Windows 10: Protect your Windows devices against Spectre and Meltdown

Page 1 of 9 123 ... LastLast
  1. Brink's Avatar
    Posts : 32,382
    64-bit Windows 10 Pro build 18242
       09 Jan 2018 #1

    Protect your Windows devices against Spectre and Meltdown


    Summary

    This article discusses the impact of the recently disclosed processor vulnerabilities, named “Spectre” and “Meltdown,” for Windows customers. This article also provides resources to help keep your devices protected at home, at work, and across your enterprise.

    Microsoft is aware of new vulnerabilities in hardware processors named “Spectre” and “Meltdown”. These are a newly discovered class of vulnerabilities based on a common chip architecture that, when originally designed, was created to speed up computers. The technical name is “speculative execution side-channel vulnerabilities”. You can learn more about these vulnerabilities at Google Project Zero.

    In January, Microsoft released information about a newly discovered class of hardware vulnerabilities (known as Spectre and Meltdown) that involve speculative execution side channels that affect AMD, ARM, and Intel CPUs to varying degrees. On May 21, 2018 Google Project Zero (GPZ), Microsoft, and Intel disclosed two new chip vulnerabilities that are related to the Spectre and Meltdown issues that are known as Speculative Store Bypass (SSB) and Rogue System Registry Read.

    The customer risk from both disclosures is low.

    For more information about these vulnerabilities, see resources listed in this article under the heading May 2018 Windows operating system updates, under New speculative execution side-channel vulnerability disclosure (Speculative Store Bypass - CVE-2018-3639 and Rogue System Register Read - CVE-2018-3640).

    Steps to help protect your Windows devices

    What steps should I take to protect my devices?

    You will need to update both your hardware and your software to address this vulnerability. This includes applicable firmware updates from device manufacturers and, in some cases, updates to your antivirus software as well. We encourage you to keep your devices up-to-date by installing the monthly security updates.

    To receive all available protections, follow these steps to get the latest updates for both software and hardware.

    Note   Note
    Before your begin, make sure your antivirus (AV) software is up to date and compatible. Check your antivirus software manufacturer's website for their latest compatibility information.

    • Keep your Windows device up to date by turning on automatic updates.
    • Check that you’ve installed the latest Windows operating system security update from Microsoft. If automatic updates are turned on, the updates should be automatically delivered to you, but you should still verify that they’re installed. For instructions, see Windows Update: FAQ
    • Install available hardware (firmware) updates from your device manufacturer. All customers will have to check with their device manufacturer to download and install their device specific hardware update. See the "Additional resources" section for a list of device manufacturer websites.
      Note   Note
      Customers should install the latest Windows operating system security updates from Microsoft to take advantage of available protections. Antivirus software updates should be installed first. Operating system and firmware updates should follow. We encourage you to keep your devices up-to-date by installing the monthly security updates.

    Who is affected?

    Affected chips include those that are manufactured by Intel, AMD, and ARM. This means that all devices that are running Windows operating systems are potentially vulnerable. This includes desktops, laptops, cloud servers, and smartphones. Devices that are running other operating systems, such as Android, Chrome, iOS, and MacOS, are also affected. We advise customers who are running these operating systems to seek guidance from those vendors.

    At this time of publication, we have not received any information to indicate that these vulnerabilities have been used to attack customers.

    Protections we’ve provided to date

    Starting in January 2018, Microsoft released updates for Windows operating systems and the Internet Explorer and Edge web browsers to help mitigate these vulnerabilities and help to protect customers. We also released updates to secure our cloud services. We continue working closely with industry partners, including chip makers, hardware OEMs, and app vendors, to protect customers against this class of vulnerability.

    We encourage you to always install the monthly updates to keep your devices up-to-date and secure.

    We will update this documentation when new mitigations become available and recommend you check back here regularly.

    June 2018 Windows operating system updates

    Announcing Windows support for Speculative Store Bypass Disable (SSBD) in Intel processors

    On June 12th Microsoft announced Windows support for Speculative Store Bypass Disable (SSBD) in Intel processors. The updates require corresponding microcode/firmware and registry updates for functionality. For information about the updates and the steps to apply to turn on SSBD, see the "Recommended actions" section in ADV180012 | Microsoft Guidance for Speculative Store Bypass.

    May 2018 Windows operating system updates

    New speculative execution side-channel vulnerability disclosure (Speculative Store Bypass - CVE-2018-3639 and Rogue System Register Read - CVE-2018-3640)
    In January 2018, Microsoft released information about a newly discovered class of hardware vulnerabilities (known as Spectre and Meltdown) that involve speculative execution side channels that affect AMD, ARM, and Intel CPUs to varying degrees. On May 21, 2018 Google Project Zero (GPZ), Microsoft, and Intel disclosed two new chip vulnerabilities that are related to the Spectre and Meltdown issues that are known as Speculative Store Bypass (SSB) and Rogue System Registry Read.

