Summary
This article discusses the impact of the recently disclosed processor vulnerabilities, named “Spectre” and “Meltdown,” for Windows customers. This article also provides resources to help keep your devices protected at home, at work, and across your enterprise.
Microsoft is aware of new vulnerabilities in hardware processors named “Spectre” and “Meltdown”. These are a newly discovered class of vulnerabilities based on a common chip architecture that, when originally designed, was created to speed up computers. The technical name is “speculative execution side-channel vulnerabilities”. You can learn more about these vulnerabilities at
Google Project Zero.
In January, Microsoft released information about a newly discovered class of hardware vulnerabilities (known as Spectre and Meltdown) that involve speculative execution side channels that affect AMD, ARM, and Intel CPUs to varying degrees. On May 21, 2018
Google Project Zero (GPZ), Microsoft, and
Intel disclosed two new chip vulnerabilities that are related to the Spectre and Meltdown issues that are known as
Speculative Store Bypass (SSB) and
Rogue System Registry Read.
The customer risk from both disclosures is low.
For more information about these vulnerabilities, see resources listed in this article under the heading May 2018 Windows operating system updates, under New speculative execution side-channel vulnerability disclosure (Speculative Store Bypass - CVE-2018-3639 and Rogue System Register Read - CVE-2018-3640).
Steps to help protect your Windows devices
What steps should I take to protect my devices?
You will need to update both your hardware and your software to address this vulnerability. This includes applicable firmware updates from device manufacturers and, in some cases, updates to your antivirus software as well. We encourage you to keep your devices up-to-date by installing the monthly security updates.
To receive all available protections, follow these steps to get the latest updates for both software and hardware.
Note
- Keep your Windows device up to date by turning on automatic updates.
- Check that you’ve installed the latest Windows operating system security update from Microsoft. If automatic updates are turned on, the updates should be automatically delivered to you, but you should still verify that they’re installed. For instructions, see Windows Update: FAQ
- Install available hardware (firmware) updates from your device manufacturer. All customers will have to check with their device manufacturer to download and install their device specific hardware update. See the "Additional resources" section for a list of device manufacturer websites.
Note
Customers should install the latest Windows operating system security updates from Microsoft to take advantage of available protections. Antivirus software updates should be installed first. Operating system and firmware updates should follow. We encourage you to keep your devices up-to-date by installing the monthly security updates.
Who is affected?
Affected chips include those that are manufactured by Intel, AMD, and ARM. This means that all devices that are running Windows operating systems are potentially vulnerable. This includes desktops, laptops, cloud servers, and smartphones. Devices that are running other operating systems, such as Android, Chrome, iOS, and MacOS, are also affected. We advise customers who are running these operating systems to seek guidance from those vendors.
At this time of publication, we have not received any information to indicate that these vulnerabilities have been used to attack customers.
Protections we’ve provided to date
Starting in January 2018, Microsoft released updates for Windows operating systems and the Internet Explorer and Edge web browsers to help mitigate these vulnerabilities and help to protect customers. We also released updates to secure our cloud services. We continue working closely with industry partners, including chip makers, hardware OEMs, and app vendors, to protect customers against this class of vulnerability.
We encourage you to always install the monthly updates to keep your devices up-to-date and secure.
We will update this documentation when new mitigations become available and recommend you check back here regularly.
June 2018 Windows operating system updates
Announcing Windows support for Speculative Store Bypass Disable (SSBD) in Intel processors
On June 12th Microsoft announced Windows support for Speculative Store Bypass Disable (SSBD) in Intel processors. The updates require corresponding microcode/firmware and registry updates for functionality. For information about the updates and the steps to apply to turn on SSBD, see the "Recommended actions" section in
ADV180012 | Microsoft Guidance for Speculative Store Bypass.
May 2018 Windows operating system updates
New speculative execution side-channel vulnerability disclosure (Speculative Store Bypass - CVE-2018-3639 and Rogue System Register Read - CVE-2018-3640)
In January 2018, Microsoft released information about a newly discovered class of hardware vulnerabilities (known as Spectre and Meltdown) that involve speculative execution side channels that affect AMD, ARM, and Intel CPUs to varying degrees. On May 21, 2018
Google Project Zero (GPZ), Microsoft, and
Intel disclosed two new chip vulnerabilities that are related to the Spectre and Meltdown issues that are known as
Speculative Store Bypass (SSB) and
Rogue System Registry Read.
The customer risk from both disclosures is low.
