Change date |
Decription of change |
---|---|
April 20, 2023 |
|
August 8, 2023 |
|
August 9, 2023 |
|
April 9, 2024 |
|
April 16, 2024 |
|
Summary
This article provides guidance for a new class of silicon-based microarchitectural and speculative execution side-channel vulnerabilities that affect many modern processors and operating systems. This includes Intel, AMD, and ARM. Specific details for these silicon-based vulnerabilities can be found in the following ADVs (Security Advisories) and CVEs (Common Vulnerabilities and Exposures):
-
ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities
-
ADV180013 | Microsoft Guidance for Rogue System Register Read
-
ADV190013 | Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities
-
ADV220002 | Microsoft Guidance on Intel Processor MMIO Stale Data Vulnerabilities
: These issues also affects other operating systems, such as Android, Chrome, iOS, and MacOS. We advise customers to seek guidance from those vendors.
We have released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See the following sections for more details.
We have not yet received any information to indicate that these vulnerabilities were used to attack customers. We are working closely with industry partners including chip makers, hardware OEMs, and application vendors to protect customers. To get all available protections, firmware (microcode) and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software.
Vulnerabilities
This article addresses the following speculative execution vulnerabilities:
Windows Update will also provide Internet Explorer and Edge mitigations. We will continue to improve these mitigations against this class of vulnerabilities.
To learn more about this class of vulnerabilities, see
On May 14, 2019, Intel published information about a new subclass of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling and documented in ADV190013 | Microarchitectural Data Sampling. They have been assigned the following CVEs:
-
CVE-2019-11091 | Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
-
CVE-2018-12126 | Microarchitectural Store Buffer Data Sampling (MSBDS)
-
CVE-2018-12127 | Microarchitectural Fill Buffer Data Sampling (MFBDS)
-
CVE-2018-12130 | Microarchitectural Load Port Data Sampling (MLPDS)
: These issues will affect other systems such as Android, Chrome, iOS, and MacOS. We advise customers to seek guidance from those vendors.
Microsoft has released updates to help mitigate these vulnerabilities. To get all available protections, firmware (microcode) and software updates are required. This may include microcode from device OEMs. In some cases, installing these updates will have a performance impact. We have also acted to secure our cloud services. We strongly recommend deploying these updates.
For more information about this issue, see the following Security Advisory and use scenario-based guidance to determine actions necessary to mitigate the threat:
-
ADV190013 | Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities
-
Windows guidance to protect against speculative execution side-channel vulnerabilities
: We recommend that you install all the latest updates from Windows Update before you install any microcode updates.
On August 6, 2019 Intel released details about a Windows kernel information disclosure vulnerability. This vulnerability is a variant of the Spectre, Variant 1 speculative execution side-channel vulnerability and has been assigned CVE-2019-1125.
On July 9, 2019 we released security updates for the Windows operating system to help mitigate this issue. Please note that we held back documenting this mitigation publicly until the coordinated industry disclosure on Tuesday, August 6, 2019.
Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically. There is no further configuration necessary.
: This vulnerability does not require a microcode update from your device manufacturer (OEM).
For more information about this vulnerability and applicable updates, see the Microsoft Security Update Guide:
On November 12, 2019, Intel published a technical advisory around Intel® Transactional Synchronization Extensions (Intel TSX) Transaction Asynchronous Abort vulnerability that is assigned CVE-2019-11135. Microsoft has released updates to help mitigate this vulnerability and the OS protections are enabled by default for Windows Server 2019 but disabled by default for Windows Server 2016 and earlier Windows Server OS editions.
On June 14 2022, we published ADV220002 | Microsoft Guidance on Intel Processor MMIO Stale Data Vulnerabilities and assigned these CVEs:
Recommended actions
You should take the following actions to help protect against the vulnerabilities:
-
Apply all available Windows operating system updates, including the monthly Windows security updates.
-
Apply the applicable firmware (microcode) update that is provided by the device manufacturer.
-
Evaluate the risk to your environment based on the information that is provided on Microsoft Security Advisories: ADV180002, ADV180012, ADV190013, and ADV220002, in addition to the information provided in this knowledge base article.
