Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

Microsoft is aware of a new publicly disclosed class of vulnerabilities that are called “speculative execution side-channel attacks” that affect many modern processors and operating systems, including Intel, AMD, and ARM.

Note This issue also affects other operating systems, such as Android, Chrome, iOS, and Mac. Therefore, we advise customers to seek guidance from those vendors.

Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See the following sections for more details.

Microsoft has yet not received any information to indicate that these vulnerabilities have been used to attack customers. Microsoft is working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers. To get all available protections, hardware/firmware and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software as well.

The following sections can help you identify and mitigate client environments that are affected by the vulnerabilities that are identified in Microsoft Security Advisory ADV180002.

Windows Update will also provide Internet Explorer and Edge mitigations. We will continue to improve these mitigations against this class of vulnerabilities.

Customers must take the following actions to help protect against the vulnerabilities:

1. Verify that you are running a supported antivirus application before you install operating system or firmware updates. Contact the antivirus software vendor for compatibility information.
2. Apply all available Windows operating system updates, including the monthly Windows security updates.
3. Apply the applicable firmware update that is provided by the device manufacturer.

Windows-based computers (physical or virtual) should install the Microsoft security updates that were released January – February 2018. See Microsoft Security Advisory ADV180002 for updates for the following versions of Windows.

How to get the monthly Windows security update for Windows Update and Windows Update for Business with Group or MDM policy configurations set to disable preview builds

(Note This is not applicable to WSUS users.)

If you have currently disabled preview builds, your organization’s devices will not be able to receive the January 2018 Windows security updates. The following Group or MDM policy configurations settings disable preview builds and will not allow the Windows security updates. They will have to be changed to do so. To verify that you cannot receive the update, you can scan for available updates.

To allow devices to receive the Windows security updates, you have to change the Group or MDM policies to the following “Not Configured” settings:

After devices have received the monthly Windows security updates, the policy configuration settings can be changed back to their previous state (disabling preview builds).

Verifying that protections are enabled

To help customers verify that protections are enabled, Microsoft has published a PowerShell script that customers can run on their systems. Install and run the script by running the following commands.

Note These verification steps only apply to Windows client and not to Azure instances. For further cloud guidance, see the Azure blog.

The output of this PowerShell script will resemble the following. Enabled protections appear in the output as “True.”

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

Note By default, this update is enabled. No customer action is required to enable the fixes. We are providing the following registry information for completeness in the event that customers want to disable the security fixes related to CVE-2017-5715 and CVE-2017-5754 for Windows clients.

* Note The value of 3 is accurate for both "enable" and "disable" settings because of masking.

While Intel tests, updates, and deploys new microcode, we are offering a new option for advanced users on impacted devices to manually disable and enable the mitigation against Spectre Variant 2 (CVE 2017-5715) independently through registry setting changes.

If you have installed the microcode, but you want to disable CVE-2017-5715 - Branch target injection mitigation because of unexpected reboots or system stability issues, use the following instructions.

Note Disabling and enabling the Variant 2 through registry setting changes requires administrative rights and a restart.

Applies to: Windows 10 Version 1803, Windows 10 Version 1709, Windows 10 Version 1703, Windows 10 Version 1607, Windows 10, Windows 7 SP1

Some AMD processors (CPUs) offer an indirect branch control feature designed to mitigate indirect branch target injections thru an Indirect Branch Prediction Barrier (IBPB) mechanism. (For more information, see AMD Architecture Guidelines around Indirect Branch Control and AMD Security Updates).

Use the following instructions to control using IBPB when switching from user context to kernel context.

Note Enabling using Indirect Branch Prediction Barrier (IBPB) through registry setting changes requires administrative rights and a restart.

Applies to: Windows 10 Version 1803, Windows 10 Version 1709, Windows 10 Version 1703, Windows 10 Version 1607, Windows 10, Windows 7 SP1

• Enable mitigations around Speculative Store Bypass (CVE-2018-3639) together with mitigations around Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) through the following registry settings (because they are not enabled by default).
   

  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

  
  Note These registry changes require administrative rights and a restart.

• Disable mitigations around Speculative Store Bypass (CVE-2018-3639) through the following registry settings.
   

  reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /f reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /f

  
  Note These registry changes require administrative rights and a restart.

Q1: How can I tell whether I have the correct version of the CPU microcode?

A1: The microcode is delivered through a firmware update. Customers should check with their CPU (chipset) and device manufacturers on availability of applicable firmware security updates for their specific device, including Intel's Microcode Revision Guidance.

Q2: My operating system is not listed. When can I expect a fix to be released?

A2: Addressing a hardware vulnerability through a software update presents significant challenges, and mitigations for older operating systems require extensive architectural changes. We are working with affected chip manufacturers to determine the best way to provide mitigations, which may be delivered in future updates.

Q3: Where can I find Surface firmware or hardware updates?

A3: Updates for Microsoft Surface devices will be delivered to customers through Windows Update along with the updates for the Windows operating system. For a list of available Surface device firmware updates, see KB 4073065.

If your device is not from Microsoft, apply firmware from the device manufacturer. Contact the OEM device manufacturer for more information.

Q4: I have an x86 architecture, but I don’t see an update offered. Will I get one?

A4: In February and March 2018, Microsoft released added protection for some x86-based systems. For more information see KB4073757 and the Microsoft Security Advisory ADV 180002.

