Windows client guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

Recommended actions

Customers should take the following actions to help protect against the vulnerabilities:

  1. Apply all available Windows operating system updates, including the monthly Windows security updates.

  2. Apply the applicable firmware (microcode) update that is provided by the device manufacturer.

  3. Evaluate the risk to your environment based on the information that is provided on Microsoft Security Advisories: ADV180002, ADV180012, ADV190013 and information provided in this Knowledge Base article.

  4. Take action as required by using the advisories and registry key information that are provided in this Knowledge Base article.

Note Surface customers will receive a microcode update through Windows update. For a list of the latest available Surface device firmware (microcode) updates, see KB 4073065.

Mitigation settings for Windows clients

Security advisories ADV180002ADV180012, and ADV190013 provide information about the risk that is posed by these vulnerabilities, and they help you identify the default state of mitigations for Windows client systems. The following table summarizes the requirement of CPU microcode and the default status of the mitigations on Windows clients.

CVE

Requires CPU microcode/firmware?

Mitigation Default status

CVE-2017-5753

No

Enabled by default (no option to disable)

Please refer to ADV180002 for additional information.

CVE-2017-5715

Yes

Enabled by default. Users of systems based on AMD processors should see FAQ #15  and users of ARM processors should see FAQ #20 on ADV180002 for additional action and this KB article for applicable registry key settings.

Note “Retpoline” is enabled by default for devices running Windows 10 1809 or newer if Spectre Variant 2 (CVE-2017-5715) is enabled. For more information, around “Retpoline”, follow the guidance in theMitigating Spectre variant 2 with Retpoline on Windows blog post.

CVE-2017-5754

No

Enabled by default

Please refer to ADV180002 for additional information.

CVE-2018-3639

Intel: Yes
AMD: No
ARM: Yes

Intel and AMD: Disabled by default. See ADV180012 for more information and this KB article for applicable registry key settings.

ARM: Enabled by default without option to disable.

CVE-2018-11091

Intel: Yes

Enabled by default.

See ADV190013 for more information and this KB article for applicable registry key settings.

CVE-2018-12126

Intel: Yes

Enabled by default.

See ADV190013 for more information and this KB article for applicable registry key settings.

CVE-2018-12127

Intel: Yes

Enabled by default.

See ADV190013 for more information and this KB article for applicable registry key settings.

CVE-2018-12130

Intel: Yes

Enabled by default.

See ADV190013 for more information and this KB article for applicable registry key settings.

CVE-2019-11135

Intel: Yes

Enabled by default.

See CVE-2019-11135 for more information and this KB article for applicable registry key settings.


Note Enabling mitigations that are off by-default may affect performance. The actual performance effect depends on multiple factors, such as the specific chipset in the device and the workloads that are running.

Registry settings

We are providing the following registry information to enable mitigations that are not enabled by default, as documented in Security Advisories ADV180002 and ADV180012. Additionally, we are providing registry key settings for users who want to disable the mitigations that are related to CVE-2017-5715 and CVE-2017-5754 for Windows clients.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see the following article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

Manage mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)

Important note Retpoline is enabled by default on Windows 10, version 1809 devices if Spectre, Variant 2 (CVE-2017-5715) is enabled. Enabling Retpoline on the latest version of Windows 10 may enhance performance on devices running Windows 10, version 1809 for Spectre variant 2, particularly on older processors.

To enable default mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

To disable mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

Note A value of 3 is accurate for FeatureSettingsOverrideMask for both the "enable" and "disable" settings. (See the "FAQ" section for more details about registry keys.)

Manage mitigation for CVE-2017-5715 (Spectre Variant 2)

To disable mitigations for  CVE-2017-5715 (Spectre  Variant 2) :

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

To enable default mitigations for  CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

AMD and ARM processors only: Enable full mitigation for CVE-2017-5715 (Spectre Variant 2)

By default, user-to-kernel protection for CVE-2017-5715 is disabled for AMD and ARM CPUs. Customers must enable the mitigation to receive additional protections for CVE-2017-5715. For more information, see FAQ #15 in ADV180002 for AMD processors and FAQ #20 in ADV180002 for ARM processors.

Enable user-to-kernel protection on AMD and ARM processors together with other protections for CVE 2017-5715:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 64 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

Manage mitigations for CVE-2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2), and CVE-2017-5754 (Meltdown)

To enable mitigations for CVE-2018-3639 (Speculative Store Bypass), default mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

Note: AMD processors are not vulnerable to CVE-2017-5754 (Meltdown). This registry key is used in systems with AMD processors to enable default mitigations for CVE-2017-5715 on AMD processors and the mitigation for CVE-2018-3639.

To disable mitigations for CVE-2018-3639 (Speculative Store Bypass) *and* mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown)

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

AMD processors only: Enable full mitigation for CVE-2017-5715 (Spectre Variant 2) and CVE 2018-3639 (Speculative Store Bypass)

By default, user-to-kernel protection for CVE-2017-5715 is disabled for AMD processors. Customers must enable the mitigation to receive additional protections for CVE-2017-5715.  For more information, see FAQ #15 in ADV180002.