-
Take action as required by using the advisories and registry key information that are provided in this knowledge base article.
: Surface customers will receive a microcode update through Windows Update. For a list of the latest Surface device firmware (microcode) updates, see KB4073065.
On July 12, 2022, we published CVE-2022-23825 | AMD CPU Branch Type Confusion which describes that aliases in the branch predictor may cause certain AMD processors to predict the wrong branch type. This issue might potentially lead to information disclosure.
To help protect against this vulnerability, we recommend installing Windows updates that are dated on or after July 2022 and then take action as required by CVE-2022-23825 and registry key information that is provided in this knowledge base article.
For more information, see the AMD-SB-1037 security bulletin.
On August 8, 2023, we published CVE-2023-20569 | Return Address Predictor (also known as Inception) which describes a new speculative side channel attack that can result in speculative execution at an attacker-controlled address. This issue affects certain AMD processors and might potentially lead to information disclosure.
To help protect against this vulnerability, we recommend installing Windows updates that are dated on or after August 2023 and then take action as required by CVE-2023-20569 and registry key information that is provided in this knowledge base article.
For more information, see the AMD-SB-7005 security bulletin.
On April 9, 2024 we published CVE-2022-0001 | Intel Branch History Injection which describes Branch History Injection (BHI) which is a specific form of intra-mode BTI. This vulnerability occurs when an attacker may manipulate branch history before transitioning from user to supervisor mode (or from VMX non-root/guest to root mode). This manipulation could cause an indirect branch predictor to select a specific predictor entry for an indirect branch, and a disclosure gadget at the predicted target will transiently execute. This may be possible because the relevant branch history may contain branches taken in previous security contexts, and in particular, other predictor modes.
Mitigation settings for Windows Server and Azure Stack HCI
Security advisories (ADVs) and CVEs provide information provide information about the risk that is posed by these vulnerabilities. They also help you identify the vulnerabilities and identify the default state of mitigations for Windows Server systems. The below table summarizes the requirement of CPU microcode and the default status of the mitigations on Windows Server.
CVE |
Requires CPU microcode/firmware? |
Mitigation Default status |
---|---|---|
No |
Enabled by default (no option to disable) Please refer to ADV180002 for additional information |
|
Yes |
Disabled by default. Please refer to ADV180002 for additional information and this KB article for applicable registry key settings. Note “Retpoline” is enabled by default for devices running Windows 10, version 1809 and later if Spectre Variant 2 (CVE-2017-5715) is enabled. For more information about “Retpoline”, follow Mitigating Spectre variant 2 with Retpoline on Windows blog post. |
|
No |
Windows Server 2019, Windows Server 2022, and Azure Stack HCI: Enabled by default. Windows Server 2016 and earlier: Disabled by default.Please refer to ADV180002 for additional information. |
|
Intel: Yes AMD: No |
Disabled by default. See ADV180012 for more information and this article for applicable registry key settings. |
|
Intel: Yes |
Windows Server 2019, Windows Server 2022, and Azure Stack HCI: Enabled by default. Windows Server 2016 and earlier: Disabled by default.See ADV190013 for more information and this article for applicable registry key settings. |
|
Intel: Yes |
Windows Server 2019, Windows Server 2022, and Azure Stack HCI: Enabled by default. Windows Server 2016 and earlier: Disabled by default.See ADV190013 for more information and this article for applicable registry key settings. |
|
Intel: Yes |
Windows Server 2019, Windows Server 2022, and Azure Stack HCI: Enabled by default. Windows Server 2016 and earlier: Disabled by default.See ADV190013 for more information and this article for applicable registry key settings. |
|
Intel: Yes |
Windows Server 2019, Windows Server 2022, and Azure Stack HCI: Enabled by default. Windows Server 2016 and earlier: Disabled by default.See ADV190013 for more information and this article for applicable registry key settings. |
|
Intel: Yes |
Windows Server 2019, Windows Server 2022, and Azure Stack HCI: Enabled by default. Windows Server 2016 and earlier: Disabled by default.See CVE-2019-11135 for more information and this article for applicable registry key settings. |
|
CVE-2022-21123 (part of MMIO ADV220002) |
Intel: Yes |
