Customers who use Surface products have to apply both firmware and software updates to protect against speculative execution side-channel vulnerabilities. For more information about the security mitigation, see the following security advisory:
The Surface team is aware of a new publicly disclosed class of vulnerabilities known as “speculative execution side-channel attacks” that affect many modern processors and operating systems, including Intel, AMD, and ARM.
For additional information about Windows software updates, see the following Knowledge Base article:
4073119 Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
Microsoft has not received any information to indicate that these vulnerabilities have been used to attack customers at this time. Microsoft continues to work closely with industry partners, including chipmakers and application vendors, to protect customers. To get all available protections, hardware or firmware updates and software updates are required. This includes microcode and, in some cases, updates to AV software.
In addition to installing the January 3 Windows Operating System Security Updates, Surface has released UEFI updates via Windows Update and the Download Center for the following devices:
- Surface Book 2 - (Update history)
- Surface Book - (Update history)
- Surface Laptop - (Update history)
- Surface Studio - (Update history)
- Surface Pro 4 - (Update history)
- Surface Pro 3 - (Update History)
- Surface Pro Model 1796 and Surface Pro with Advanced LTE Model 1807- (Windows Update History)
These updates are available for devices running Windows 10 Creators Update (build 15063) and Windows 10 Fall Creators Update (build 16299).
Note Surface hub has implemented defense in depth strategies. For more information, go to the following topic on the Microsoft website:
Because of this, we believe that exploits that use these vulnerabilities are significantly reduced on Surface Hub. We will continue to monitor and update Surface Hub as required to address these vulnerabilities and keep the device reliable and secure.
The Surface team is focused on making sure that our users have a secure and reliable experience. We will continue to monitor and update devices as required to address these vulnerabilities.