Summary
This article will be updated as additional information becomes available. Please check back here regularly for updates and new FAQ.
Microsoft is aware of a new publicly disclosed class of vulnerabilities that are called “speculative execution side-channel attacks” and that affect many modern processors including Intel, AMD, and ARM.
Note This issue also affects other operating systems, such as Android, Chrome, iOS, and macOS. Therefore, we advise customers to seek guidance from those vendors.
Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See the following sections for more details.
Microsoft has yet not received any information to indicate that these vulnerabilities have been used to attack customers. Microsoft is working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers. To get all available protections, firmware (microcode) and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software.
The following sections can help you identify and mitigate client environments that are affected by the vulnerabilities that are identified in Microsoft Security Advisory ADV180002.
Windows Update will also provide Internet Explorer and Edge mitigations. We will continue to improve these mitigations against this class of vulnerabilities.
Recommended actions
Customers must take the following actions to help protect against the vulnerabilities:
- Verify that you are running a supported antivirus application before you install operating system or firmware (microcode) updates. Contact the antivirus software vendor for compatibility information.
- Apply all available Windows operating system updates, including the monthly Windows security updates.
- Apply the applicable firmware (microcode) update that is provided by the device manufacturer.
See Microsoft Security Advisory ADV180002 for updates for the following versions of Windows.
| Operating system version |
| Windows 10 (RTM, 1511, 1607, 1703, 1709) for x64 and x86 based systems |
| Windows 8.1 |
| Windows 7 SP1 |
Warning
Customers should install all monthy Windows 2018 security updates to receive the benefit of all known protections against the vulnerabilities. In addition to installing the these security updates, a processor microcode, or firmware, update is required. This should be available through your OEM device manufacturer.
Note Surface customers will receive a microcode update through Windows update. For a list of available Surface device firmware (microcode) updates, see KB 4073065.
How to get the monthly Windows security update for Windows Update and Windows Update for Business with Group or MDM policy configurations set to disable preview builds
(Note This is not applicable to WSUS users.)
If you have currently disabled preview builds, your organization’s devices will not be able to receive the January 2018 Windows security updates. The following Group or MDM policy configurations settings disable preview builds and will not allow the Windows security updates. They will have to be changed to do so. To verify that you cannot receive the update, you can scan for available updates.
| Group/MDM Configuration | Setting | Description |
| System/AllowBuildPreview | 0 | Not allowed |
| “Toggle user control over Insider builds” | Enabled | |
| Update/ManagePreviewBuilds | 0 or 1 | Disable preview builds -or- Disable preview builds once next release is public |
| “Manage preview builds” | Disable preview builds -or- Disable preview builds once next release is public |
To allow devices to receive the Windows security updates, you have to change the Group or MDM policies to the following “Not configured” settings:
| Group/MDM Configuration | Setting | Description |
| System/AllowBuildPreview | 2 | Not configured |
| “Toggle user control over Insider builds” | Not configured | |
| Update/ManagePreviewBuilds | 3 | Not configured |
| “Manage preview builds” | Not configured |
After devices have received the monthly Windows security updates, the policy configuration settings can be reverted to their previous state (disabling preview builds).
Verifying that protections are enabled
To help customers verify that protections are enabled, Microsoft has published a PowerShell script that customers can run on their systems. Install and run the script by running the following commands.
Note These verification steps apply only to Windows client and not to Azure instances. For more cloud guidance, see the Azure blog.
| PowerShell Verification by using the PowerShell Gallery (Windows Server 2016 or WMF 5.0/5.1) |
| Install the PowerShell Module:
Run the PowerShell module to verify that protections are enabled:
|
| PowerShell Verification by using a download from Technet (earlier operating system versions and earlier WMF versions) |
| Install the PowerShell Module from Technet ScriptCenter: Go to https://aka.ms/SpeculationControlPS Download SpeculationControl.zip to a local folder. Extract the contents to a local folder, for example C:\ADV180002 Run the PowerShell module to verify that protections are enabled: Start PowerShell, then (by using the previous example) copy and run the following commands:
|
The output of this PowerShell script will resemble the following. Enabled protections appear in the output as “True.”
|
|
Switch | Registry Settings
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
Note By default, this update is enabled. No customer action is required to enable the fixes. We are providing the following registry information for completeness in the event that customers want to disable the security fixes related to CVE-2017-5715 and CVE-2017-5754 for Windows clients.
| To enable the fix:
Restart the computer for the changes to take effect. To disable the fix:
Restart the computer for the changes to take effect. (You do not have to change MinVmVersionForCpuBasedMitigations.) |
Note The value of 3 is accurate for both "enable" and "disable" settings because of masking.
Disable mitigation against Spectre Variant 2
While Intel tests, updates, and deploys new microcode, we are offering a new option for advanced users on affected devices to manually disable and enable the mitigation against Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection") independently through registry setting changes.
If you have installed the microcode, but you want to disable the CVE-2017-5715 mitigation because of unexpected restarts or system stability issues, use the following instructions.
| To disable Variant 2: CVE-2017-5715 "Branch Target Injection" mitigation:
To enable Variant 2: CVE-2017-5715 "Branch Target Injection" mitigation:
|
Note Disabling and enabling the Variant 2 mitigation through registry setting changes requires administrative rights and a restart.
Enable using Indirect Branch Prediction Barrier (IBPB) for Spectre Variant 2 for AMD processors (CPUs)
Applies to: Windows 10, version 1803, Windows 10, version 1709, Windows 10, version 1703, Windows 10, version 1607, Windows 10, Windows 8.1, and Windows 7 SP1.
Some AMD processors (CPUs) offer an indirect branch control feature to mitigate indirect branch target injections through an Indirect Branch Prediction Barrier (IBPB) mechanism. (For more information, see AMD Architecture Guidelines around Indirect Branch Control and AMD Security Updates).
Use the following instructions to control using IBPB when you switch from user context to kernel context.
| To enable using Indirect Branch Prediction Barrier (IBPB) when you switch from user context to kernel context:
|
Note Enabling using Indirect Branch Prediction Barrier (IBPB) through registry setting changes requires administrative rights and a restart.
Manage Speculative Store Bypass and mitigations around Spectre Variant 2 and Meltdown
Applies to: Windows 10, version 1803, Windows 10, version 1709, Windows 10, version 1703, Windows 10, version 1607, Windows 10, Windows 8.1, and Windows 7 SP1.
- Enable mitigations around Speculative Store Bypass (CVE-2018-3639) together with mitigations around Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection") and Meltdown (CVE-2017-5754) through the following registry settings (because they are not enabled by default).
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /freg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Note These registry changes require administrative rights and a restart.
- Disable mitigations around Speculative Store Bypass (CVE-2018-3639) through the following registry settings.
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /freg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /f
Note These registry changes require administrative rights and a restart.