Windows Server 2019, Windows Server 2022, and Azure Stack HCI: Enabled by default. Windows Server 2016 and earlier: Disabled by default.*See CVE-2022-21123 for more information and this article for applicable registry key settings. |
CVE-2022-21125 (part of MMIO ADV220002) |
Intel: Yes |
Windows Server 2019, Windows Server 2022, and Azure Stack HCI: Enabled by default. Windows Server 2016 and earlier: Disabled by default.*See CVE-2022-21125 for more information and this article for applicable registry key settings. |
CVE-2022-21127 (part of MMIO ADV220002) |
Intel: Yes |
Windows Server 2019, Windows Server 2022, and Azure Stack HCI: Enabled by default. Windows Server 2016 and earlier: Disabled by default.*See CVE-2022-21127 for more information and this article for applicable registry key settings. |
CVE-2022-21166 (part of MMIO ADV220002) |
Intel: Yes |
Windows Server 2019, Windows Server 2022, and Azure Stack HCI: Enabled by default. Windows Server 2016 and earlier: Disabled by default.*See CVE-2022-21166 for more information and this article for applicable registry key settings. |
CVE-2022-23825 (AMD CPU Branch Type Confusion) |
AMD: No |
See CVE-2022-23825 for more information and this article for applicable registry key settings. |
CVE-2023-20569 (AMD CPU Return Address Predictor) |
AMD: Yes |
See CVE-2023-20569 for more information and this article for applicable registry key settings. |
Intel: No |
Disabled by default See CVE-2022-0001 for more information and this article for applicable registry key settings. |
* Follow mitigation guidance for Meltdown below.
If you want to obtain all available protections against these vulnerabilities, you must make registry key changes to enable these mitigations that are disabled by default.
Enabling these mitigations may affect performance. The scale of the performance effects depends on multiple factors, such as the specific chipset in your physical host and the workloads that are running. We recommend that you assess the performance effects for your environment and make any necessary adjustments.
Your server is at increased risk if it's in one of the following categories:
-
Hyper-V hosts: Requires protection for VM-to-VM and VM-to-host attacks.
-
Remote Desktop Services Hosts (RDSH): Requires protection from one session to another session or from session-to-host attacks.
-
Physical hosts or virtual machines that are running untrusted code, such as containers or untrusted extensions for database, untrusted web content, or workloads that run code that is from external sources. These require protection from untrusted process-to-another-process or untrusted-process-to-kernel attacks.
Use the following registry key settings to enable the mitigations on the server, and restart the device for the changes to take effect.
: By default, enabling mitigations that are off may affect performance. The actual performance effect depends on multiple factors, such as the specific chipset in the device and the workloads that are running.
Registry settings
We are providing the following registry information to enable mitigations that are not enabled by default, as documented in Security Advisories (ADVs) and CVEs. Additionally, we provide registry key settings for users who want to disable the mitigations when applicable for Windows clients.
IMPORTANT This section, method, or task contains steps that tell you how to change the registry. However, serious problems might occur if you change the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you change it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see the following article in the Microsoft Knowledge Base:
KB322756 How to back up and restore the registry in Windows
IMPORTANT By default, Retpoline is configured as follows if Spectre, Variant 2 mitigation (CVE-2017-5715) is enabled:
- Retpoline mitigation is enabled on Windows 10, version 1809 and later Windows versions.
- Retpoline mitigation is disabled on Windows Server 2019 and later Windows Server versions.
For more information about the configuration of Retpoline, see Mitigating Spectre variant 2 with Retpoline on Windows.
|
: Setting FeatureSettingsOverrideMask to 3 is accurate for both the "enable" and "disable" settings. (See the "FAQ " section for more details about registry keys.)
To disable Variant 2: (CVE-2017-5715 | Branch Target Injection) mitigation: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 1 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f Restart the device for the changes to take effect. To enable Variant 2: (CVE-2017-5715 | Branch Target Injection) mitigation: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f Restart the device for the changes to take effect. |
By default, user-to-kernel protection for CVE-2017-5715 is disabled for AMD CPUs. Customers must enable the mitigation to receive additional protections for CVE-2017-5715. For more information, see FAQ #15 in ADV180002.