Enable user-to-kernel protection on AMD processors together with other protections for CVE 2017-5715 and protections for CVE-2018-3639 (Speculative Store Bypass):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

Manage Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135) and Microarchitectural Data Sampling (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130) along with Spectre (CVE-2017-5753 & CVE-2017-5715) and Meltdown (CVE-2017-5754) variants, including Speculative Store Bypass Disable (SSBD) (CVE-2018-3639) as well as L1 Terminal Fault (L1TF) (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646)

To enable mitigations for Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135) and Microarchitectural Data Sampling ( CVE-2018-11091 , CVE-2018-12126 , CVE-2018-12127 , CVE-2018-12130 ) along with Spectre (CVE-2017-5753 & CVE-2017-5715) and Meltdown (CVE-2017-5754) variants, including Speculative Store Bypass Disable (SSBD) (CVE-2018-3639) as well as L1 Terminal Fault (L1TF) (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646) without disabling Hyper-Threading:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If the Hyper-V feature is installed, add the following registry setting:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted.

Restart the computer for the changes to take effect.

To enable mitigations for Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135) and Microarchitectural Data Sampling ( CVE-2018-11091 , CVE-2018-12126 , CVE-2018-12127 , CVE-2018-12130 ) along with Spectre (CVE-2017-5753 & CVE-2017-5715) and Meltdown (CVE-2017-5754) variants, including Speculative Store Bypass Disable (SSBD) (CVE-2018-3639) as well as L1 Terminal Fault (L1TF) (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646) with Hyper-Threading disabled:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If the Hyper-V feature is installed, add the following registry setting:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

 

If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they're restarted.

Restart the computer for the changes to take effect.

To disable mitigations for Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135) and  Microarchitectural Data Sampling ( CVE-2018-11091 , CVE-2018-12126 , CVE-2018-12127 , CVE-2018-12130 ) along with Spectre (CVE-2017-5753 & CVE-2017-5715) and Meltdown (CVE-2017-5754) variants, including Speculative Store Bypass Disable (SSBD) (CVE-2018-3639) as well as L1 Terminal Fault (L1TF) (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

Verifying that protections are enabled

To help customers verify that protections are enabled, we have published a PowerShell script that customers can run on their systems. Install and run the script by running the following commands.

PowerShell verification by using the PowerShell Gallery (Windows Server 2016 or WMF 5.0/5.1)

Install the PowerShell Module:

PS> Install-Module SpeculationControl

Run the PowerShell module to verify that protections are enabled:

PS> # Save the current execution policy so it can be reset

PS> $SaveExecutionPolicy = Get-ExecutionPolicy

PS> Set-ExecutionPolicy RemoteSigned -Scope Currentuser

PS> Import-Module SpeculationControl

PS> Get-SpeculationControlSettings

PS> # Reset the execution policy to the original state

PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser

 

PowerShell Verification by using a download from Technet (earlier operating system versions and earlier WMF versions)

Install the PowerShell Module from Technet ScriptCenter:

Go to https://aka.ms/SpeculationControlPS

Download SpeculationControl.zip to a local folder.

Extract the contents to a local folder, for example C:\ADV180002

Run the PowerShell module to verify that protections are enabled:

Start PowerShell, then (by using the previous example) copy and run the following commands:

PS> # Save the current execution policy so it can be reset

PS> $SaveExecutionPolicy = Get-ExecutionPolicy

PS> Set-ExecutionPolicy RemoteSigned -Scope Currentuser

PS> CD C:\ADV180002\SpeculationControl

PS> Import-Module .\SpeculationControl.psd1

PS> Get-SpeculationControlSettings

PS> # Reset the execution policy to the original state

PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser


For a detailed explanation of the output of the PowerShell script, please see Knowledge Base article 4074629.

Frequently asked questions

The microcode is delivered through a firmware update. Customers should check with their CPU (chipset) and device manufacturers on availability of applicable firmware security updates for their specific device, including Intel's Microcode Revision Guidance.

Addressing a hardware vulnerability through a software update presents significant challenges. Also, mitigations for older operating systems require extensive architectural changes. We are working with affected chip manufacturers to determine the best way to provide mitigations, which may be delivered in future updates.

Updates for Microsoft Surface devices will be delivered to customers through Windows Update together with the updates for the Windows operating system. For a list of available Surface device firmware (microcode) updates, see KB 4073065.

If your device is not from Microsoft, apply firmware from the device manufacturer. For more information, contact the OEM device manufacturer.

In February and March 2018, Microsoft released added protection for some x86-based systems. For more information see KB 4073757 and the Microsoft Security Advisory ADV180002.

Updates to Windows 10 for HoloLens are available to HoloLens customers through Windows Update.

