
Protect your Windows devices against speculative execution side-channel attacks



Summary


This article provides information and updates for a new class of attacks known as “speculative execution side-channel attacks.”  It also provides a comprehensive list of Windows client and server resources to help keep your devices protected at home, at work, and across your enterprise.

On January 3, 2018, Microsoft released an advisory and security updates related to a newly discovered class of hardware vulnerabilities (known as Spectre and Meltdown) involving speculative execution side channels that affect AMD, ARM, and Intel processors to varying degrees. This class of vulnerabilities is based on a common chip architecture that was originally designed to speed up computers. You can learn more about these vulnerabilities at Google Project Zero.

On May 21, 2018, Google Project Zero (GPZ), Microsoft, and Intel disclosed two new chip vulnerabilities that are related to the Spectre and Meltdown issues and are known as Speculative Store Bypass (SSB) and Rogue System Register Read. The customer risk from both disclosures is low.

For more information about these vulnerabilities, see the resources that are listed under May 2018 Windows operating system updates, and refer to the following Security Advisories:

On June 13, 2018, an additional vulnerability involving side-channel speculative execution, known as Lazy FP State Restore, was announced and assigned CVE-2018-3665. For more information about this vulnerability and recommended actions, see the following Security Advisory:

On August 14, 2018, L1 Terminal Fault (L1TF), a new speculative execution side-channel vulnerability that has multiple CVEs, was announced. L1TF affects Intel® Core® processors and Intel® Xeon® processors. For more information about L1TF and recommended actions, see our Security Advisory:

Note: We recommend that you install all of the latest updates from Windows Update before you install any microcode updates.

On May 14, 2019, Intel published information about a new subclass of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling. They have been assigned the following CVEs:

Important: These issues will affect other systems such as Android, Chrome, iOS, and macOS. We advise customers to seek guidance from their respective vendors.

Microsoft has released updates to help mitigate these vulnerabilities. To get all available protections, firmware (microcode) and software updates are required. This may include microcode from device OEMs. In some cases, installing these updates will have a performance impact. We have also acted to secure our cloud services.

Note: We recommend that you install all of the latest updates from Windows Update before you install microcode updates.

For more information about these issues and recommended actions, see the following Security Advisory:

ADV 190013 | Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities

On August 6, 2019, Intel released details about a Windows kernel information disclosure vulnerability. This vulnerability is a variant of the Spectre Variant 1 speculative execution side-channel vulnerability and has been assigned CVE-2019-1125.

Microsoft released a security update for the Windows operating system on July 9, 2019 to help mitigate this issue. Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically. Note that this vulnerability does not require a microcode update from your device manufacturer (OEM).

For more information about this vulnerability and applicable updates, see CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability in the Microsoft Security Update Guide.



Steps to help protect your Windows devices

What steps should I take to help protect my devices?

You may have to update both your firmware (microcode) and your software to address these vulnerabilities. Please refer to the Microsoft Security Advisories for recommended actions. This includes applicable firmware (microcode) updates from device manufacturers and, in some cases, updates to your antivirus software. We encourage you to keep your devices up-to-date by installing the monthly security updates. 

To receive all available protections, follow these steps to get the latest updates for both software and hardware.

  1. Keep your Windows device up-to-date by turning on automatic updates.
  2. Check that you’ve installed the latest Windows operating system security update from Microsoft. If automatic updates are turned on, the updates should be automatically delivered to you. However, you should still verify that they’re installed. For instructions, see Windows Update: FAQ.
  3. Install available firmware (microcode) updates from your device manufacturer. All customers will have to check with their device manufacturer to download and install their device-specific hardware update. See the "Additional resources" section for a list of device manufacturer websites.
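
One way to verify steps 2 and 3 on a device, as an added example that is not part of the Microsoft article: the script below flags a device whose newest installed update predates July 9, 2019 (the latest OS update date this article gives) and then reads per-mitigation status from Get-SpeculationControlSettings. The function name Test-SpeculationMitigation is hypothetical, and the property names are assumed to match the output of the SpeculationControl PowerShell module; any that are missing are reported as UNKNOWN.

```powershell
# Added example, not Microsoft's code. Run in an elevated PowerShell session.
# Assumption: the SpeculationControl module (source of Get-SpeculationControlSettings)
# is installed; without it only the OS update check runs.

function Test-SpeculationMitigation {
    [CmdletBinding()]
    param(
        # Release date of the newest OS update this article names (the CVE-2019-1125 fix).
        [datetime]$BaselineDate = [datetime]'2019-07-09'
    )

    $report = New-Object System.Collections.Generic.List[object]
    $addRow = {
        param($check, $status, $detail)
        $report.Add([pscustomobject]@{ Check = $check; Status = $status; Detail = $detail })
    }

    # Step 2. An update cannot be installed before it is released, so a newest
    # install date older than the baseline proves the baseline update is missing.
    # A newer date is necessary but not sufficient; confirm in update history.
    $newest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object -Property InstalledOn |
        Select-Object -Last 1
    $baseline = $BaselineDate.ToString('yyyy-MM-dd')
    if ($newest -and ($newest.InstalledOn -ge $BaselineDate)) {
        $when = $newest.InstalledOn.ToString('yyyy-MM-dd')
        & $addRow 'Windows security updates' 'OK' "newest: $($newest.HotFixID), installed $when"
    } else {
        & $addRow 'Windows security updates' 'ACTION' "nothing installed on or after $baseline"
    }

    # Steps 2 and 3, per mitigation: what the OS and the firmware actually report.
    if (-not (Get-Command -Name Get-SpeculationControlSettings -ErrorAction SilentlyContinue)) {
        & $addRow 'Get-SpeculationControlSettings' 'SKIPPED' 'SpeculationControl module not installed'
        return $report
    }
    # The cmdlet prints a readable summary to the host and also returns an object.
    $s = Get-SpeculationControlSettings

    # Needed  = property saying whether this hardware needs the mitigation (if any).
    # Enabled = property saying whether the mitigation is present or active.
    # Property names are assumed from the module's output object.
    $checks = @(
        @{ Name = 'Spectre Variant 2 (CVE-2017-5715): firmware support'
           Needed = $null; Enabled = 'BTIHardwarePresent' },
        @{ Name = 'Spectre Variant 2 (CVE-2017-5715): OS mitigation'
           Needed = $null; Enabled = 'BTIWindowsSupportEnabled' },
        @{ Name = 'Meltdown: KVA Shadow'
           Needed = 'KVAShadowRequired'; Enabled = 'KVAShadowWindowsSupportEnabled' },
        @{ Name = 'Speculative Store Bypass (CVE-2018-3639)'
           Needed = 'SSBDHardwareVulnerable'; Enabled = 'SSBDWindowsSupportEnabledSystemWide' },
        @{ Name = 'L1 Terminal Fault'
           Needed = 'L1TFHardwareVulnerable'; Enabled = 'L1TFWindowsSupportEnabled' },
        @{ Name = 'Microarchitectural Data Sampling'
           Needed = 'MDSHardwareVulnerable'; Enabled = 'MDSWindowsSupportEnabled' }
    )

    foreach ($c in $checks) {
        $enabled = $s.PSObject.Properties[$c.Enabled]
        if ($null -eq $enabled) {
            # Older module versions or older OS builds do not report every property.
            & $addRow $c.Name 'UNKNOWN' "property $($c.Enabled) not reported"
        } elseif ($c.Needed -and ($s.($c.Needed) -eq $false)) {
            & $addRow $c.Name 'N/A' 'hardware reported as not affected'
        } elseif ($enabled.Value) {
            & $addRow $c.Name 'OK' "$($c.Enabled) = True"
        } else {
            # ACTION can be expected where the article says a mitigation is off by
            # default (Windows Server editions, SSBD) until registry settings are applied.
            & $addRow $c.Name 'ACTION' "$($c.Enabled) = False"
        }
    }
    return $report
}

Test-SpeculationMitigation | Format-Table -AutoSize -Wrap
```
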

Who is affected?

Affected chips include those that are manufactured by Intel, AMD, and ARM. This means that all devices that are running Windows operating systems are potentially vulnerable. This includes desktops, laptops, cloud servers, and smartphones. Devices that are running other operating systems, such as Android, Chrome, iOS, and macOS, are also affected. We advise customers who are running these operating systems to seek guidance from those vendors.

At the time of publication, we had not received any information to indicate that these vulnerabilities have been used to attack customers.

Protections we’ve provided to date

Starting in January 2018, Microsoft released updates for Windows operating systems and the Internet Explorer and Edge web browsers to help mitigate these vulnerabilities and help to protect customers. We also released updates to secure our cloud services.  We continue working closely with industry partners, including chip makers, hardware OEMs, and app vendors, to protect customers against this class of vulnerability. 

We encourage you to always install the monthly updates to keep your devices up-to-date and secure. 

We will update this documentation when new mitigations become available, and we recommend you check back here regularly. 



July 2019 Windows operating system updates

Windows Kernel Information Disclosure Vulnerability (CVE-2019-1125)

On August 6, 2019, Intel disclosed details for security vulnerability CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability. Security updates for this vulnerability were released as part of the July monthly update release on July 9, 2019.

Microsoft released a security update for the Windows operating system on July 9, 2019 to help mitigate this issue. We held back documenting this mitigation publicly until the coordinated industry disclosure on Tuesday, August 6, 2019.

Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically. Note that this vulnerability does not require a microcode update from your device manufacturer (OEM).

 



May 2019 Windows operating system updates

New speculative execution side-channel vulnerability disclosure (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130) 

On May 14, 2019, Intel published information about a new subclass of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling, which were assigned the following CVEs:

For more information about this issue, see the following Security Advisory and use scenario-based guidance outlined in the Windows guidance for Clients and Server articles to determine actions necessary to mitigate the threat:

Windows 64-bit OS protections to mitigate Microarchitectural Data Sampling (CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2018-11091)

Microsoft has released protections against a new subclass of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling for 64-Bit (x64) versions of Windows (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130).

Use the registry settings as described in the Windows Client (KB4073119) and Windows Server (KB4457951) articles. These registry settings are enabled by default for Windows Client OS editions and Windows Server OS editions.

We recommend that you install all of the latest updates from Windows Update first, before you install any microcode updates.

For more information about this issue and recommended actions, see the following Security Advisory: 

Intel microcode updates to mitigate Microarchitectural Data Sampling (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130)

Intel has released a microcode update for recent CPU platforms to help mitigate CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130. The May 14, 2019 Windows KB 4093836 lists specific Knowledge Base articles by Windows OS version.  The article also contains links to the available Intel microcode updates by CPU. These updates are available via the Microsoft Catalog.

Note: We recommend that you install all of the latest updates from Windows Update before you install any microcode updates.

Retpoline mitigations for Spectre, variant 2 enabled by default on Windows 10, version 1809 devices.

We’re happy to announce that Retpoline is enabled by default on Windows 10, version 1809 devices (for client and server) if mitigations for Spectre Variant 2 (CVE-2017-5715) are enabled. By enabling Retpoline on the latest version of Windows 10, via the May 14, 2019 update (KB 4494441), we anticipate enhanced performance, particularly on older processors.

Customers should ensure previous OS protections against the Spectre Variant 2 vulnerability are enabled using the registry settings described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions but disabled by default for Windows Server OS editions). For more information about “Retpoline”, see Mitigating Spectre variant 2 with Retpoline on Windows.

 



November 2018 Windows operating system updates

Windows OS protections for Speculative Store Bypass for AMD processors

Microsoft has released operating system protections for Speculative Store Bypass (CVE-2018-3639) for AMD processors (CPUs).

Windows OS protections for Speculative Store Bypass for ARM64 devices

Microsoft has released additional operating system protections for customers using 64-bit ARM processors. Please check with your device OEM manufacturer for firmware support because ARM64 operating system protections that mitigate CVE-2018-3639, Speculative Store Bypass, require the latest firmware update from your device OEM.



September 2018 Windows operating system updates

Additional protections against L1 Terminal Fault for Windows Server 2008 SP2

On September 11, 2018, Microsoft released Windows Server 2008 SP2 Monthly Rollup 4458010 and Security Only 4457984 for Windows Server 2008 that provide protections against a new speculative execution side-channel vulnerability known as L1 Terminal Fault (L1TF) affecting Intel® Core® processors and Intel® Xeon® processors (CVE-2018-3620 and CVE-2018-3646). 

This release completes the additional protections on all supported Windows system versions through Windows Update. For more information and a list of affected products, please see ADV180018 | Microsoft Guidance to mitigate L1TF variant.

Note: Windows Server 2008 SP2 now follows the standard Windows servicing rollup model. For more information about these changes, please see our blog Windows Server 2008 SP2 servicing changes. Customers running Windows Server 2008 should install either 4458010 or 4457984 in addition to Security Update 4341832, which was released on August 14, 2018. Customers should also ensure previous OS protections against Spectre Variant 2 and Meltdown vulnerabilities are enabled using the registry settings outlined in the Windows Client and Windows Server guidance KB articles. These registry settings are enabled by default for Windows Client OS editions but are disabled by default for Windows Server OS editions.

Windows OS protections around Spectre Variant 2 for ARM64 devices

Microsoft has released additional operating system protections for customers using 64-bit ARM processors. Please check with your device OEM manufacturer for firmware support because ARM64 operating system protections that mitigate CVE-2017-5715 - Branch target injection (Spectre, Variant 2) require the latest firmware update from your device OEMs to take effect.



August 2018 Windows operating system updates

New speculative execution side-channel vulnerability disclosure (L1 Terminal Fault - CVE-2018-3615 - CVE-2018-3620 - CVE-2018-3640)

On August 14, 2018, L1 Terminal Fault (L1TF) was announced and assigned multiple CVEs. These new speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and, if exploited, can lead to information disclosure. There are multiple vectors by which an attacker could trigger the vulnerabilities depending on the configured environment. L1TF affects Intel® Core® processors and Intel® Xeon® processors.

For more information about L1TF and a detailed view of affected scenarios, including Microsoft’s approach to mitigating L1TF, please see the following resources:



July 2018 Windows operating system updates

We are pleased to announce that Microsoft has completed releasing additional protections on all supported Windows system versions through Windows Update for the following vulnerabilities:

  • Spectre Variant 2 for AMD processors
  • Speculative Store Bypass for Intel processors

New side-channel speculative execution vulnerability disclosure (Lazy FP State Restore - CVE-2018-3665)

On June 13, 2018, an additional vulnerability involving side-channel speculative execution, known as Lazy FP State Restore, was announced and assigned CVE-2018-3665. There are no configuration (registry) settings needed for Lazy FP State Restore.

For more information about this vulnerability, affected products, and recommended actions, see the following Security Advisory:

Intel microcode updates

Intel recently announced that they have completed their validations and started to release microcode for recent CPU platforms related to Spectre Variant 2 (CVE-2017-5715 “Branch Target Injection”). KB4093836 lists specific Knowledge Base articles by Windows version. The article contains links to the available Intel microcode updates by CPU.



June 2018 Windows operating system updates

Announcing Windows support for Speculative Store Bypass Disable (SSBD) in Intel processors

On June 12, Microsoft announced Windows support for Speculative Store Bypass Disable (SSBD) in Intel processors. The updates require corresponding firmware (microcode) and registry updates for functionality. For information about the updates and the steps to apply to turn on SSBD, see the "Recommended actions" section in ADV180012 | Microsoft Guidance for Speculative Store Bypass.



May 2018 Windows operating system updates

New speculative execution side-channel vulnerability disclosure (Speculative Store Bypass - CVE-2018-3639 and Rogue System Register Read - CVE-2018-3640)

In January 2018, Microsoft released information about a newly discovered class of hardware vulnerabilities (known as Spectre and Meltdown) that involve speculative execution side channels that affect AMD, ARM, and Intel CPUs to varying degrees. On May 21, 2018, Google Project Zero (GPZ), Microsoft, and Intel disclosed two new chip vulnerabilities that are related to the Spectre and Meltdown issues and are known as Speculative Store Bypass (SSB) and Rogue System Register Read.

The customer risk from both disclosures is low.

For more information about these vulnerabilities, see the following resources:

Enable use of Indirect Branch Prediction Barrier (IBPB) for Spectre Variant 2 for AMD processors (CPUs) 

Applies to: Windows 10, version 1607, Windows Server 2016, Windows Server 2016 (Server Core installation), and Windows Server, version 1709 (Server Core installation)

We have provided support to control usage of Indirect Branch Prediction Barrier (IBPB) within some AMD processors (CPUs) for mitigating CVE-2017-5715, Spectre Variant 2 when you switch from user context to kernel context. (For more information, see AMD Architecture Guidelines around Indirect Branch Control and AMD Security Updates).

Customers who are running Windows 10, version 1607,  Windows Server 2016, Windows Server 2016 (Server Core installation), and Windows Server, version 1709 (Server Core installation) must install security update 4103723 for additional mitigations for AMD processors for CVE-2017-5715, Branch Target Injection. This update is also available through Windows Update.

Follow the instructions that are outlined in KB 4073119 for Windows Client (IT Pro) guidance and KB 4072698 for Windows Server guidance to enable usage of IBPB within some AMD processors (CPUs) for mitigating Spectre Variant 2 when you switch from user context to kernel context.

Intel microcode updates for Windows 10, version 1803 and Windows Server, version 1803

Microsoft is making available Intel validated microcode updates around Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection"). To get the latest Intel microcode updates through Windows Update, customers must have installed Intel microcode on devices running a Windows 10 operating system prior to upgrading to the Windows 10 April 2018 Update (version 1803).

The microcode update is also available directly from Catalog if it was not installed on the device prior to upgrading the OS. Intel microcode is available through Windows Update, WSUS, or the Microsoft Update Catalog. For more information and download instructions, see KB 4100347.

We will offer additional microcode updates from Intel for the Windows operating system as they become available to Microsoft.

Intel microcode updates

Microsoft is making available Intel validated microcode updates around Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection"). KB 4093836 lists specific Knowledge Base articles by Windows version. Each specific KB contains the latest available Intel microcode updates by CPU.

We will offer additional microcode updates from Intel for the Windows operating system as they become available to Microsoft.



April 2018 Windows operating system updates

Enable usage of Indirect Branch Prediction Barrier (IBPB) for Spectre Variant 2 for AMD processors (CPUs)

Applies to: Windows 10, version 1709

We have provided support to control usage of Indirect Branch Prediction Barrier (IBPB) within some AMD processors (CPUs) for mitigating CVE-2017-5715, Spectre Variant 2 when you switch from user context to kernel context. (For more information, see AMD Architecture Guidelines around Indirect Branch Control and AMD Security Updates).

Follow the instructions outlined in KB 4073119 for Windows Client (IT Pro) guidance to enable usage of IBPB within some AMD processors (CPUs) for mitigating Spectre Variant 2 when you switch from user context to kernel context.

Intel microcode updates

Microsoft is making available Intel validated microcode updates around Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection"). KB4093836 lists specific Knowledge Base articles by Windows version. Each specific KB contains the latest available Intel microcode updates by CPU.

We will offer additional microcode updates from Intel for the Windows operating system as they become available to Microsoft. 



March 2018 Windows operating system updates

March 23, TechNet Security Research & Defense: KVA Shadow: Mitigating Meltdown on Windows

March 14, Security Tech Center: Speculative Execution Side Channel Bounty Program Terms

March 13, blog: March 2018 Windows Security Update – Expanding Our Efforts to Protect Customers

March 1, blog: Update on Spectre and Meltdown security updates for Windows devices

Intel microcode updates

Microsoft is making available Intel validated microcode updates around Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection"). KB4093836 lists specific Knowledge Base articles by Windows version. Each specific KB contains the available Intel microcode updates by CPU.

We will offer additional microcode updates from Intel for the Windows operating system as they become available to Microsoft.



Windows operating system updates for 32-bit (x86) systems

Starting in March 2018, Microsoft released security updates to provide mitigations for devices running the following x86-based Windows operating systems. Customers should install latest Windows operating system security updates to take advantage of available protections. We are working to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates. For more information, see the related Knowledge Base article for technical details and the "FAQ" section.

| Product update released | Status | Release date | Release channel | KB |
|---|---|---|---|---|
| Windows 8.1 & Windows Server 2012 R2 - Security Only Update | Released | 13-Mar | WSUS, Catalog | KB4088879 |
| Windows 7 SP1 & Windows Server 2008 R2 SP1 - Security Only Update | Released | 13-Mar | WSUS, Catalog | KB4088878 |
| Windows Server 2012 - Security Only Update; Windows 8 Embedded Standard Edition - Security Only Update | Released | 13-Mar | WSUS, Catalog | KB4088877 |
| Windows 8.1 & Windows Server 2012 R2 - Monthly Rollup | Released | 13-Mar | WU, WSUS, Catalog | KB4088876 |
| Windows 7 SP1 & Windows Server 2008 R2 SP1 - Monthly Rollup | Released | 13-Mar | WU, WSUS, Catalog | KB4088875 |
| Windows Server 2012 - Monthly Rollup; Windows 8 Embedded Standard Edition - Monthly Rollup | Released | 13-Mar | WU, WSUS, Catalog | KB4088877 |
| Windows Server 2008 SP2 | Released | 13-Mar | WU, WSUS, Catalog | KB4090450 |



Windows operating system updates for 64-bit (x64) systems
Starting in March 2018, Microsoft released security updates to provide mitigations for devices running the following x64-based Windows operating systems. Customers should install latest Windows operating system security updates to take advantage of available protections. We are working to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates. For more information, see the related knowledge base article for technical details and the "FAQ" section.
 
| Product update released | Status | Release date | Release channel | KB |
|---|---|---|---|---|
| Windows Server 2012 - Security Only Update; Windows 8 Embedded Standard Edition - Security Only Update | Released | 13-Mar | WSUS, Catalog | KB4088877 |
| Windows Server 2012 - Monthly Rollup; Windows 8 Embedded Standard Edition - Monthly Rollup | Released | 13-Mar | WU, WSUS, Catalog | KB4088877 |
| Windows Server 2008 SP2 | Released | 13-Mar | WU, WSUS, Catalog | KB4090450 |



Windows kernel update for CVE-2018-1038
This update addresses an elevation of privilege vulnerability in the Windows kernel in the 64-Bit (x64) version of Windows. This vulnerability is documented in CVE-2018-1038. Users must apply this update to be fully protected against this vulnerability if their computers were updated on or after January 2018 by applying any of the updates that are listed in the following Knowledge Base article:
 



Cumulative security update for Internet Explorer
This security update resolves several reported vulnerabilities in Internet Explorer. To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures.
 
| Product update released | Status | Release date | Release channel | KB |
|---|---|---|---|---|
| Internet Explorer 10 - Cumulative Update for Windows 8 Embedded Standard Edition | Released | 13-Mar | WU, WSUS, Catalog | KB4089187 |
 



February 2018 Windows operating system updates

Blog: Windows Analytics now helps assess Spectre and Meltdown protections

Windows operating system updates for 32-bit (x86) systems

The following security updates provide additional protections for devices running 32-bit (x86) Windows operating  systems. Microsoft recommends customers install the update as soon as available. We continue to work to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates. 

Note: Windows 10 monthly security updates are cumulative month over month and will be downloaded and installed automatically from Windows Update. If you have installed earlier updates, only the new portions will be downloaded and installed on your device. For more information, see the related Knowledge Base article for technical details and the "FAQ" section.

| Product update released | Status | Release date | Release channel | KB |
|---|---|---|---|---|
| Windows 10 - Version 1709 / Windows Server 2016 (1709) / IoT Core - Quality Update | Released | 31-Jan | WU, Catalog | KB4058258 |
| Windows Server 2016 (1709) - Server container | Released | 13-Feb | Docker Hub | KB4074588 |
| Windows 10 - Version 1703 / IoT Core - Quality Update | Released | 13-Feb | WU, WSUS, Catalog | KB4074592 |
| Windows 10 - Version 1607 / Windows Server 2016 / IoT Core - Quality Update | Released | 13-Feb | WU, WSUS, Catalog | KB4074590 |
| Windows 10 HoloLens - OS and Firmware Updates | Released | 13-Feb | WU, Catalog | KB4074590 |
| Windows Server 2016 (1607) - Container Images | Released | 13-Feb | Docker Hub | KB4074590 |
| Windows 10 - Version 1511 / IoT Core - Quality Update | Released | 13-Feb | WU, WSUS, Catalog | KB4074591 |
| Windows 10 - Version RTM - Quality Update | Released | 13-Feb | WU, WSUS, Catalog | KB4074596 |



January 2018 Windows operating system updates

Blog: Understanding the Performance Impact of Spectre and Meltdown Mitigations on Windows Systems

Windows operating system updates for 64-bit (x64) systems

Starting in January 2018, Microsoft released security updates to provide mitigations for devices running the following x64-based Windows operating systems. Customers should install latest Windows operating system security updates to take advantage of available protections. We are working to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates. For more information, see the related Knowledge Base article for technical details and the "FAQ" section.

| Product update released | Status | Release date | Release channel | KB |
|---|---|---|---|---|
| Windows 10 - Version 1709 / Windows Server 2016 (1709) / IoT Core - Quality Update | Released | 3-Jan | WU, WSUS, Catalog, Azure Image Gallery | KB4056892 |
| Windows Server 2016 (1709) - Server container | Released | 5-Jan | Docker Hub | KB4056892 |
| Windows 10 - Version 1703 / IoT Core - Quality Update | Released | 3-Jan | WU, WSUS, Catalog | KB4056891 |
| Windows 10 - Version 1607 / Windows Server 2016 / IoT Core - Quality Update | Released | 3-Jan | WU, WSUS, Catalog | KB4056890 |
| Windows Server 2016 (1607) - Container Images | Released | 4-Jan | Docker Hub | KB4056890 |
| Windows 10 - Version 1511 / IoT Core - Quality Update | Released | 3-Jan | WU, WSUS, Catalog | KB4056888 |
| Windows 10 - Version RTM - Quality Update | Released | 3-Jan | WU, WSUS, Catalog | KB4056893 |
| Windows 10 Mobile (OS Build 15254.192) - ARM | Released | 5-Jan | WU, Catalog | KB4073117 |
| Windows 10 Mobile (OS Build 15063.850) | Released | 5-Jan | WU, Catalog | KB4056891 |
| Windows 10 Mobile (OS Build 14393.2007) | Released | 5-Jan | WU, Catalog | KB4056890 |
| Windows 10 HoloLens | Released | 5-Jan | WU, Catalog | KB4056890 |
| Windows 8.1 / Windows Server 2012 R2 - Security Only Update | Released | 3-Jan | WSUS, Catalog | KB4056898 |
| Windows Embedded 8.1 Industry Enterprise | Released | 3-Jan | WSUS, Catalog | KB4056898 |
| Windows Embedded 8.1 Industry Pro | Released | 3-Jan | WSUS, Catalog | KB4056898 |
| Windows Embedded 8.1 Pro | Released | 3-Jan | WSUS, Catalog | KB4056898 |
| Windows 8.1 / Windows Server 2012 R2 Monthly Rollup | Released | 8-Jan | WU, WSUS, Catalog | KB4056895 |
| Windows Embedded 8.1 Industry Enterprise | Released | 8-Jan | WU, WSUS, Catalog | KB4056895 |
| Windows Embedded 8.1 Industry Pro | Released | 8-Jan | WU, WSUS, Catalog | KB4056895 |
| Windows Embedded 8.1 Pro | Released | 8-Jan | WU, WSUS, Catalog | KB4056895 |
| Windows Server 2012 Security Only | Released | | WSUS, Catalog | |
| Windows Server 2008 SP2 | Released | | WU, WSUS, Catalog | |
| Windows Server 2012 Monthly Rollup | Released | | WU, WSUS, Catalog | |
| Windows Embedded 8 Standard | Released | | WU, WSUS, Catalog | |
| Windows 7 SP1 / Windows Server 2008 R2 SP1 - Security Only Update | Released | 3-Jan | WSUS, Catalog | KB4056897 |
| Windows Embedded Standard 7 | Released | 3-Jan | WSUS, Catalog | KB4056897 |
| Windows Embedded POSReady 7 | Released | 3-Jan | WSUS, Catalog | KB4056897 |
| Windows Thin PC | Released | 3-Jan | WSUS, Catalog | KB4056897 |
| Windows 7 SP1 / Windows Server 2008 R2 SP1 Monthly Rollup | Released | 4-Jan | WU, WSUS, Catalog | KB4056894 |
| Windows Embedded Standard 7 | Released | 4-Jan | WU, WSUS, Catalog | KB4056894 |
| Windows Embedded POSReady 7 | Released | 4-Jan | WU, WSUS, Catalog | KB4056894 |
| Windows Thin PC | Released | 4-Jan | WU, WSUS, Catalog | KB4056894 |
| Internet Explorer 11 - Cumulative Update for Windows 7 SP1 and Windows 8.1 | Released | 3-Jan | WU, WSUS, Catalog | KB4056568 |



Resources and technical guidance

Depending on your role, the following support articles can help you identify and mitigate client and server environments that are affected by the Spectre and Meltdown vulnerabilities.

Microsoft blogs that discuss speculative execution side-channel vulnerabilities
List of technical resources and customer guidance

Microsoft Advisories:

Intel: Security Advisory

ARM: Security Advisory

AMD: Security Advisory

NVIDIA: Security Advisory

Consumer Guidance: Protecting your device against chip-related security vulnerabilities

Antivirus Guidance: Windows security updates released January 3, 2018, and antivirus software

Guidance for AMD Windows OS security update block: KB4073707: Windows operating system security update block for some AMD based devices

Update to Disable Mitigation against Spectre, Variant 2: KB4078130: Intel has identified reboot issues with microcode on some older processors 

Surface Guidance: Surface Guidance to protect against speculative execution side-channel vulnerabilities

Verify the status of speculative execution side channel mitigations: Understanding Get-SpeculationControlSettings PowerShell script output

IT Pro Guidance: Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

Server Guidance: Windows Server guidance to protect against speculative execution side-channel vulnerabilities

Server Guidance for L1 Terminal Fault: Windows Server guidance to protect against L1 terminal fault

Developer guidance: Developer Guidance for Speculative Store Bypass

Server Hyper-V Guidance

Azure KB: KB4073235: Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities

Azure Stack guidance: KB4073418: Azure stack guidance to protect against the speculative execution side-channel vulnerabilities

Azure reliability: Azure Reliability Portal

SQL Server guidance: KB4073225: SQL Server Guidance to protect against speculative execution side-channel vulnerabilities



Links to OEM and Server device manufacturers for updates to protect against Spectre and Meltdown vulnerabilities

To help address these vulnerabilities, you must update both your hardware and software. Use the following links to check with your device manufacturer for applicable firmware (microcode) updates.

List of OEM and Server device manufacturers

Use the following links to check with your device manufacturer for firmware (microcode) updates. You will have to install both operating system and firmware (microcode) updates for all available protections.

| OEM Device Manufacturers | Link to microcode availability |
|---|---|
| Acer | Meltdown and Spectre security vulnerabilities |
| Asus | ASUS Update on Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method |
| Dell | Meltdown and Spectre Vulnerabilities |
| Epson | CPU vulnerabilities (side channel attacks) |
| Fujitsu | |
| HP | SUPPORT COMMUNICATION- SECURITY BULLETIN |
| Lenovo | Reading Privileged Memory with a Side Channel |
| LG | Get Product Help & Support |
| NEC | On the response to the processor's vulnerability (meltdown, spectrum) in our products |
| Panasonic | Security information of vulnerability by Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method |
| Samsung | Intel CPUs Software Update Announcement |
| Surface | Surface Guidance to protect against speculative execution side-channel vulnerabilities |
| Toshiba | Intel, AMD & Microsoft Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method Security Vulnerabilities (2017) |
| Vaio | On the vulnerability support for side channel analysis |

 

| Server OEM Manufacturers | Link to microcode availability |
|---|---|
| Dell | Meltdown and Spectre Vulnerabilities |
| Fujitsu | CPU hardware vulnerable to side-channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) |
| HPE | Hewlett Packard Enterprise Product Security Vulnerability Alerts |
| Huawei | Security Notice - Statement on the Media Disclosure of the Security Vulnerabilities in the Intel CPU Architecture Design |
| Lenovo | Reading Privileged Memory with a Side Channel |

Third-party contact disclaimer
Microsoft provides third-party contact information to help you find additional information about this topic. This contact information may change without notice. Microsoft does not guarantee the accuracy of third-party contact information.



Frequently asked questions

My OEM device manufacturer is not listed. What do I do?

You will have to check with your device manufacturer for firmware (microcode) updates. If your device manufacturer is not listed in the table, contact your OEM directly.



Keywords: meltdown, spectre, speculative execution side-channel vulnerabilities


Article Info
Article ID : 4073757
Revision : 319
Created on : 2/28/2020
Published on : 2/28/2020
Exists online : False
Views : 289