Enable user-to-kernel protection on AMD processors along with other protections for CVE 2017-5715: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 64 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f If the Hyper-V feature is installed, add the following registry setting: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted. Restart the device for the changes to take effect. |
To enable mitigations for CVE-2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2), and CVE-2017-5754 (Meltdown): reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f If the Hyper-V feature is installed, add the following registry setting: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted. Restart the device for the changes to take effect. To disable mitigations for CVE-2018-3639 (Speculative Store Bypass) AND mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown) reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f Restart the device for the changes to take effect. |
By default, user-to-kernel protection for CVE-2017-5715 is disabled for AMD processors. Customers must enable the mitigation to receive additional protections for CVE-2017-5715. For more information, see FAQ #15 in ADV180002.
Enable user-to-kernel protection on AMD processors along with other protections for CVE 2017-5715 and protections for CVE-2018-3639 (Speculative Store Bypass): reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f If the Hyper-V feature is installed, add the following registry setting: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted. Restart the device for the changes to take effect. |
To enable mitigations for Intel Transactional Synchronization Extensions (Intel TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135) and Microarchitectural Data Sampling ( CVE-2018-11091 , CVE-2018-12126 , CVE-2018-12127 , CVE-2018-12130 ) along with Spectre [CVE-2017-5753 & CVE-2017-5715], Meltdown [CVE-2017-5754] variants, MMIO (CVE-2022-21123, CVE-2022-21125, CVE-2022-21127, and CVE-2022-21166) including Speculative Store Bypass Disable (SSBD) [CVE-2018-3639 ] as well as L1 Terminal Fault (L1TF) [CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646] without disabling Hyper-Threading: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f If the Hyper-V feature is installed, add the following registry setting: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted. Restart the device for the changes to take effect. To enable mitigations for Intel Transactional Synchronization Extensions (Intel TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135) and Microarchitectural Data Sampling ( CVE-2018-11091, CVE-2018-12126 , CVE-2018-12127 , CVE-2018-12130) along with Spectre [CVE-2017-5753 & CVE-2017-5715] and Meltdown [CVE-2017-5754] variants, including Speculative Store Bypass Disable (SSBD) [CVE-2018-3639] as well as L1 Terminal Fault (L1TF) [CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646] with Hyper-Threading disabled: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f If the Hyper-V feature is installed, add the following registry setting: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted. Restart the device for the changes to take effect. To disable mitigations for Intel Transactional Synchronization Extensions (Intel TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135) and Microarchitectural Data Sampling ( CVE-2018-11091, CVE-2018-12126 , CVE-2018-12127 , CVE-2018-12130) along with Spectre [CVE-2017-5753 & CVE-2017-5715] and Meltdown [CVE-2017-5754] variants, including Speculative Store Bypass Disable (SSBD) [CVE-2018-3639] as well as L1 Terminal Fault (L1TF) [CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646]: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f Restart the device for the changes to take effect. |
To enable the mitigation for CVE-2022-23825 on AMD processors:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 16777280 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
To be fully protected, customers might also need to disable Hyper-Threading (also known as Simultaneous Multi Threading (SMT)). Please see KB4073757 for guidance on protecting Windows devices.
To enable the mitigation for CVE-2023-20569 on AMD processors:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 67108928 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
To enable the mitigation for CVE-2022-0001 on Intel processors:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x00800000 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 0x00000003 /f
Enabling multiple mitigations
To enable multiple mitigations, you must add the REG_DWORD value of each mitigation together.