For more information about these vulnerabilities, see the following resources:
Enable usage of Indirect Branch Prediction Barrier (IBPB) for Spectre Variant 2 for AMD processors (CPUs)
Applies to: Windows 10 Version 1607, Windows Server 2016, Windows Server 2016 (Server Core installation), and Windows Server, version 1709 (Server Core installation)
We have provided support to control usage of Indirect Branch Prediction Barrier (IBPB) within some AMD processors (CPUs) for mitigating
CVE-2017-5715, Spectre Variant 2 when switching from user context to kernel context. (For more information, see
AMD Architecture Guidelines around Indirect Branch Control and
AMD Security Updates).
Customers who are running Windows 10 Version 1607, Windows Server 2016, Windows Server 2016 (Server Core installation), and Windows Server, version 1709 (Server Core installation) must install security update
4103723 for additional mitigations for AMD processors for
CVE-2017-5715, Branch Target Injection. This update is also available via Windows Update.
Follow the instructions outlined in
KB4073119 for Windows Client (IT Pro) guidance and
KB4072698 for Windows Server guidance to enable usage of IBPB within some AMD processors (CPUs) for mitigating Spectre Variant 2 when switching from user context to kernel context.
Intel microcode updates for Windows 10 version 1803 and Windows Server version 1803
Microsoft is making available Intel validated microcode updates around Spectre Variant 2 (CVE 2017-5715 “Branch Target Injection”). To get the latest Intel microcode updates via Windows Update, customers must have installed Intel microcode on devices running a Windows 10 operating system prior to upgrading to the Windows 10 April 2018 Update (version 1803).
The microcode update is also available directly from Catalog if it was not installed on the device prior to upgrading the OS. Intel microcode is available via Windows Update, WSUS, or the Microsoft Update Catalog. For more information and download instructions, see
KB4100347.
We will offer additional microcode updates from Intel for the Windows operating system as they become available to Microsoft.
Intel microcode updates
Microsoft is making available Intel validated microcode updates around Spectre Variant 2 [CVE 2017-5715 ("Branch Target Injection”)].
KB4093836 lists specific Knowledge Base articles by Windows version. Each specific KB contains the latest available Intel microcode updates by CPU.
We will offer additional microcode updates from Intel for the Windows operating system as they become available to Microsoft.
April 2018 Windows operating system updates
Enable usage of Indirect Branch Prediction Barrier (IBPB) for Spectre Variant 2 for AMD processors (CPUs)
Applies to Windows 10 version 1709
We have provided support to control usage of Indirect Branch Prediction Barrier (IBPB) within some AMD processors (CPUs) for mitigating CVE-2017-5715, Spectre Variant 2 when switching from user context to kernel context. (For more information, see
AMD Architecture Guidelines around Indirect Branch Control and
AMD Security Updates).
Follow the instructions outlined in KB
4073119 for Windows Client (IT Pro) guidance to enable usage of IBPB within some AMD processors (CPUs) for mitigating Spectre Variant 2 when switching from user context to kernel context.
Intel microcode updates
Microsoft is making available Intel validated microcode updates around Spectre Variant 2 [CVE 2017-5715 ("Branch Target Injection”)].
KB4093836 lists specific Knowledge Base articles by Windows version. Each specific KB contains the latest available Intel microcode updates by CPU.
We will offer additional microcode updates from Intel for the Windows operating system as they become available to Microsoft.
March 2018 Windows operating system updates
March 23, TechNet Security Research & Defense:
KVA Shadow: Mitigating Meltdown on Windows
March 14, Security Tech Center:
Speculative Execution Side Channel Bounty Program Terms
March 13, blog
: March 2018 Windows Security Update – Expanding Our Efforts to Protect Customers
March 1, blog:
Update on Spectre and Meltdown security updates for Windows devices
Intel microcode updates
Microsoft is making available Intel validated microcode updates around Spectre Variant 2 [CVE 2017-5715 ("Branch Target Injection”)].
KB4093836 lists specific Knowledge Base articles by Windows version. Each specific KB contains the available Intel microcode updates by CPU .
We will offer additional microcode updates from Intel for the Windows operating system as they become available to Microsoft.
