APS V2 AU4 (and later) Guidance to protect against speculative execution side-channel vulnerabilities

Microsoft is aware of a new publicly disclosed class of vulnerabilities that are referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems, including those from Intel, AMD, and ARM. 

Note This issue also affects other systems such as Android, Chrome, iOS, and MacOS, so we advise customers to seek guidance from those vendors. 

We have released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See the following sections for more detail.

We have not yet received any information to indicate that these vulnerabilities have been used to attack our customers. We are working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers. To get all available protections, hardware/firmware and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software as well. 
 
For more information about the vulnerabilities, see Microsoft Security Advisory ADV180002. 

Although Analytics Platform System (APS) runs on impacted versions of Microsoft SQL Server 2014 and SQL Server 2016, as stated in the related SQL Server Knowledge Base article, APS does not support any features that allow user code to directly execute on the appliance.   

APS currently does not allow use of the following: 

• SQL CLR assemblies  

• R and Python packages that run through the external scripts mechanism or from the standalone R/Machine Learning Studio on the same physical machine as APS

• SQL Agent extensibility points that run on the same physical machine as APS (ActiveX scripts)

• Microsoft or non-Microsoft OLE DB providers that are used on linked servers where APS is the source

• Microsoft or non-Microsoft extended stored procedures 

All software is restricted from installation on the appliance unless approved by Microsoft APS product team.  

Note It is possible for someone who has access to the appliance to install malicious software on the appliance without permission from Microsoft. 

We recommend that all customers install the latest Windows OS security hotfix by using WSUS. For more information, see: 

Windows Server guidance to protect against speculative execution side-channel vulnerabilities

Note If you are running antivirus software, see KB 4056898 before you install the update.

Customers who are running APS software version older than V2 AU4 should upgrade to the latest version of APS. Customers who are running HDInsight in APS should wait for the AU4 hotfix, as noted below.

The Microsoft APS team continues to investigate this issue. Although the impact to APS is minimal, the APS team will release Microsoft SQL Server-related hotfixes at a later date. 

Dates: 

APS2016 – Target hotfix date is February 2018. 

AU5 – To be determined 

AU4 - To be determined

We continue to evaluate the performance of patched binaries. However, at the time of publication of this article, we have not yet validated APS performance with all microcode patches. Customers are advised to evaluate the performance of their specific application when applying patches. Validate the performance impact of enabling microcode changes before deploying the changes into a production environment.

We will update this section with more information when it is available.