Visual Studio 2015 Update 3 Spectre Variant 1 Toolset (/Qspectre)

Applies to: Visual Studio 2015 Update 3

Summary


Spectre is a new class of hardware vulnerabilities that involve speculative execution side channels that may be used to disclose information about the program being attacked. For more information, see this Visual C++ Team Blog article and security advisory 180002.

If you are a developer whose code operates on data that crosses a trust boundary, you should consider installing these updates, recompiling your code with the /Qspectre switch enabled, and then linking to the Spectre-mitigated libraries that are provided. /Qspectre and the libraries provide mitigation assistance for Spectre Variant 1 (CVE-2017-5753).

How to get this update


Tool set update

For all architectures

VC14-KB4338871.exe


Spectre-mitigated VC++ libraries

For all supported x86-based systems

VS2015U3_vcpp_spectre_libs_x86.exe

For all supported x64-based systems

VS2015U3_vcpp_spectre_libs_x64.exe

For all supported ARM-based systems

VS2015U3_vcpp_spectre_libs_arm.exe


Prerequisites

To apply this update, you must have Update 3 for Visual Studio 2015 installed.

Restart information

You may have to restart the computer after you apply this update.

Replacement information

This update does not replace any previously released update.

More information about this update


When you install the tool set update, you can enable /Qspectre manually from the C/C++ command-line options.

Command-line options

You should also install the Spectre-mitigated VC++ libraries (one update per architecture), and then manually link to them.

Manually link

The paths are as follows:

x86: C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\lib\spectre

x64: C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\lib\spectre\amd64

ARM: C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\lib\spectre\arm

We are providing static linking support and application local deployment only. The contents of the Visual C++ 2015 Runtime Libraries Redistributable were not modified. Application local deployment means that you link to the new Spectre libraries by using the Multithreaded DLL (/MD or /MDd) option, and then, when you deploy your new program, you include the mitigated runtimes in the same directory as the .exe file that loads them. The centrally deployed version of the runtime (the one in C:\Windows\System32 or C:\Windows\SysWOW64) is the non-mitigated version. If the mitigated runtimes are not in the same directory as the executable file, the program picks up the centrally deployed version of the runtime.
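
The following PowerShell script is an added example, not part of the original article or of Microsoft's tooling. It checks the application local deployment described above for one executable. It assumes dumpbin.exe is on PATH (for example in a Developer Command Prompt) and that the DLL name pattern shown covers the VC++ 2015 runtime DLLs that the build imports.

```powershell
# Added example: verify that the VC++ runtime DLLs imported by an .exe are
# deployed beside it, and are not just copies of the centrally deployed runtime.
param(
    [Parameter(Mandatory = $true)][string]$ExePath
)

$exe     = Get-Item -LiteralPath $ExePath
$exeDir  = $exe.DirectoryName
# Central runtime locations named in the article (non-mitigated copies).
$central = @("$env:WINDIR\System32", "$env:WINDIR\SysWOW64")
# Assumed name pattern for VC++ 2015 runtime DLLs (release and debug).
$vcRuntimePattern = '^(vcruntime|msvcp|concrt|vccorlib)140.*\.dll$'

# dumpbin /DEPENDENTS prints each directly imported DLL on its own indented line.
$imports = & dumpbin.exe /DEPENDENTS $exe.FullName |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match $vcRuntimePattern } |
    Sort-Object -Unique

$problems = 0
foreach ($dll in $imports) {
    $local = Join-Path $exeDir $dll
    if (-not (Test-Path -LiteralPath $local)) {
        Write-Warning "$dll is not beside the .exe; the centrally deployed copy will load."
        $problems++
        continue
    }
    # A local file identical to the central copy is the non-mitigated runtime.
    $localHash = (Get-FileHash -LiteralPath $local -Algorithm SHA256).Hash
    foreach ($dir in $central) {
        $sys = Join-Path $dir $dll
        if ((Test-Path -LiteralPath $sys) -and
            ((Get-FileHash -LiteralPath $sys -Algorithm SHA256).Hash -eq $localHash)) {
            Write-Warning "$dll beside the .exe is byte-identical to $sys."
            $problems++
        }
    }
}

if (-not $imports) {
    Write-Output "No VC++ runtime DLL imports found (statically linked build?)."
} elseif ($problems -eq 0) {
    Write-Output "App-local VC++ runtime DLLs found for: $($imports -join ', ')"
}
exit $problems
```

The check covers only the direct imports of the executable; run it again for each DLL in the application directory that is itself built with /MD or /MDd.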

For ease of use, we are also providing copies of most libraries in the Spectre library directories. However, they are not all Spectre-mitigated. The following table specifies which libraries are mitigated. Note also that the files that have Spectre mitigations should be consistent across all architectures, if the technology is supported for that architecture.