Q5: Intel has identified restart issues with microcode on some older processors. What should I do?

A5: Intel has reported issues with recently released microcode meant to address Spectre variant 2 (CVE 2017-5715 Branch Target Injection). Specifically, Intel noted that this microcode can cause "higher than expected reboots and other unpredictable system behavior", and then noted that situations like this may result in "data loss or corruption". Our own experience is that system instability can in some circumstances cause data loss or corruption. On January 22, Intel recommended that customers stop deploying the current microcode version on impacted processors while they perform additional testing on the updated solution. We understand that Intel is continuing to investigate the potential impact of the current microcode version and encourage customers to review their guidance on an ongoing basis to inform their decisions.

While Intel tests, updates, and deploys new microcode, we have made available an out of band update, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – "Branch target injection vulnerability." In our testing, this update has been found to prevent the behavior described. For the full list of devices, see Intel’s microcode revision guidance. This update covers Windows 7 (SP1), Windows 8.1, and all versions of Windows 10, for client and server. If you are running an impacted device, this update can be applied by downloading it from the Microsoft Update Catalog website. Application of this payload specifically disables only the mitigation against CVE-2017-5715 – "Branch target injection vulnerability."

As of this update, there are no known reports to indicate that this Spectre variant 2 (CVE 2017-5715) has been used to attack customers. We recommend Windows customers, when appropriate, re-enable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.

Q6: Where can I find Microsoft HoloLens operating system and firmware updates?

A6: Updates to Windows 10 for HoloLens are available to HoloLens customers through Windows Update.

After applying the February 2018 Windows Security Update, HoloLens customers do not have to take any additional action to update their device firmware. These mitigations will also be included in all future releases of Windows 10 for HoloLens.

Q7: I have not installed any of the 2018 Security Only updates. If I install the latest 2018 Security Only updates, am I protected from the vulnerabilities described?

A7: No. Security Only updates are not cumulative. Depending on the operating system version you are running, you will have to install every monthly Security Only updates to be protected against these vulnerabilities. For example, if you are running Windows 7 for 32-bit Systems on an affected Intel CPU you must install all of the Security Only updates. We recommend installing these Security Only updates in the order of release.

Note An earlier version of this FAQ incorrectly stated that the February Security Only update included the security fixes released in January.

Q8: If I apply any of the applicable February security updates, will they disable the protections for CVE-2017-5715 like security update 4078130 did?

A8: No. Security update 4078130 was a specific fix to prevent unpredictable system behaviors, performance issues, and/or unexpected reboots after installation of microcode. Applying the February security updates on Windows client operating systems enables all three mitigations.

Q9: I've heard Intel has released microcode updates. Where can I find them?

A9: Intel recently announced they have completed their validations and started to release microcode for newer CPU platforms. Microsoft is making available Intel validated microcode updates around Spectre Variant 2 [CVE 2017-5715 ("Branch Target Injection")]. KB4093836 and and KB4100347 list specific Knowledge Base articles by Windows version. Each specific KB contains the available Intel microcode updates by CPU.

Q10: Known Issue: Some users may experience network connectivity issues or lose IP address settings after installing the March 13, 2018 Security Update (KB 4088875).

A10: This issue has been resolved in KB4093118. 

Q11: I've heard AMD has released microcode updates. Where can I find and install these updates for my system?

A11: AMD recently announced they have started to release microcode for newer CPU platforms around Spectre Variant 2 [CVE 2017-5715 ("Branch Target Injection")]. For more information refer to the AMD Security Updates and AMD Whitepaper: Architecture Guidelines around Indirect Branch Control. These are available from the OEM firmware channel. 

Q13. I'm running Windows 10 April 2018 Update (version 1803). Is there Intel microcode available for my device? Where can I find it?

A13: Microsoft is making available Intel validated microcode updates around Spectre Variant 2 (CVE 2017-5715 “Branch Target Injection”). To get the latest Intel microcode updates through Windows Update, customers must have installed Intel microcode on devices running a Windows 10 operating system prior to upgrading to the Windows 10 April 2018 Update (version 1803).

The microcode update is also available directly from Catalog if it was not installed on the device prior to upgrading the OS. Intel microcode is available through Windows Update, WSUS, or the Microsoft Update Catalog. For more information and download instructions, see KB4100347.

Q14: Where can I find information about the new speculative execution side-channel vulnerabilities (Speculative Store Bypass - CVE-2018-3639 and Rogue System Register Read - CVE-2018-3640)?

A14: For more information, see the following resources:

• ADV180012 | Microsoft Guidance for Speculative Store Bypass for CVE-2018-3639 
• ADV180013 | Microsoft Guidance for Rogue System Register Read for CVE-2018-3640 and KB 4073065 | Guidance for Surface Customers
• Microsoft Security Research and Defense Blog
• Developer Guidance for Speculative Store Bypass

Q15. Where can I find more information about Windows support for Speculative Store Bypass Disable (SSBD) in Intel processors.

A15. For details, see the “Recommended actions” and “FAQ” sections in  ADV180012 | Microsoft Guidance for Speculative Store Bypass.

Q16. How do I verify if SSBD is enabled or disabled?

A16. To verify the status of SSBD, the Get-SpeculationControlSettings PowerShell script has been updated to detect affected processors, status of the SSBD operating system updates, and state of the processor microcode if applicable. For more information and to obtain the PowerShell script, see KB4074629.