Windows operating system updates for 32-bit (x86) systems
Starting in March 2018, Microsoft released security updates to provide mitigations for devices running the following x86-based Windows operating systems. Customers should install latest Windows operating system security updates to take advantage of available protections. We are working to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates. For more information, see the related knowledge base article for technical details and the
FAQ below.
| Product update released |
Released |
Release date |
Release channel |
KB |
| Windows 8.1 & Windows Server 2012 R2 - Security Only Update |
Released |
13-Mar |
WSUS, Catalog, |
KB4088879 |
| Windows 7 SP1 & Windows Server 2008 R2 SP1 - Security Only Update |
Released |
13-Mar |
WSUS, Catalog |
KB4088878 |
Windows Server 2012 - Security Only Update
Windows 8 Embedded Standard Edition - Security Only Update |
Released |
13-Mar |
WSUS, Catalog |
KB4088877 |
| Windows 8.1 & Windows Server 2012 R2 - Monthly Rollup |
Released |
13-Mar |
WU, WSUS, Catalog |
KB4088876 |
| Windows 7 SP1 & Windows Server 2008 R2 SP1 - Monthly Rollup |
Released |
13-Mar |
WU, WSUS, Catalog |
KB4088875 |
Windows Server 2012 - Monthly Rollup
Windows 8 Embedded Standard Edition - Monthly Rollup |
Released |
13-Mar |
WU, WSUS, Catalog |
KB4088877 |
| Windows Server 2008 SP2 |
Released |
13-Mar |
WU, WSUS, Catalog |
KB4090450 |
Starting in March 2018, Microsoft released security updates to provide mitigations for devices running the following x64-based Windows operating systems. Customers should install latest Windows operating system security updates to take advantage of available protections. We are working to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates. For more information, see the related knowledge base article for technical details and the
FAQ later in this article.
| Product update released |
Released |
Release date |
Release channel |
KB |
Windows Server 2012 - Security Only Update
Windows 8 Embedded Standard Edition - Security Only Update |
Released |
13-Mar |
WSUS, Catalog |
KB4088877 |
Windows Server 2012 - Monthly Rollup
Windows 8 Embedded Standard Edition - Monthly Rollup |
Released |
13-Mar |
WU, WSUS, Catalog |
KB4088877 |
| Windows Server 2008 SP2 |
Released |
13-Mar |
WU, WSUS, Catalog |
KB4090450 |
This update addresses an elevation of privilege vulnerability in the Windows kernel in the 64-Bit (x64) version of Windows. This vulnerability is documented in
CVE-2018-1038. Users must apply this update to be fully protected against this vulnerability if their computers were updated on or after January 2018 by applying any of the following updates.
Cumulative security update for Internet Explorer
This security update resolves several reported vulnerabilities in Internet Explorer. To learn more about these vulnerabilities, see
Microsoft Common Vulnerabilities and Exposures.
| Product update released |
Released |
Release date |
Release channel |
KB |
| Internet Explorer 10 - Cumulative Update for Windows 8 Embedded Standard Edition |
Released |
13-Mar |
WU, WSUS, Catalog |
KB4089187 |
The following security updates provide additional protections for devices running 32-bit (x86) Windows operating systems. Microsoft recommends customers install the update as soon as available. We continue to work to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates.
Note: Windows 10 monthly security updates are cumulative month over month and will be downloaded and installed automatically from Windows Update. If you have installed earlier updates, only the new portions will be downloaded and installed on your device. For more information, see the related knowledge base article for technical details and the FAQ below.
| Product update released |
Released |
Release date |
Release channel |
KB |
|---|
| Windows 10 - Version 1709 / Windows Server 2016 (1709) / IoT Core - Quality Update |
Released |
January 31 |
WU, Catalog |
KB4058258 |
| Windows Server 2016 (1709) - Server container |
Released |
February 13 |
Docker Hub |
KB4074588 |
| Windows 10 - Version 1703 / IoT Core - Quality Update |
Released |
February 13 |
WU, WSUS, Catalog |
KB4074592 |
| Windows 10 - Version 1607 / Windows Server 2016 / IoT Core - Quality Update |
Released |
February 13 |
WU, WSUS, Catalog |
KB4074590 |
| Windows 10 HoloLens - OS and Firmware Updates |
Released |
February 13 |
WU, Catalog |
KB4074590 |
| Windows Server 2016 (1607) - Container Images |
Released |
February 13 |
Docker Hub |
KB4074590 |
| Windows 10 - Version 1511 / IoT Core - Quality Update |
Released |
February 13 |
WU, WSUS, Catalog |
KB4074591 |
| Windows 10 - Version RTM - Quality Update |
Released |
February 13 |
WU, WSUS, Catalog |
KB4074596 |
Starting in January 2018, Microsoft released security updates to provide mitigations for devices running the following x64-based Windows operating systems. Customers should install latest Windows operating system security updates to take advantage of available protections. We are working to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates. For more information, see the related knowledge base article for technical details and the FAQ below.