After applying the February 2018 Windows Security Update, HoloLens customers do not have to take any additional action to update their device firmware. These mitigations will also be included in all future releases of Windows 10 for HoloLens.

No. Security Only updates are not cumulative. Depending on the operating system version you are running, you will have to install every monthly Security Only updates to be protected against these vulnerabilities. For example, if you are running Windows 7 for 32-bit Systems on an affected Intel CPU you must install all of the Security Only updates. We recommend installing these Security Only updates in the order of release.

Note An earlier version of this FAQ incorrectly stated that the February Security Only update included the security fixes released in January. In fact, it does not.

No. Security update 4078130 was a specific fix to prevent unpredictable system behaviors, performance issues, and/or unexpected reboots after installation of microcode. Applying the February security updates on Windows client operating systems enables all three mitigations.

Intel recently announced they have completed their validations and started to release microcode for newer CPU platforms. Microsoft is making available Intel validated microcode updates around Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection"). KB 4093836 lists specific Knowledge Base articles by Windows version. Each specific KB contains the available Intel microcode updates by CPU.

This issue was resolved in KB 4093118.

AMD recently announced they have started to release microcode for newer CPU platforms around Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection"). For more information refer to the AMD Security Updates and AMD Whitepaper: Architecture Guidelines around Indirect Branch Control. These are available from the OEM firmware channel.

We are making available Intel validated microcode updates around Spectre Variant 2 (CVE-2017-5715 “Branch Target Injection ). To get the latest Intel microcode updates through Windows Update, customers must have installed Intel microcode on devices running a Windows 10 operating system prior to upgrading to the Windows 10 April 2018 Update (version 1803).

The microcode update is also available directly from Catalog if it was not installed on the device prior to upgrading the OS. Intel microcode is available through Windows Update, WSUS, or the Microsoft Update Catalog. For more information and download instructions, see KB 4100347.

For details, see the “Recommended actions” and “FAQ” sections in  ADV180012 | Microsoft Guidance for Speculative Store Bypass.

To verify the status of SSBD, the Get-SpeculationControlSettings PowerShell script was updated to detect affected processors, status of the SSBD operating system updates, and state of the processor microcode if applicable. For more information and to obtain the PowerShell script, see KB 4074629.

On June 13, 2018, an additional vulnerability involving side-channel speculative execution, known as Lazy FP State Restore, was announced and assigned CVE-2018-3665. No configuration (registry) settings are necessary for Lazy Restore FP Restore.

For more information about this vulnerability and for recommended actions, refer to security advisory ADV180016 | Microsoft Guidance for Lazy FP State Restore.

Note No configuration (registry) settings are necessary for Lazy Restore FP Restore.

Bounds Check Bypass Store (BCBS) was disclosed on July 10, 2018 and assigned CVE-2018-3693. We consider BCBS to belong to the same class of vulnerabilities as Bounds Check Bypass (Variant 1). We are not currently aware of any instances of BCBS in our software, but we are continuing to research this vulnerability class and will work with industry partners to release mitigations as required. We continue to encourage researchers to submit any relevant findings to Microsoft’s Speculative Execution Side Channel bounty program, including any exploitable instances of BCBS. Software developers should review the developer guidance that was updated for BCBS at https://aka.ms/sescdevguide.

On August 14, 2018,  L1 Terminal Fault (L1TF) was announced and assigned multiple CVEs. These new speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and, if exploited, can lead to information disclosure. An attacker could trigger the vulnerabilities through multiple vectors, depending on the configured environment. L1TF affects Intel® Core® processors and Intel® Xeon® processors.

For more information about this vulnerability and a detailed view of affected scenarios, including Microsoft's approach to mitigating L1TF,  see the following resources:

Customers using 64-bit ARM processors should check with the device OEM for firmware support because ARM64 operating system protections that mitigate CVE-2017-5715 - Branch target injection (Spectre, Variant 2) require the latest firmware update from device OEMs to take effect.

For Azure guidance, please refer to this article: Guidance for mitigating speculative execution side-channel vulnerabilities in Azure.  

For more information about Retpoline enablement, refer to our blog post: Mitigating Spectre variant 2 with Retpoline on Windows

For details about this vulnerability, see the Microsoft Security Guide: CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability.

We’re not aware of any instance of this information disclosure vulnerability affecting our cloud service infrastructure.

As soon as we became aware of this issue, we worked quickly to address it and release an update. We strongly believe in close partnerships with both researchers and industry partners to make customers more secure, and did not publish details until Tuesday, August 6, consistent with coordinated vulnerability disclosure practices.

 

Tarvitsetko lisäohjeita?

Kehitä taitojasi
Tutustu koulutusmateriaaliin
Saat uudet ominaisuudet ensimmäisten joukossa
Liity Microsoft Insider-käyttäjille

Oliko näistä tiedoista hyötyä?

Kiitos palautteestasi.

Kiitos palautteestasi! Näyttää siltä, että Office-tukiedustajamme avusta voi olla sinulle hyötyä.

×