For example:
Mitigation for Transaction Asynchronous Abort vulnerability, Microarchitectural Data Sampling, Spectre, Meltdown, MMIO, Speculative Store Bypass Disable (SSBD), and L1 Terminal Fault (L1TF) with Hyper-Threading disabled |
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f |
NOTE 8264 (in Decimal) = 0x2048 (in Hex) To enable BHI along with other existing settings, you will need to use bitwise OR of current value with 8,388,608 (0x800000). 0x800000 OR 0x2048(8264 in decimal) and it will become 8,396,872(0x802048). Same with FeatureSettingsOverrideMask. |
|
Mitigation for CVE-2022-0001 on Intel processors |
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x00800000 /f |
Combined mitigation |
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x00802048 /f |
Mitigation for Transaction Asynchronous Abort vulnerability, Microarchitectural Data Sampling, Spectre, Meltdown, MMIO, Speculative Store Bypass Disable (SSBD), and L1 Terminal Fault (L1TF) with Hyper-Threading disabled |
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f" |
Mitigation for CVE-2022-0001 on Intel processors |
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 0x00000003 /f |
Combined mitigation |
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 0x00000003 /f |
Verifying that protections are enabled
To help verify that protections are enabled, we have published a PowerShell script that you can run on your devices. Install and run the script by using one of the following methods.
Install the PowerShell Module: PS> Install-Module SpeculationControl Run the PowerShell module to verify that protections are enabled: PS> # Save the current execution policy so it can be reset PS> $SaveExecutionPolicy = Get-ExecutionPolicy PS> Set-ExecutionPolicy RemoteSigned -Scope Currentuser PS> Import-Module SpeculationControl PS> Get-SpeculationControlSettings PS> # Reset the execution policy to the original state PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser |
Install the PowerShell module from Technet ScriptCenter:
Run the PowerShell module to verify that protections are enabled: Start PowerShell, and then use the previous example to copy and run the following commands: PS> # Save the current execution policy so it can be reset PS> $SaveExecutionPolicy = Get-ExecutionPolicy PS> Set-ExecutionPolicy RemoteSigned -Scope Currentuser PS> CD C:\ADV180002\SpeculationControl PS> Import-Module .\SpeculationControl.psd1 PS> Get-SpeculationControlSettings PS> # Reset the execution policy to the original state PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser |
For a detailed explanation of the output of the PowerShell script, see KB4074629 .
Frequently asked questions
To help avoid adversely affecting customer devices, the Windows security updates that were released in January and February 2018 were not offered to all customers. For details, see KB407269 .
The microcode is delivered through a firmware update. Consult your OEM about the firmware version that has the appropriate update for your computer.
There are multiple variables that affect performance, ranging from the system version to the workloads that are running. For some systems, the performance effect will be negligible. For others, it will be considerable.
We recommend that you assess the performance effects on your systems and make adjustments as necessary.
In addition to the guidance that's in this article regarding virtual machines, you should contact your service provider to make sure that the hosts that are running your virtual machines are adequately protected.Guidance for mitigating speculative execution side-channel vulnerabilities in Azure . For guidance on using Azure Update Management to mitigate this issue on guest VMs, see KB4077467.
For Windows Server virtual machines that are running in Azure, seeThe updates that were released for Windows Server container images for Windows Server 2016 and Windows 10, version 1709 include the mitigations for this set of vulnerabilities. No additional configuration is required.
Note You must still make sure that the host on which these containers are running is configured to enable the appropriate mitigations.No, the installation order doesn't matter.
Yes, you must restart after the firmware (microcode) update and then again after the system update.
Here are the details for the registry keys:
FeatureSettingsOverride represents a bitmap that overrides the default setting and controls which mitigations will be disabled. Bit 0 controls the mitigation that corresponds to CVE-2017-5715. Bit 1 controls the mitigation that corresponds to CVE-2017-5754. The bits are set to 0 to enable the mitigation and to 1 to disable the mitigation.
FeatureSettingsOverrideMask represents a bitmap mask that's used together with FeatureSettingsOverride. In this situation, we use the value 3 (represented as 11 in the binary numeral or base-2 numeral system) to indicate the first two bits that correspond to the available mitigations. This registry key is set to 3 both to enable or to disable the mitigations.
MinVmVersionForCpuBasedMitigations is for Hyper-V hosts. This registry key defines the minimum VM version that's required for you to use the updated firmware capabilities (CVE-2017-5715). Set this to 1.0 to cover all VM versions. Notice that this registry value will be ignored (benign) on non-Hyper-V hosts. For more details, see Protecting guest virtual machines from CVE-2017-5715 (branch target injection).
