Microsoft is aware of the security vulnerability that impacts chips from several different manufacturers. Many devices and applications will be affected by this flaw, including any operating systems such as Windows that run on the affected chips. To take advantage of available protections, follow these steps to get the latest updates for both software and hardware:
- Make sure your antivirus software is up to date. Check your software manufacturer's website for their latest info.
- Keep your device up to date by turning on automatic updates.
- Check that you’ve installed the latest Windows operating system security update from Microsoft. If automatic updates are turned on, the updates should be automatically delivered to you, but you should still confirm that they’re installed. For instructions, see Windows Update: FAQ.
- Install any firmware updates from your device manufacturer. Firmware updates should be available on your device manufacturer's website.
Note: Customers who only install the latest security updates from Microsoft will not be fully protected against the vulnerabilities. You will also need to install applicable firmware updates from your device manufacturer. Antivirus software updates should be installed first. Operating system and firmware updates can be installed in either order.
We encourage you to keep your devices up to date and secure by installing Windows security updates monthly.
Frequently asked questions
Here are some answers about the recently discovered security vulnerability that impacts chips from several different manufacturers.
Affected chips include those manufactured by Intel and ARM, which means Windows and Windows Server operating system versions are potentially vulnerable. The security updates released on January 3, 2018 provide mitigations for devices running the following Windows x64-based operating systems:
o Windows 7 Service Pack 1
o Windows 8.1
o Windows 10 (initial version released July 2015, 1511, 1607, 1703, and 1709)
o Windows Server 2008 R2
o Windows Server 2012 R2
o Windows Server 2016
The security updates released on February 13, 2018 provide mitigations for devices running the following Windows x64-based operating systems:
o Windows 10 version 1709
o Windows 10 version 1703
o Windows 10 version 1607
o Windows 10 version 1511
o Windows 10 initial version released July 2015
Addressing a hardware vulnerability with a software update presents significant challenges for older operating systems and can require extensive architectural changes. We are continuing to work with affected chip manufacturers and investigating the best way to provide mitigations, which may be provided in a future update. Replacing older devices running these older operating systems should address the remaining risk along with updated antivirus software.
Customers should install the latest Windows operating system security updates from Microsoft to take advantage of available protections. You will also need to install applicable firmware updates from your device manufacturer. These updates should be available on your device manufacturer's website. Antivirus software updates should be installed first. Operating system and firmware updates can be installed in either order. We encourage you to keep your devices up to date by installing the monthly Windows security updates.
You will need to update both your hardware and your software to fix this vulnerability. You will also need to install applicable firmware updates from your device manufacturer for more comprehensive protection. We encourage you to keep your devices up to date by installing the monthly security updates.
You will need to check with your device manufacturer for firmware updates. For more information, see the table listed in KB 4073757.
Updates for Microsoft Surface devices will be delivered to customers through Windows Update. For more information, see KB 4073065.
In each Windows 10 feature update, we build the latest security technology deep into the operating system, providing defense-in-depth features that prevent entire classes of malware from impacting your device. Feature update releases are targeted twice a year. In each monthly quality update, we add another layer of security, one that tracks emerging and changing trends in malware to make up-to-date systems safer in the face of changing and evolving threats.
Recommendations:
- Ensure your devices are up to date with the latest security updates from Microsoft and from your hardware manufacturer. For more info on keeping your device up to date, see Windows Update: FAQ.
- Continue to practice sensible caution when visiting websites of unknown origin and do not remain on sites you do not trust. Microsoft recommends all customers protect their devices by running a supported antivirus program. Customers can also take advantage of built-in antivirus protection: Windows Security for Windows 10 devices (or Windows Defender Security Center in earlier versions of Windows 10), or Microsoft Security Essentials for Windows 7 devices.
We’ve taken steps to protect customers who use Microsoft browsers and we will continue to improve these mitigations in future updates. We also encourage our customers to practice good computing habits online, including exercising caution when clicking links to webpages, opening unknown files, or accepting file transfers.
If your device is running antivirus software that is not known to be compatible with the update, the update will not be installed. So, if you have issues installing the update, first check with your antivirus software manufacturer to find out if the antivirus software you are running has been updated. The update can’t be installed on devices that have incompatible antivirus software.
You can also try these Windows Update troubleshooting tips.
Intel has reported issues with recently released microcode meant to address Spectre variant 2 (CVE-2017-5715, Branch Target Injection) – specifically, Intel noted that this microcode can cause “higher than expected reboots and other unpredictable system behavior” and then noted that situations like this may result in “data loss or corruption.” Our own experience is that system instability can in some circumstances cause data loss or corruption. On January 22, 2018, Intel recommended that customers stop deploying the current microcode version on impacted processors while they perform additional testing on the updated solution. We understand that Intel is continuing to investigate the potential impact of the current microcode version and encourage customers to review their guidance on an ongoing basis to inform their decisions.
While Intel tests, updates and deploys new microcode, we are making available an out of band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.” In our testing this update has been found to prevent the behavior described. This update covers Windows 7 (SP1), Windows 8.1, and all versions of Windows 10, for client and server. If you are running an impacted device, this update can be applied by downloading it from the Microsoft Update Catalog website. Application of this payload specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.”
As of January 25, 2018, there are no known reports to indicate that Spectre variant 2 (CVE-2017-5715) has been used to attack customers. We recommend that Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.
In February 2018, Intel announced they have completed their validations and started to release microcode for newer CPU platforms. Microsoft is making available Intel validated microcode updates around Spectre Variant 2 [CVE-2017-5715 ("Branch Target Injection")]. KB4093836 and KB4100347 list specific Knowledge Base articles by Windows version. Each specific KB contains the available Intel microcode updates by CPU.
As of May 17, 2018, Microsoft is making available Intel validated microcode updates around Spectre Variant 2 (CVE-2017-5715 “Branch Target Injection”) for devices upgraded to Windows 10 April 2018 Update. To get the latest Intel microcode updates via Windows Update, customers must have installed Intel microcode on devices running a Windows 10 operating system prior to upgrading to the Windows 10 April 2018 Update (version 1803). KB4100347.
The microcode update is also available directly from Catalog if it was not installed on the device prior to upgrading the OS. Intel microcode is available via Windows Update, WSUS, or the Microsoft Update Catalog. For more information and download instructions, see