Windows Client Guidance against speculative execution vulnerabilities

    Last Updated: 14 Aug 2018 at 15:05

    Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities



    Summary

    Microsoft is aware of a newly disclosed class of vulnerabilities called "speculative execution side-channel attacks" that affects many modern processors, including those from Intel, AMD, and ARM, and the operating systems that run on them.

    Note This issue also affects other operating systems, such as Android, Chrome, iOS, and MacOS, so we advise customers to seek guidance from those vendors.

    Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See the following sections for more details.

    Microsoft has not yet received any information to indicate that these vulnerabilities have been used to attack customers. Microsoft is working closely with industry partners, including chip makers, hardware OEMs, and app vendors, to protect customers. To get all available protections, both hardware/firmware and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software as well.

    The following sections will help you identify and mitigate client environments that are affected by the vulnerabilities that are identified in Microsoft Security Advisory ADV180002.

    Windows Update also delivers the Internet Explorer and Edge mitigations, and we will continue to improve these mitigations against this class of vulnerabilities.



    Recommended actions

    Customers must take the following actions to help protect against the vulnerabilities.

    1. Verify that you are running a supported antivirus application before you install OS or firmware updates. Contact the antivirus software vendor for compatibility information.
    2. Apply all available Windows operating system updates, including the January 2018 Windows security updates.
    3. Apply the applicable firmware update that is provided by the device manufacturer.

    Windows-based machines (physical or virtual) should install the Microsoft security updates that were released on January 3, 2018. See Microsoft Security Advisory ADV180002 for updates for the following versions of Windows.

    Operating System Version
    Windows 10 (RTM, 1511, 1607, 1703, 1709) for x64 and x86 based systems
    Windows 8.1
    Windows 7 SP1

    Warning
    Customers who install only the Windows January and February 2018 security updates will not receive all known protections against these vulnerabilities. In addition to the security updates, a processor microcode (firmware) update is required; obtain it from your OEM device manufacturer. Without it, the verification script below reports that hardware support for the branch target injection mitigation is not present.

    Note Surface customers will receive a microcode update via Windows update. For a list of available Surface device firmware updates, see KB 4073065.

    See also the forum thread: Surface updates for recent chip-related security vulnerability

    How to get the monthly Windows security update when Group Policy or MDM is configured to disable preview builds (Windows Update and Windows Update for Business)

    (Note This does not apply to WSUS clients.)

    If you have disabled preview builds through the Group Policy or MDM settings listed below, your organization's devices will not receive the January 2018 Windows security updates until those settings are changed. To confirm that a device cannot receive the update, scan for available updates.

    Group/MDM configuration                     Setting    Description
    System/AllowBuildPreview                    0          Not allowed
    "Toggle user control over Insider builds"   Enabled
    Update/ManagePreviewBuilds                  0 or 1     Disable preview builds -or- Disable preview builds once next release is public
    "Manage preview builds"                     Disable preview builds -or- Disable preview builds once next release is public

    To allow devices to receive the Windows security updates, you need to change the Group or MDM policies to the following “Not Configured” settings:

    Group/MDM configuration                     Setting    Description
    System/AllowBuildPreview                    2          Not Configured
    "Toggle user control over Insider builds"   Not Configured
    Update/ManagePreviewBuilds                  3          Not Configured
    "Manage preview builds"                     Not Configured

    After devices have received the monthly Windows security updates, the policy configuration settings can be changed back to their previous state (disabling preview builds).

    Verifying that protections are enabled

    To help customers confirm whether protections have been enabled, Microsoft has published a PowerShell script that customers can run on their systems. Install and run the script by running the following commands:

    Note These verification steps only apply to Windows client and not to Azure instances. For further cloud guidance, see the Azure blog.

    PowerShell Verification using the PowerShell Gallery
    1) Open an elevated PowerShell.

    2) Temporarily set the PowerShell script execution policy for this process only

    PS> Set-ExecutionPolicy Unrestricted -Scope Process -Force

    3) Install the PowerShell module
    PS> Install-Module SpeculationControl -Force

    Type Y and press Enter if prompted to install and import NuGet.

    4) Run the PowerShell module to validate that protections are enabled
    PS> Get-SpeculationControlSettings

    OR

    PowerShell Verification using the download from TechNet
    1) Download the PowerShell module from the TechNet Script Center

    Go to Speculation Control Validation PowerShell Script

    Download SpeculationControl.zip to a local folder.

    Extract the contents to a local folder, for example C:\ADV180002

    2) Open an elevated PowerShell.

    3) Switch to the directory of the extracted contents
    PS> CD C:\ADV180002\SpeculationControl

    4) Temporarily set the PowerShell script execution policy for this process only
    PS> Set-ExecutionPolicy Unrestricted -Scope Process -Force

    5) Import the downloaded PowerShell module
    PS> Import-Module .\SpeculationControl.psd1

    6) Run the PowerShell module to validate that protections are enabled
    PS> Get-SpeculationControlSettings

    The output of this PowerShell script will look like the following. Enabled protections will show in the output as “True”.

    Code:
    PS C:\> Get-SpeculationControlSettings
    Speculation control settings for CVE-2017-5715 [branch target injection]
    Hardware support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is enabled: True
    Speculation control settings for CVE-2017-5754 [rogue data cache load]
    Hardware requires kernel VA shadowing: True
    Windows OS support for kernel VA shadow is present: True
    Windows OS support for kernel VA shadow is enabled: True
    Windows OS support for PCID optimization is enabled: True
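    The report above is written for a person to read, but Get-SpeculationControlSettings also returns an object, so the same check can be turned into a pass/fail compliance test that tells a missing OEM microcode update apart from a missing or disabled OS fix. The following is an added example and is not part of the Microsoft guidance reproduced here. It assumes the SpeculationControl module has been installed by one of the two procedures above; the property names it reads (BTIHardwarePresent, BTIWindowsSupportPresent, BTIWindowsSupportEnabled, KVAShadowRequired, KVAShadowWindowsSupportPresent, KVAShadowWindowsSupportEnabled, KVAShadowPcidEnabled) are the ones the module exposes at the time of writing and can be listed with Get-Member.

```powershell
# Added example (not from the Microsoft article): turn the result of
# Get-SpeculationControlSettings into a pass/fail compliance object.
# Assumes the SpeculationControl module is installed (PowerShell Gallery or
# TechNet download, as described above). Verify the property names with:
#   Get-SpeculationControlSettings | Get-Member -MemberType NoteProperty

function Test-SpeculationControlCompliance {
    [CmdletBinding()]
    param()

    Import-Module SpeculationControl -ErrorAction Stop
    # The module prints its human-readable report to the console and returns
    # an object with one property per line of that report.
    $s = Get-SpeculationControlSettings

    $findings = New-Object System.Collections.Generic.List[string]

    # CVE-2017-5715 (branch target injection): hardware, OS support and
    # enablement must all be True for the mitigation to be in effect.
    if (-not $s.BTIHardwarePresent) {
        $findings.Add('BTI: hardware support absent - the OEM microcode/firmware update is missing (see the Warning above)')
    }
    if (-not $s.BTIWindowsSupportPresent) {
        $findings.Add('BTI: OS support absent - the January 2018 or later security update is not installed')
    }
    elseif (-not $s.BTIWindowsSupportEnabled) {
        $findings.Add('BTI: OS support present but disabled - check FeatureSettingsOverride in the registry')
    }

    # CVE-2017-5754 (rogue data cache load): only a gap on CPUs that need
    # kernel VA shadowing in the first place.
    if ($s.KVAShadowRequired) {
        if (-not $s.KVAShadowWindowsSupportPresent) {
            $findings.Add('KVA shadow: OS support absent - security update not installed')
        }
        elseif (-not $s.KVAShadowWindowsSupportEnabled) {
            $findings.Add('KVA shadow: OS support present but disabled - check FeatureSettingsOverride in the registry')
        }
        elseif (-not $s.KVAShadowPcidEnabled) {
            # Not a security gap: PCID only lowers the performance cost of KVA shadowing.
            Write-Verbose 'KVA shadow is enabled without the PCID optimization (older CPU); protection is in effect.'
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

# Usage from an elevated PowerShell:
$result = Test-SpeculationControlCompliance -Verbose
$result | Format-List
```

    A device whose Findings list contains only the "hardware support absent" line has the OS fix but not the firmware update, which is exactly the case the Warning above describes. In a scheduled compliance job, return a non-zero exit code when $result.Compliant is $false.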



    Registry settings to switch the mitigations on or off

    Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

    322756 How to back up and restore the registry in Windows

    Note The mitigations are enabled by default once the update is installed; no customer action is required to enable them. The following registry information is provided for completeness, in case customers want to disable the security fixes for CVE-2017-5715 and CVE-2017-5754 on Windows clients.

    To enable the fix *

    Code:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
    
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    Restart the computer for the changes to take effect.

    To disable the fix *

    Code:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
    
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    Restart the computer for the changes to take effect.

    (There is no need to change MinVmVersionForCpuBasedMitigations on clients.)
    * The FeatureSettingsOverrideMask value of 3 is correct for both the enable and the disable commands; because of the masking, only the FeatureSettingsOverride value changes between the two.



    Disable mitigation against Spectre Variant 2

    While Intel tests, updates, and deploys new microcode, we are offering a new option for advanced users on impacted devices to manually disable and enable the mitigation against Spectre Variant 2 (CVE-2017-5715) independently of the Meltdown mitigation, via registry setting changes.

    If you have installed the microcode but want to disable the CVE-2017-5715 (Branch Target Injection) mitigation because of unexpected reboots and/or system stability issues, use the following instructions. A FeatureSettingsOverride value of 1 disables only this mitigation; the value 3 used in the previous section disables both it and the kernel VA shadow fix.

    To disable Variant 2: CVE-2017-5715 "Branch Target Injection":

    Code:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 1 /f
    
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    To enable Variant 2: CVE-2017-5715 "Branch Target Injection":

    Code:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
    
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    Note Disabling or enabling the Variant 2 mitigation through registry changes requires administrative rights and a reboot.



    Enable usage of Indirect Branch Prediction Barrier (IBPB) for Spectre Variant 2 for AMD processors (CPUs)

    Applies to: Windows 10, version 1803, Windows 10, version 1709, Windows 10, version 1703, Windows 10, version 1607, Windows 10, Windows 8.1, and Windows 7 SP1.

    Some AMD processors (CPUs) offer an indirect branch control feature designed to mitigate indirect branch target injection through an Indirect Branch Prediction Barrier (IBPB) mechanism. (For more information, see AMD Architecture Guidelines around Indirect Branch Control and AMD Security Updates.)

    Use the following instructions to control usage of IBPB when switching from user context to kernel context.

    To enable usage of Indirect Branch Prediction Barrier (IBPB) when switching from user context to kernel context:

    Code:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 64 /f
    
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    Note Enabling usage of Indirect Branch Prediction Barrier (IBPB) through registry setting changes requires administrative rights and a restart.


    Manage Speculative Store Bypass and mitigations around Spectre Variant 2 and Meltdown

    Applies to: Windows 10 Version 1803, Windows 10 Version 1709, Windows 10 Version 1703, Windows 10 Version 1607, Windows 10, Windows 8.1, and Windows 7 SP1.

    • Enable the mitigation for Speculative Store Bypass (CVE-2018-3639) together with the mitigations for Spectre Variant 2 (CVE-2017-5715 "Branch Target Injection") and Meltdown (CVE-2017-5754) through the following registry settings. The Speculative Store Bypass mitigation is not enabled by default.

      Code:
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f
      
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
      Note These registry changes require administrative rights and a restart.
    • Disable the mitigation for Speculative Store Bypass (CVE-2018-3639) by removing the override values. This returns the system to its defaults (Variant 2 and Meltdown mitigations enabled, Speculative Store Bypass mitigation disabled), so it also undoes any other FeatureSettingsOverride setting made in the sections above.

      Code:
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /f
      
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /f
      Note These registry changes require administrative rights and a restart.
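    The four sections above all drive the same two registry values, which makes it easy to lose track of what a given machine is actually set to. The following is an added example, not part of the Microsoft article, that reads FeatureSettingsOverride and FeatureSettingsOverrideMask, reports which of the documented values are present, and wraps the reg add / reg delete commands in functions that support -WhatIf. The bit meanings are taken from the values on this page: 1 disables the Variant 2 mitigation, 3 disables both it and kernel VA shadowing, 8 enables the Speculative Store Bypass mitigation, 64 enables IBPB on user-to-kernel transitions. Reading the value 2 as the kernel VA shadow bit is an inference from 3 = 1 + 2 and is marked as such in the code. The mask is only recorded, not interpreted, because the page documents only the value 3 for it.

```powershell
# Added example (not from the Microsoft article): inspect and set the
# FeatureSettingsOverride / FeatureSettingsOverrideMask values used on this page.
# Run from an elevated PowerShell; every change requires a restart to take effect.

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Documented FeatureSettingsOverride values, taken from the reg add commands above.
# The meaning of 2 is inferred from "3 disables both fixes" and "1 disables Variant 2".
$OverrideBits = [ordered]@{
    1  = 'Disable CVE-2017-5715 (branch target injection) mitigation'
    2  = 'Disable CVE-2017-5754 (kernel VA shadow) mitigation  [inferred: 3 = 1 + 2]'
    8  = 'Enable CVE-2018-3639 (speculative store bypass) mitigation'
    64 = 'Enable IBPB on user-to-kernel transitions (AMD)'
}

function Get-FeatureSettingsOverride {
    $props    = Get-ItemProperty -Path $MemMgmtKey -ErrorAction Stop
    $override = $props.FeatureSettingsOverride        # $null when the value is absent
    $mask     = $props.FeatureSettingsOverrideMask

    if ($null -eq $override -and $null -eq $mask) {
        # Neither value present: Windows defaults apply (Variant 2 and KVA shadow on, SSBD off).
        return [pscustomobject]@{ Override = $null; Mask = $null; Defaults = $true; Flags = @() }
    }

    # Report every documented bit that is set in the override value.
    $flags = foreach ($bit in $OverrideBits.Keys) {
        if ($override -band $bit) { $OverrideBits[$bit] }
    }
    [pscustomobject]@{
        Override = $override
        Mask     = $mask
        Defaults = $false
        Flags    = @($flags)
    }
}

function Set-FeatureSettingsOverride {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Only the values this page documents are accepted.
        [Parameter(Mandatory)][ValidateSet(0, 1, 3, 8, 64)][int]$Override,
        [int]$Mask = 3
    )
    $action = "Set FeatureSettingsOverride=$Override, FeatureSettingsOverrideMask=$Mask"
    if ($PSCmdlet.ShouldProcess($MemMgmtKey, $action)) {
        New-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverride     -PropertyType DWord -Value $Override -Force | Out-Null
        New-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverrideMask -PropertyType DWord -Value $Mask     -Force | Out-Null
        Write-Warning 'Restart the computer for the change to take effect.'
    }
}

function Reset-FeatureSettingsOverride {
    # Same effect as the two "reg delete" commands above: back to Windows defaults.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($MemMgmtKey, 'Remove FeatureSettingsOverride and FeatureSettingsOverrideMask')) {
        Remove-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverride, FeatureSettingsOverrideMask -ErrorAction SilentlyContinue
        Write-Warning 'Restart the computer for the change to take effect.'
    }
}

# Usage:
Get-FeatureSettingsOverride | Format-List
# Set-FeatureSettingsOverride -Override 8 -WhatIf   # preview: enable SSBD alongside the defaults
# Set-FeatureSettingsOverride -Override 1           # disable only the Variant 2 mitigation
# Reset-FeatureSettingsOverride                     # remove both values, return to defaults
```

    Run Get-FeatureSettingsOverride before and after any change, and pair it with Get-SpeculationControlSettings after the restart, since the registry records the requested state and the module reports the state the kernel actually applied.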


    Read more: https://support.microsoft.com/en-us/...peculative-exe


    Posted By: Brink
    04 Jan 2018


    #1

    The above PowerShell commands don't work for me running the latest version of W10 Pro. What do users need to do to run these commands?


    #2

    Same here.


    #3

    Mooly said:
    Same here.


    #4

    Shawn, mine shows a little bit more at the bottom;
    [screenshot]


    #5

    Steve C said:
    The above PowerShell commands don't work for me running the latest version of W10 Pro. What do users need to do to run these commands?
    Mooly said:
    Same here.
    Josey Wales said:
    Are you guys running as admin?

    It will want to install NuGet first if you don't have it installed yet (like if you are a Chocolatey user).


    #6

    Thanks Cliff.

    Tried admin and non-admin but didn't know you needed to install something first... and as I like to keep my main system clean I probably won't pursue it. But thanks :)


    #7

    Mooly said:
    Thanks Cliff.

    Tried admin and non-admin but didn't know you needed to install something first... and as I like to keep my main system clean I probably won't pursue it. But thanks :)
    Probably need to change the Execution Policy from Restricted first. I used
    PS C:\WINDOWS\system32> Set-ExecutionPolicy RemoteSigned

    Put it back to Restricted after running the scripts.


    #8

    Mooly said:
    Thanks Cliff.

    Tried admin and non-admin but didn't know you needed to install something first... and as I like to keep my main system clean I probably won't pursue it. But thanks :)
    I did as well. Thanks again Cliff


    #9

    Installed the latest update of Windows and this is how it looks for me; apparently it is like this for many users and means the Spectre bug hasn't been completely patched with a BIOS update. I flashed the latest BIOS version yesterday to patch a previous security problem.
    [screenshot]


 
