This article will be updated as additional information becomes available. Please check back here regularly for updates and new FAQ.
Microsoft is aware of a new publicly disclosed class of vulnerabilities that are referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems, including chipsets from Intel, AMD, and ARM.
Note This issue also affects other systems, such as Android, Chrome, iOS, and Mac OS. Therefore, we advise customers to seek guidance from those vendors.
Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See the following sections for more information.
Microsoft has not yet received any information to indicate that these vulnerabilities have been used to attack customers. Microsoft continues working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers. To get all available protections, hardware or firmware updates and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software.
This advisory addresses the following vulnerabilities:
- CVE-2017-5715 (branch target injection)
- CVE-2017-5753 (bounds check bypass)
- CVE-2017-5754 (rogue data cache load)
To learn more about this class of vulnerabilities, see ADV180002.
The following sections will help you identify, mitigate, and remedy Windows Server environments that are affected by the vulnerabilities that are identified in Microsoft Security Advisory ADV180002. The advisory also explains how to enable the update for your systems.
To address these issues, Microsoft is working together with the hardware industry to develop mitigations and guidance.
Customers should take the following actions to help protect against the vulnerabilities:
- Apply all available Windows operating system updates, including the monthly Windows security updates. For details about how to enable this update, see Microsoft Knowledge Base article 4072699.
- Make necessary configuration changes to enable protection.
- Apply an applicable firmware update from the OEM device manufacturer.
Important Customers who install only the Windows security updates will not receive the benefit of all known protections.
Windows Server-based machines (physical or virtual) should install the January and February 2018 Windows security updates available from Windows Update. The following updates are available:
Operating system version
Update KB (x64)
Windows Server, version 1709 (Server Core Installation)
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Windows Server 2008 R2
Windows Server 2008 SP2
In addition to installing the latest Windows security updates, a processor microcode update is required. This should be available through your OEM.
Disable mitigation against Spectre Variant 2
While Intel tests, updates, and deploys new microcode, we are offering a new option for advanced users on affected devices to manually disable and re-enable the mitigation against Spectre Variant 2 (CVE-2017-5715) through registry setting changes.
If you have installed the microcode but want to disable the CVE-2017-5715 (branch target injection) mitigation because of unexpected reboots or system stability issues, use the following instructions.
To disable Variant 2 (CVE-2017-5715, "Branch Target Injection"): set FeatureSettingsOverride to 1 and FeatureSettingsOverrideMask to 3 (see Q8 in the FAQ for the meaning of these values).
To enable Variant 2 (CVE-2017-5715, "Branch Target Injection"): set FeatureSettingsOverride to 0 and FeatureSettingsOverrideMask to 3.
Note Disabling or enabling the Variant 2 mitigation through registry setting changes requires administrative rights and a restart.
Enabling protections on the server
Customers have to enable mitigations to receive all available protections against speculative execution side-channel vulnerabilities.
Enabling these mitigations may affect performance. The actual performance impact will depend on multiple factors, such as the specific chipset in your physical host and the workloads that are running. Microsoft recommends that customers assess the performance impact for their environment and make necessary adjustments.
Your server is at increased risk if it is in one of the following categories:
- Hyper-V hosts: require protection against VM-to-VM and VM-to-host attacks.
- Remote Desktop Services Hosts (RDSH): require protection against session-to-session and session-to-host attacks.
- Physical hosts or virtual machines that run untrusted code, such as containers, untrusted database extensions, untrusted web content, or workloads that execute code supplied from external sources: require protection against untrusted-process-to-process and untrusted-process-to-kernel attacks.
Use the following registry keys to enable the mitigations on the server and make sure that the system is restarted for the changes to take effect.
Switch | Registry Settings
To enable the fix
If this is a Hyper-V host and the firmware updates have been applied, fully shut down all virtual machines. (The firmware-related mitigation for VMs takes effect only if the firmware update is applied on the host before the VM starts.)
Restart the server for changes to take effect.
To disable this fix
Restart the server for the changes to take effect.
(There is no need to change MinVmVersionForCpuBasedMitigations.)
Note Setting FeatureSettingsOverrideMask to 3 is correct for both the "enable" and "disable" settings. (See the "FAQ" section for more details about the registry keys.)
Note For Hyper-V hosts, live migration between updated and non-updated hosts may fail. For more information, see https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms.
Note For Windows Server 2016 Hyper-V, there is an alternative protection mechanism that you can use on hosts that do not yet have updated firmware available. For more information, see Alternative protections for Windows Server 2016 Hyper-V Hosts against the speculative execution side-channel vulnerabilities.
Verifying that protections are enabled
To help customers verify that protections have been enabled, Microsoft has published a PowerShell script that customers can run on their systems. Install and run the script by running the following commands.
PowerShell Verification using the PowerShell Gallery (Windows Server 2016 or WMF 5.0/5.1)
Install the PowerShell Module
Run the PowerShell module to validate the protections are enabled
PowerShell Verification using a download from TechNet (Earlier OS versions/Earlier WMF versions)
Install the PowerShell Module from TechNet ScriptCenter.
Download SpeculationControl.zip to a local folder.
Extract the contents to a local folder, for example C:\ADV180002
Run the PowerShell module to validate the protections are enabled
Start PowerShell, then (using the example above), copy and run the following commands:
The output of this PowerShell script will resemble the following. Enabled protections appear in the output as “True.”
PS C:\> Get-SpeculationControlSettings
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID optimization is enabled: True
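The script output above is meant to be read by a person. The following added example (it is not Microsoft's SpeculationControl module and not code from this article) wraps the module so the same checks can run unattended across a fleet: it installs the module from the PowerShell Gallery if it is missing, runs Get-SpeculationControlSettings, and reduces the result to a single Protected verdict and a non-zero exit code. The property names read from the returned object (BTIHardwarePresent, KVAShadowRequired, and so on) are assumed to match the module version in use; check them against your installed version.

```powershell
# Added example, not Microsoft's script. Assumes the SpeculationControl module's returned
# object exposes the BTI* and KVAShadow* properties used below (module version dependent).
$ErrorActionPreference = 'Stop'

function Install-SpeculationControlIfMissing {
    # Windows Server 2016 / WMF 5.x path from the article; on older hosts import the
    # module from the extracted TechNet zip instead of calling Install-Module.
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
}

function Test-SpeculationProtection {
    # Turns the module's settings object into one Boolean per requirement plus an overall verdict.
    param([Parameter(Mandatory)] $Settings)

    # CVE-2017-5715: needs OEM microcode (hardware support), the Windows update (OS support),
    # and, on Windows Server, the registry keys that actually enable it.
    $btiOk = ($Settings.BTIHardwarePresent -and
              $Settings.BTIWindowsSupportPresent -and
              $Settings.BTIWindowsSupportEnabled)

    # CVE-2017-5754: kernel VA shadowing only matters on CPUs that require it;
    # "not required" is treated as protected rather than as a failure.
    $kvaOk = ((-not $Settings.KVAShadowRequired) -or
              ($Settings.KVAShadowWindowsSupportPresent -and
               $Settings.KVAShadowWindowsSupportEnabled))

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        BTIMicrocodePresent = [bool]$Settings.BTIHardwarePresent       # False => OEM firmware not applied
        BTIOsSupportPresent = [bool]$Settings.BTIWindowsSupportPresent # False => Windows update not installed
        BTIEnabled          = [bool]$Settings.BTIWindowsSupportEnabled # False on Server until registry keys are set
        KVAShadowRequired   = [bool]$Settings.KVAShadowRequired
        KVAShadowEnabled    = [bool]$Settings.KVAShadowWindowsSupportEnabled
        Protected           = [bool]($btiOk -and $kvaOk)
    }
}

Install-SpeculationControlIfMissing
$result = Test-SpeculationProtection -Settings (Get-SpeculationControlSettings)
$result | Format-List

# A non-zero exit code lets a scheduler or configuration-management run flag unprotected hosts.
if (-not $result.Protected) { exit 1 }
```

Run it under the same execution policy you would use for the module itself. A host that reports BTIMicrocodePresent as False but BTIOsSupportPresent as True has the Windows update but not the OEM firmware, which is the "security updates only" gap the Important note earlier in this article warns about.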
Frequently asked questions
Q1: I wasn't offered the Windows security updates that were released in January and February. What should I do?
A1: To help avoid adversely affecting customer devices, the Windows security updates released in January and February 2018 have not been offered to all customers. For details, see Microsoft Knowledge Base Article 4072699.
Q2: How can I tell whether I have the correct version of the CPU microcode?
A2: The microcode is delivered through a firmware update. Consult with your OEM about the firmware version that has the appropriate update for your CPU.
Q3: What is the performance impact for the mitigations?
A3: There are multiple variables that affect the performance of these mitigations, ranging from the CPU version to the running workloads. In some systems, the performance impact will be negligible, and in others it will be considerable.
Microsoft recommends that customers assess the performance impact for their systems and make adjustments if necessary.
Q4: I am running Windows Server in a third-party hosted environment or cloud. What should I do?
A4: In addition to the guidance above to address virtual machines, you have to contact your service provider to make sure that the hosts that are running your virtual machines are adequately protected.
For Windows Server virtual machines that are running in Azure, see the Azure documentation page for this issue. For using Azure Update Management to mitigate this issue on guest VMs, see the related article.
Q5: Are there any Windows Server container-specific guidelines?
A5: The updates released for Windows Server container images for Windows Server 2016 and Windows 10 Version 1709 include the mitigations for this set of vulnerabilities, and no additional configuration is required.
Note You still have to make sure that the host on which these containers are running is configured by using the appropriate mitigations.
Q6: Do the software and hardware updates have to be installed in a particular order?
A6: No, the installation order doesn't matter.
Q7: Do I have to restart after the microcode but before the OS update?
A7: Yes, you will have to restart each time: once after the microcode update, and again after the OS update.
Q8: Can you provide more details on the registry keys?
A8: Here are the details for the registry keys:
FeatureSettingsOverride represents a bitmap that overrides the default setting and controls which mitigations will be disabled. Bit 0 controls the mitigation for CVE-2017-5715 and Bit 1 controls the mitigation for CVE-2017-5754. A bit set to 0 enables the corresponding mitigation; a bit set to 1 disables it.
FeatureSettingsOverrideMask represents a bitmap mask that is used together with FeatureSettingsOverride. In this case we use the value 3 (binary 11), which selects the first two bits, that is, the two available mitigations. This registry value is set to 3 both when enabling and when disabling the mitigations.
MinVmVersionForCpuBasedMitigations is for Hyper-V hosts. This registry key defines the minimum VM version that will be able to use the updated firmware capabilities (CVE-2017-5715). We set this to 1.0 to cover all VM versions. Note that this registry value will be ignored (benign) on non-Hyper-V hosts. For more details, see https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms.
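The following added example (not code from this article) turns the Q8 description, the "Enabling protections on the server" table, and the "Disable mitigation against Spectre Variant 2" instructions into one script: it builds the FeatureSettingsOverride bitmap from which mitigations you want disabled, always writes FeatureSettingsOverrideMask as 3, and optionally writes MinVmVersionForCpuBasedMitigations for Hyper-V hosts. The registry paths are Microsoft's documented locations for these values (the article itself does not spell them out); the function and parameter names are this example's own. It writes to HKLM, so it needs administrative rights, and the values are read at boot, so a restart is still required.

```powershell
# Added example, not Microsoft's code. Registry paths are the documented locations for
# FeatureSettingsOverride/FeatureSettingsOverrideMask and MinVmVersionForCpuBasedMitigations;
# function and parameter names are this example's own.
#Requires -RunAsAdministrator

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$HyperVKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

# Bit positions from Q8: bit 0 = CVE-2017-5715 (branch target injection),
# bit 1 = CVE-2017-5754 (rogue data cache load / kernel VA shadow).
$BitBranchTargetInjection = 1   # binary 01
$BitRogueDataCacheLoad    = 2   # binary 10
$MaskBothMitigations      = $BitBranchTargetInjection -bor $BitRogueDataCacheLoad   # 3, binary 11

function Get-FeatureSettingsOverrideValue {
    # A set bit DISABLES that mitigation; 0 enables every mitigation covered by the mask.
    param(
        [switch]$DisableBranchTargetInjection,
        [switch]$DisableRogueDataCacheLoad
    )
    $value = 0
    if ($DisableBranchTargetInjection) { $value = $value -bor $BitBranchTargetInjection }
    if ($DisableRogueDataCacheLoad)    { $value = $value -bor $BitRogueDataCacheLoad }
    return $value
}

function Set-SpeculationMitigationPolicy {
    param(
        [switch]$DisableBranchTargetInjection,   # e.g. while an unstable microcode revision is installed
        [switch]$DisableRogueDataCacheLoad,
        [switch]$HyperVHost                      # also write MinVmVersionForCpuBasedMitigations
    )
    $override = Get-FeatureSettingsOverrideValue `
        -DisableBranchTargetInjection:$DisableBranchTargetInjection `
        -DisableRogueDataCacheLoad:$DisableRogueDataCacheLoad

    if (-not (Test-Path $MemMgmtKey)) { New-Item -Path $MemMgmtKey -Force | Out-Null }
    # The mask is always 3: both bits are under management whether enabling or disabling (Q8).
    New-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverride `
        -PropertyType DWord -Value $override -Force | Out-Null
    New-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverrideMask `
        -PropertyType DWord -Value $MaskBothMitigations -Force | Out-Null

    if ($HyperVHost) {
        if (-not (Test-Path $HyperVKey)) { New-Item -Path $HyperVKey -Force | Out-Null }
        # REG_SZ "1.0" so every VM version may use the firmware-based CVE-2017-5715 mitigation (Q8).
        New-ItemProperty -Path $HyperVKey -Name MinVmVersionForCpuBasedMitigations `
            -PropertyType String -Value '1.0' -Force | Out-Null
    }

    [pscustomobject]@{
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $MaskBothMitigations
        RestartRequired             = $true   # the kernel reads these values at boot
    }
}

# Enable all mitigations on a Hyper-V host (Override = 0, Mask = 3, MinVmVersion = "1.0").
Set-SpeculationMitigationPolicy -HyperVHost

# To temporarily disable only the Variant 2 mitigation after unstable microcode (Override = 1, Mask = 3):
#   Set-SpeculationMitigationPolicy -DisableBranchTargetInjection

# Read back what is actually stored before restarting.
Get-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverride, FeatureSettingsOverrideMask |
    Select-Object FeatureSettingsOverride, FeatureSettingsOverrideMask
```

Because only the bits selected by the mask are honoured, passing neither Disable switch yields Override = 0 with Mask = 3, which is the "enable" row of the table; passing -DisableBranchTargetInjection yields Override = 1, which matches the Variant 2 disable instructions and leaves the CVE-2017-5754 mitigation on. Re-run Get-SpeculationControlSettings after the restart to confirm the change took effect.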
Q9: Can I set the registry keys before installing the update and then install the update and restart for the changes to take effect?
A9: Yes, there is no side-effect if these registry settings are applied prior to installing January 2018 related fixes.
Q10: Can you provide more details on the output of the PowerShell verification script?
A10: A detailed description of the script output can be found in Understanding the output of the Get-SpeculationControlSettings PowerShell script.
Q11: If the firmware update is not yet available from my OEM, is there still a way to protect my Hyper-V host?
A11: Yes, for Windows Server 2016 Hyper-V hosts that do not yet have the firmware update available to them, we have published alternative guidance that can help mitigate the VM to VM or VM to host attacks. Please see the guidance here: Alternative protections for Windows Server 2016 Hyper-V Hosts against the speculative execution side-channel vulnerabilities
Q12: I have not installed any of the 2018 Security Only updates. If I install the latest 2018 Security Only update, am I protected from the vulnerabilities described?
A12: No. Security Only updates are not cumulative. Depending on the operating system version you are running, you will need to install every Security Only update starting with January 2018 to be protected against these vulnerabilities. For example, if you are running Windows 7 for 32-bit Systems on an affected Intel CPU you need to install every 2018 Security Only update. We recommend installing these Security Only updates in the order of release.
Note: An earlier version of this FAQ incorrectly stated that the February Security Only update included the security fixes released in January.
Q13: If I apply any of the applicable security updates, will they disable the protections for CVE-2017-5715 like security update 4078130 did?
A13: No. Security update 4078130 was a specific fix to prevent unpredictable system behaviors, performance issues, and/or unexpected reboots after installation of microcode. Applying the security updates on Windows client operating systems enables all three mitigations. On Windows server operating systems, you still need to enable the mitigations after proper testing is performed. See Microsoft Knowledge Base Article 4072698 for more information.
Q14: Known Issue: Some users may experience network connectivity issues or lose IP address settings after installing the March 13, 2018 Security Update (KB 4088875).
A14: For more information, see the Known Issues section in the Knowledge Base article 4088878.
Q15: Intel has identified reboot issues with microcode on some older processors. What should I do?
A15: Mar 13, 2018: Intel recently announced that it has completed its validations and started to release microcode for newer CPU platforms. Microsoft is making available Intel-validated microcode updates for Spectre Variant 2 (CVE-2017-5715, "Branch Target Injection"). KB4093836 lists specific Knowledge Base articles by Windows version. Each specific KB contains the available Intel microcode updates by CPU.
Jan 11, 2018: Intel has reported issues with recently released microcode meant to address Spectre Variant 2 (CVE-2017-5715, Branch Target Injection). Specifically, Intel noted that this microcode can cause "higher than expected reboots and other unpredictable system behavior" and that situations like this may result in "data loss or corruption." Our own experience is that system instability can in some circumstances cause data loss or corruption. On January 22, Intel recommended that customers stop deploying the current microcode version on impacted processors while it performs additional testing on the updated solution. We understand that Intel is continuing to investigate the potential impact of the current microcode version, and we encourage customers to review Intel's guidance on an ongoing basis to inform their decisions.
While Intel tests, updates, and deploys new microcode, we are making available an out-of-band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715, "Branch target injection vulnerability." In our testing, this update has been found to prevent the behavior described. For the full list of devices, see Intel's microcode revision guidance. This update covers Windows 7 (SP1), Windows 8.1, and all versions of Windows 10, for client and server. If you are running an impacted device, you can apply this update by downloading it from the Microsoft Update Catalog website.
As of this time, there are no known reports to indicate that Spectre Variant 2 (CVE-2017-5715) has been used to attack customers. We recommend that Windows customers, when appropriate, re-enable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for their device.