to host attacks. See Alternative protections for Windows Server 2016 Hyper-V Hosts against the speculative execution side-channel vulnerabilities.

Security Only updates are not cumulative. Depending on your operating system version, you may need to install several security updates for full protection. In general, customers will need to install the January, February, March, and April 2018 updates. Systems that have AMD processors need an additional update as shown in the following table:

We recommend that you install the Security Only updates in the order of release.

Note An earlier version of this FAQ incorrectly stated that the February Security Only update included the security fixes that were released in January. In fact, it does not.

No. Security update KB 4078130 was a specific fix to prevent unpredictable system behaviors, performance issues, and unexpected restarts after the installation of microcode. Applying the security updates on Windows client operating systems enables all three mitigations. On Windows Server operating systems, you still have to enable the mitigations after you do proper testing. For more information, see Microsoft Knowledge Base article 4072698.

This issue was resolved in KB 4093118.

In February 2018, Intel announced that they had completed their validations and started to release microcode for newer CPU platforms. Microsoft is making available Intel validated microcode updates that concern Spectre Variant 2 Spectre Variant 2 (CVE-2017-5715 – "Branch Target Injection"). KB 4093836 lists specific Knowledge Base articles by Windows version. Each specific KB article contains the available Intel microcode updates by CPU.

January 11, 2018: Intel reported issues in recently released microcode that was meant to address Spectre variant 2 (CVE-2017-5715 – "Branch Target Injection"). Specifically, Intel noted that this microcode can cause “higher than expected reboots and other unpredictable system behavior” and that these scenarios may cause “data loss or corruption. ” Our experience is that system instability can cause data loss or corruption in some circumstances. On January 22, Intel recommended that customers stop deploying the current microcode version on affected processors while Intel performs additional testing on the updated solution. We understand that Intel is continuing to investigate the potential effect of the current microcode version. We encourage customers to review their guidance on an ongoing basis to inform their decisions.

While Intel tests, updates, and deploys new microcode, we are making available an out-of-band (OOB) update, KB 4078130, that specifically disables only the mitigation against CVE-2017-5715. In our testing, this update has been found to prevent the described behavior. For the full list of devices, see the microcode revision guidance from Intel. This update covers Windows 7 Service Pack 1 (SP1), Windows 8.1, and all versions of Windows 10, both client and server. If you're running an affected device, this update can be applied by downloading it from the Microsoft Update Catalog website. Application of this payload specifically disables only the mitigation against CVE-2017-5715.

As of this time, there are no known reports that indicate that this Spectre Variant 2 (CVE-2017-5715 – "Branch Target Injection") has been used to attack customers. We recommend that, when appropriate, Windows users reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.

In February 2018, Intel announced that they have completed their validations and started to release microcode for newer CPU platforms. Microsoft is making available Intel-validated microcode updates that are related to Spectre Variant 2 Spectre Variant 2 (CVE-2017-5715 – "Branch Target Injection"). KB 4093836 and KB 4100347 list specific Knowledge Base articles by Windows version. The KBs list available Intel microcode updates by CPU.

For more information, see AMD Security Updates and AMD Whitepaper: Architecture Guidelines around Indirect Branch Control. These are available from the OEM firmware channel.

Microsoft is making available Intel-validated microcode updates that concern Spectre Variant 2 (CVE-2017-5715 – “Branch Target Injection”). To get the latest Intel microcode updates through Windows Update, customers must have installed Intel microcode on devices running a Windows 10 operating system prior to upgrading to the Windows 10 April 2018 Update (version 1803).

The microcode update is also available directly from the Microsoft Update Catalog if it was not installed on the device before upgrading the system. Intel microcode is available through Windows Update, Windows Server Update Services (WSUS), or the Microsoft Update Catalog. For more information and download instructions, see KB 4100347.

For more information, see the following resources:

• ADV180012 | Microsoft Guidance for Speculative Store Bypass for CVE-2018-3639 
• ADV180013 | Microsoft Guidance for Rogue System Register Read for CVE-2018-3640 and KB 4073065 | Guidance for Surface Customers
• Microsoft Security Research and Defense Blog
• Developer Guidance for Speculative Store Bypass

See the “Recommended actions” and “FAQ” sections of ADV180012 | Microsoft Guidance for Speculative Store Bypass.

To verify the status of SSBD, the Get-SpeculationControlSettings PowerShell script has been updated to detect affected processors, status of the SSBD operating system updates, and state of the processor microcode, if applicable. For more information and to obtain the PowerShell script, see KB 4074629.

On June 13, 2018, an additional vulnerability that involves side-channel speculative execution, known as Lazy FP State Restore, was announced and assigned CVE-2018-3665. For information about this vulnerability and recommended actions, see the Security Advisory ADV180016 | Microsoft Guidance for Lazy FP State Restore.

Note There are no required configuration (registry) settings for Lazy Restore FP Restore.

Bounds Check Bypass Store (BCBS) was disclosed on July 10, 2018, and assigned CVE-2018-3693. We consider BCBS to belong to the same class of vulnerabilities as Bounds Check Bypass (Variant 1). We aren't currently aware of any instances of BCBS in our software. However, we are continuing to research this vulnerability class and will work with industry partners to release mitigations as required. We encourage researchers to submit any relevant findings to the Microsoft Speculative Execution Side Channel bounty program, including any exploitable instances of BCBS. Software developers should review the developer guidance that's been updated for BCBS at C++ Developer Guidance for Speculative Execution Side Channels.

On August 14, 2018, L1 Terminal Fault (L1TF) was announced and assigned multiple CVEs. These new speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and, if exploited, could lead to information disclosure. There are multiple vectors by which an attacker could trigger the vulnerabilities, depending on the configured environment. L1TF affects Intel® Core® processors and Intel® Xeon® processors.

For more information about this vulnerability and a detailed view of affected scenarios, including Microsoft's approach to mitigating L1TF, see the following resources:

• ADV180018 | Microsoft Guidance to mitigate L1TF variant
• Security Advisory Security Research Blog
• Server Guidance for L1 Terminal Fault

The steps to disable Hyper-Threading differ from OEM to OEM but are generally part of the BIOS or firmware setup and configuration tools.

Customers who use 64-bit ARM processors should contact the device OEM for firmware support because ARM64 operating system protections that mitigate CVE-2017-5715 - Branch target injection (Spectre, Variant 2) require the latest firmware update from device OEMs to take effect.