Windows client guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

The microcode is delivered through a firmware update. Customers should check with their CPU (chipset) and device manufacturers on availability of applicable firmware security updates for their specific device, including Intel's Microcode Revision Guidance.

Addressing a hardware vulnerability through a software update presents significant challenges, and mitigations for older operating systems require extensive architectural changes. We are working with affected chip manufacturers to determine the best way to provide mitigations, which may be delivered in future updates.

Updates for Microsoft Surface devices will be delivered to customers through Windows Update along with the updates for the Windows operating system. For a list of available Surface device firmware (microcode) updates, see KB 4073065.

If your device is not from Microsoft, apply firmware from the device manufacturer. Contact the OEM device manufacturer for more information.

In February and March 2018, Microsoft released added protection for some x86-based systems. For more information see KB 4073757 and the Microsoft Security Advisory ADV 180002.

Updates to Windows 10 for HoloLens are available to HoloLens customers through Windows Update.

After applying the February 2018 Windows Security Update, HoloLens customers do not have to take any additional action to update their device firmware. These mitigations will also be included in all future releases of Windows 10 for HoloLens.

No. Security Only updates are not cumulative. Depending on the operating system version you are running, you will have to install every monthly Security Only updates to be protected against these vulnerabilities. For example, if you are running Windows 7 for 32-bit Systems on an affected Intel CPU you must install all of the Security Only updates. We recommend installing these Security Only updates in the order of release.

Note An earlier version of this FAQ incorrectly stated that the February Security Only update included the security fixes released in January. In fact, it does not.

No. Security update 4078130 was a specific fix to prevent unpredictable system behaviors, performance issues, and/or unexpected reboots after installation of microcode. Applying the February security updates on Windows client operating systems enables all three mitigations.

Intel recently announced they have completed their validations and started to release microcode for newer CPU platforms. Microsoft is making available Intel validated microcode updates around Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection"). KB 4093836 and and KB 4100347 list specific Knowledge Base articles by Windows version. Each specific KB contains the available Intel microcode updates by CPU.

This issue has been resolved in KB 4093118.

AMD recently announced they have started to release microcode for newer CPU platforms around Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection"). For more information refer to the AMD Security Updates and AMD Whitepaper: Architecture Guidelines around Indirect Branch Control. These are available from the OEM firmware channel.

Microsoft is making available Intel validated microcode updates around Spectre Variant 2 (CVE-2017-5715 “Branch Target Injection”). To get the latest Intel microcode updates through Windows Update, customers must have installed Intel microcode on devices running a Windows 10 operating system prior to upgrading to the Windows 10 April 2018 Update (version 1803).

The microcode update is also available directly from Catalog if it was not installed on the device prior to upgrading the OS. Intel microcode is available through Windows Update, WSUS, or the Microsoft Update Catalog. For more information and download instructions, see KB 4100347.

For more information, see the following resources:

• ADV180012 | Microsoft Guidance for Speculative Store Bypass for CVE-2018-3639 
• ADV180013 | Microsoft Guidance for Rogue System Register Read for CVE-2018-3640 and KB 4073065 | Guidance for Surface Customers
• Microsoft Security Research and Defense Blog
• Developer Guidance for Speculative Store Bypass

For details, see the “Recommended actions” and “FAQ” sections in  ADV180012 | Microsoft Guidance for Speculative Store Bypass.

To verify the status of SSBD, the Get-SpeculationControlSettings PowerShell script has been updated to detect affected processors, status of the SSBD operating system updates, and state of the processor microcode if applicable. For more information and to obtain the PowerShell script, see KB 4074629.

 On June 13, 2018, an additional vulnerability involving side-channel speculative execution, known as Lazy FP State Restore, was announced and assigned CVE-2018-3665. There are no configuration (registry) settings needed for Lazy Restore FP Restore.

For more information about this vulnerability and recommended actions, please refer to the Security Advisory: ADV180016 | Microsoft Guidance for Lazy FP State Restore.

Note There are no configuration (registry) settings needed for Lazy Restore FP Restore.

Bounds Check Bypass Store (BCBS) was disclosed on July 10, 2018 and assigned CVE-2018-3693. We consider BCBS to belong to the same class of vulnerabilities as Bounds Check Bypass (Variant 1). We are not currently aware of any instances of BCBS in our software, but we are continuing to research this vulnerability class and will work with industry partners to release mitigations as required. We continue to encourage researchers to submit any relevant findings to Microsoft’s Speculative Execution Side Channel bounty program, including any exploitable instances of BCBS. Software developers should review the developer guidance that has been updated for BCBS at https://aka.ms/sescdevguide.

On August 14, 2018, L1 Terminal Fault (L1TF) was announced and assigned multiple CVEs. These new speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and, if exploited, can lead to information disclosure. There are multiple vectors by which an attacker could trigger the vulnerabilities depending on the configured environment. L1TF affects Intel® Core® processors and Intel® Xeon® processors.

For more information about this vulnerability and a detailed view of affected scenarios, including Microsoft's approach to mitigating L1TF please see the following resources:

• ADV180018 | Microsoft Guidance to mitigate L1TF variant
• Security Advisory Security Research Blog
• Server Guidance for L1 Terminal Fault

Customers using 64-bit ARM processors should check with the device OEM for firmware support because ARM64 operating system protections that mitigate CVE-2017-5715 - Branch target injection (Spectre, Variant 2) require the latest firmware update from device OEMs to take effect.