Yes, there are no side effects if these registry settings are applied prior to installing the January 2018-related fixes.
See a detailed description of the script output at KB4074629: Understanding SpeculationControl PowerShell script output .
Yes, for Windows Server 2016 Hyper-V hosts that don't yet have the firmware update available, we have published alternative guidance that can help mitigate the VM to VM or VM to host attacks. See Alternative protections for Windows Server 2016 Hyper-V Hosts against the speculative execution side-channel vulnerabilities .
Security-only updates are not cumulative. Depending on your operating system version, you may need to install several security updates for full protection. In general, customers will need to install the January, February, March, and April 2018 updates. Systems that have AMD processors need an additional update as shown in the following table:
Operating System version |
Security Update |
Windows 8.1, Windows Server 2012 R2 |
KB4338815 - Monthly Rollup |
KB4338824- Security-only |
|
Windows 7 SP1, Windows Server 2008 R2 SP1, or Windows Server 2008 R2 SP1 (Server Core installation) |
KB4284826 - Monthly Rollup |
KB4284867 - Security Only |
|
Windows Server 2008 SP2 |
KB4340583 - Security Update |
We recommend that you install the Security-only updates in the order of release.
: An earlier version of this FAQ incorrectly stated that the February Security-only update included the security fixes that were released in January. In fact, it does not.
No. Security update KB4078130 was a specific fix to prevent unpredictable system behaviors, performance issues, and unexpected restarts after the installation of microcode. Applying the security updates on Windows client operating systems enables all three mitigations. On Windows Server operating systems, you still have to enable the mitigations after you do proper testing. For more information, see KB4072698.
This issue was resolved in KB4093118.
In February 2018, Intel announced that they had completed their validations and started to release microcode for newer CPU platforms. Microsoft is making available Intel validated microcode updates that concern Spectre Variant 2 Spectre Variant 2 (CVE-2017-5715 | Branch Target Injection). KB4093836 lists specific knowledge base articles by Windows version. Each specific KB article contains the available Intel microcode updates by CPU.
On January 11, 2018, Intel reported issues in recently released microcode that was meant to address Spectre variant 2 (CVE-2017-5715 | Branch Target Injection). Specifically, Intel noted that this microcode can cause “higher than expected reboots and other unpredictable system behavior” and that these scenarios may cause “data loss or corruption.” Our experience is that system instability can cause data loss or corruption in some circumstances. On January 22, Intel recommended that customers stop deploying the current microcode version on affected processors while Intel performs additional testing on the updated solution. We understand that Intel is continuing to investigate the potential effect of the current microcode version. We encourage customers to review their guidance on an ongoing basis to inform their decisions.
While Intel tests, updates, and deploys new microcode, we are making available an out-of-band (OOB) update, KB4078130, that specifically disables only the mitigation against CVE-2017-5715. In our testing, this update has been found to prevent the described behavior. For the full list of devices, see the microcode revision guidance from Intel. This update covers Windows 7 Service Pack 1 (SP1), Windows 8.1, and all versions of Windows 10, both client and server. If you're running an affected device, this update can be applied by downloading it from the Microsoft Update Catalog website. Application of this payload specifically disables only the mitigation against CVE-2017-5715.
As of this time, there are no known reports that indicate that this Spectre Variant 2 (CVE-2017-5715 | Branch Target Injection) has been used to attack customers. We recommend that, when appropriate, Windows users reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.
In February 2018, Intel announced that they have completed their validations and started to release microcode for newer CPU platforms. Microsoft is making available Intel-validated microcode updates that are related to Spectre Variant 2 Spectre Variant 2 (CVE-2017-5715 | Branch Target Injection). KB4093836 lists specific knowledge base articles by Windows version. The KBs list available Intel microcode updates by CPU.
For more information, see AMD Security Updates and AMD Whitepaper: Architecture Guidelines around Indirect Branch Control . These are available from the OEM firmware channel.