| Product Update Released |
Released |
Release Date |
Release Channel |
KB |
|---|
| Windows 10 - Version 1709 / Windows Server 2016 (1709) / IoT Core - Quality Update |
Released |
January 3 |
WU, WSUS, Catalog, Azure Image Gallery |
KB4056892 |
| Windows Server 2016 (1709) - Server container |
Released |
January 5 |
Docker Hub |
KB4056892 |
| Windows 10 - Version 1703 / IoT Core - Quality Update |
Released |
January 3 |
WU, WSUS, Catalog |
KB4056891 |
| Windows 10 - Version 1607 / Windows Server 2016 / IoT Core- Quality Update |
Released |
January 3 |
WU, WSUS, Catalog |
KB4056890 |
| Windows Server 2016 (1607) - Container Images |
Released |
January 4 |
Docker Hub |
KB4056890 |
| Windows 10 - Version 1511 / IoT Core - Quality Update |
Released |
January 3 |
WU, WSUS, Catalog |
KB4056888 |
| Windows 10 - Version RTM - Quality Update |
Released |
January 3 |
WU, WSUS, Catalog |
KB4056893 |
| Windows 10 Mobile (OS Build 15254.192) - ARM |
Released |
January 5 |
WU, Catalog |
KB4073117 |
| Windows 10 Mobile (OS Build 15063.850) |
Released |
January 5 |
WU, Catalog |
KB4056891 |
| Windows 10 Mobile (OS Build 14393.2007) |
Released |
January 5 |
WU, Catalog |
KB4056890 |
| Windows 10 HoloLens |
Released |
January 5 |
WU, Catalog |
KB4056890 |
| Windows 8.1 / Windows Server 2012 R2 - Security Only Update |
Released |
January 3 |
WSUS, Catalog |
KB4056898 |
| Windows Embedded 8.1 Industry Enterprise |
Released |
January 3 |
WSUS, Catalog |
KB4056898 |
| Windows Embedded 8.1 Industry Pro |
Released |
January 3 |
WSUS, Catalog |
KB4056898 |
| Windows Embedded 8.1 Pro |
Released |
January 3 |
WSUS, Catalog |
KB4056898 |
| Windows 8.1 / Windows Server 2012 R2 Monthly Rollup |
Released |
January 8 |
WU, WSUS, Catalog |
KB4056895 |
| Windows Embedded 8.1 Industry Enterprise |
Released |
January 8 |
WU, WSUS, Catalog |
KB4056895 |
| Windows Embedded 8.1 Industry Pro |
Released |
January 8 |
WU, WSUS, Catalog |
KB4056895 |
| Windows Embedded 8.1 Pro |
Released |
January 8 |
WU, WSUS, Catalog |
KB4056895 |
| Windows Server 2012 Security Only |
Coming |
|
WSUS, Catalog |
|
| Windows Server 2008 SP2 |
Coming |
|
WU, WSUS, Catalog |
|
| Windows Server 2012 Monthly Rollup |
Coming |
|
WU, WSUS, Catalog |
|
| Windows Embedded 8 Standard |
Coming |
|
|
|
|
| Windows 7 SP1 / Windows Server 2008 R2 - Security Only Update |
Released |
January 3 |
WSUS, Catalog |
KB4056897 |
| Windows Embedded Standard 7 |
Released |
January 3 |
WSUS, Catalog |
KB4056897 |
| Windows Embedded POSReady 7 |
Released |
January 3 |
WSUS, Catalog |
KB4056897 |
| Windows Thin PC |
Released |
January 3 |
WSUS, Catalog |
KB4056897 |
| Windows 7 SP1 / Windows Server 2008 R2 Monthly Rollup |
Released |
January 4 |
WU, WSUS, Catalog |
KB4056894 |
| Windows Embedded Standard 7 |
Released |
January 4 |
WU, WSUS, Catalog |
KB4056894 |
| Windows Embedded POSReady 7 |
Released |
January 4 |
WU, WSUS, Catalog |
KB4056894 |
| Windows Thin PC |
Released |
January 4 |
WU, WSUS, Catalog |
KB4056894 |
|
| Internet Explorer 11-Cumulative Update for Windows 7 SP1 and Windows 8.1 |
Released |
January 3 |
WU, WSUS, Catalog |
KB4056568 |
Depending on your role, the following support articles will help you identify and mitigate client and server environments that are affected by the Spectre and Meltdown vulnerabilities.
Microsoft blogs discussing Spectre and Meltdown
List of technical resources and customer guidance
Links to OEM and Server device manufacturers for updates to protect again Spectre and Meltdown vulnerabilities
To help address these vulnerabilities, you need to update both your hardware and software. Use the following links to check with your device manufacturer for applicable firmware updates.
List of OEM /Server device manufacturers
Use the following links to check with your device manufacturer for firmware updates. You will have to install both operating system and hardware or firmware updates for all available protections.
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
Quote