We are making available Intel-validated microcode updates that concern Spectre Variant 2 (CVE-2017-5715 | Branch Target Injection). To get the latest Intel microcode updates through Windows Update, customers must have installed Intel microcode on devices running a Windows 10 operating system prior to upgrading to the Windows 10 April 2018 Update (version 1803).
The microcode update is also available directly from the Microsoft Update Catalog if it was not installed on the device before upgrading the system. Intel microcode is available through Windows Update, Windows Server Update Services (WSUS), or the Microsoft Update Catalog. For more information and download instructions, see KB4100347.
For more information, see the following resources:
See the “Recommended actions” and “FAQ” sections of ADV180012 | Microsoft Guidance for Speculative Store Bypass.
To verify the status of SSBD, the Get-SpeculationControlSettings PowerShell script has been updated to detect affected processors, status of the SSBD operating system updates, and state of the processor microcode, if applicable. For more information and to obtain the PowerShell script, see KB4074629.
On June 13, 2018, an additional vulnerability that involves side-channel speculative execution, known as Lazy FP State Restore, was announced and assigned CVE-2018-3665 . For information about this vulnerability and recommended actions, see the Security Advisory ADV180016 | Microsoft Guidance for Lazy FP State Restore .
Note There are no required configuration (registry) settings for Lazy Restore FP Restore.
Bounds Check Bypass Store (BCBS) was disclosed on July 10, 2018, and assigned CVE-2018-3693. We consider BCBS to belong to the same class of vulnerabilities as Bounds Check Bypass (Variant 1). We aren't currently aware of any instances of BCBS in our software. However, we are continuing to research this vulnerability class and will work with industry partners to release mitigations as required. We encourage researchers to submit any relevant findings to the Microsoft Speculative Execution Side Channel bounty program, including any exploitable instances of BCBS. Software developers should review the developer guidance that's been updated for BCBS at C++ Developer Guidance for Speculative Execution Side Channels
On August 14, 2018, L1 Terminal Fault (L1TF) was announced and assigned multiple CVEs. These new speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and, if exploited, could lead to information disclosure. There are multiple vectors by which an attacker could trigger the vulnerabilities, depending on the configured environment. L1TF affects Intel® Core® processors and Intel® Xeon® processors.
For more information about this vulnerability and a detailed view of affected scenarios, including Microsoft's approach to mitigating L1TF, see the following resources:
The steps to disable Hyper-Threading differ from OEM to OEM but are generally part of the BIOS or firmware setup and configuration tools.
Customers who use 64-bit ARM processors should contact the device OEM for firmware support because ARM64 operating system protections that mitigate CVE-2017-5715 | Branch target injection (Spectre, Variant 2) require the latest firmware update from device OEMs to take effect.
For more information, refer to the following security advisories
Further guidance can be found in Windows guidance to protect against speculative execution side-channel vulnerabilities
Please refer to guidance in Windows guidance to protect against speculative execution side-channel vulnerabilities
For Azure guidance, please refer to this article: Guidance for mitigating speculative execution side-channel vulnerabilities in Azure.
For more information about Retpoline enablement, refer to our blog post: Mitigating Spectre variant 2 with Retpoline on Windows .
For details about this vulnerability, see the Microsoft Security Guide: CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability.
We’re not aware of any instance of this information disclosure vulnerability affecting our cloud service infrastructure.
As soon as we became aware of this issue, we worked quickly to address it and release an update. We strongly believe in close partnerships with both researchers and industry partners to make customers more secure, and did not publish details until Tuesday, August 6, consistent with coordinated vulnerability disclosure practices.
Further guidance can be found in Windows guidance to protect against speculative execution side-channel vulnerabilities.
Further guidance can be found in Windows guidance to protect against speculative execution side-channel vulnerabilities.
Further guidance can be found in Guidance for disabling Intel Transactional Synchronization Extensions (Intel TSX) capability.
References
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. We make no warranty, implied or otherwise, about the performance or reliability of these products.
We provide third-party contact information to help you find technical support. This contact information may change without notice. We do not guarantee the accuracy of this third-party contact information.