    The customer risk from both disclosures is low.

    For more information about these vulnerabilities, see the following resources:


    Enable usage of Indirect Branch Prediction Barrier (IBPB) for Spectre Variant 2 for AMD processors (CPUs)
    Applies to: Windows 10 Version 1607, Windows Server 2016, Windows Server 2016 (Server Core installation), and Windows Server, version 1709 (Server Core installation)

    We have provided support to control usage of Indirect Branch Prediction Barrier (IBPB) within some AMD processors (CPUs) for mitigating CVE-2017-5715, Spectre Variant 2 when switching from user context to kernel context. (For more information, see AMD Architecture Guidelines around Indirect Branch Control and AMD Security Updates).

    Customers who are running Windows 10 Version 1607, Windows Server 2016, Windows Server 2016 (Server Core installation), and Windows Server, version 1709 (Server Core installation) must install security update 4103723 for additional mitigations for AMD processors for CVE-2017-5715, Branch Target Injection. This update is also available via Windows Update.

    Follow the instructions outlined in KB4073119 for Windows Client (IT Pro) guidance and KB4072698 for Windows Server guidance to enable usage of IBPB within some AMD processors (CPUs) for mitigating Spectre Variant 2 when switching from user context to kernel context.

    Intel microcode updates for Windows 10 version 1803 and Windows Server version 1803
    Microsoft is making available Intel validated microcode updates around Spectre Variant 2 (CVE 2017-5715 “Branch Target Injection”). To get the latest Intel microcode updates via Windows Update, customers must have installed Intel microcode on devices running a Windows 10 operating system prior to upgrading to the Windows 10 April 2018 Update (version 1803).

    The microcode update is also available directly from Catalog if it was not installed on the device prior to upgrading the OS. Intel microcode is available via Windows Update, WSUS, or the Microsoft Update Catalog. For more information and download instructions, see KB4100347.

    We will offer additional microcode updates from Intel for the Windows operating system as they become available to Microsoft.

    Intel microcode updates
    Microsoft is making available Intel validated microcode updates around Spectre Variant 2 [CVE 2017-5715 ("Branch Target Injection”)]. KB4093836 lists specific Knowledge Base articles by Windows version. Each specific KB contains the latest available Intel microcode updates by CPU.

    We will offer additional microcode updates from Intel for the Windows operating system as they become available to Microsoft.

    April 2018 Windows operating system updates

    Enable usage of Indirect Branch Prediction Barrier (IBPB) for Spectre Variant 2 for AMD processors (CPUs)
    Applies to Windows 10 version 1709

    We have provided support to control usage of Indirect Branch Prediction Barrier (IBPB) within some AMD processors (CPUs) for mitigating CVE-2017-5715, Spectre Variant 2 when switching from user context to kernel context. (For more information, see AMD Architecture Guidelines around Indirect Branch Control and AMD Security Updates).

    Follow the instructions outlined in KB 4073119 for Windows Client (IT Pro) guidance to enable usage of IBPB within some AMD processors (CPUs) for mitigating Spectre Variant 2 when switching from user context to kernel context.

    Intel microcode updates
    Microsoft is making available Intel validated microcode updates around Spectre Variant 2 [CVE 2017-5715 ("Branch Target Injection”)]. KB4093836 lists specific Knowledge Base articles by Windows version. Each specific KB contains the latest available Intel microcode updates by CPU.

    We will offer additional microcode updates from Intel for the Windows operating system as they become available to Microsoft.

    March 2018 Windows operating system updates

    March 23, TechNet Security Research & Defense: KVA Shadow: Mitigating Meltdown on Windows

    March 14, Security Tech Center: Speculative Execution Side Channel Bounty Program Terms

    March 13, blog: March 2018 Windows Security Update – Expanding Our Efforts to Protect Customers

    March 1, blog: Update on Spectre and Meltdown security updates for Windows devices

    Intel microcode updates
    Microsoft is making available Intel validated microcode updates around Spectre Variant 2 [CVE 2017-5715 ("Branch Target Injection”)]. KB4093836 lists specific Knowledge Base articles by Windows version. Each specific KB contains the available Intel microcode updates by CPU .

    We will offer additional microcode updates from Intel for the Windows operating system as they become available to Microsoft.

    Windows operating system updates for 32-bit (x86) systems
    Starting in March 2018, Microsoft released security updates to provide mitigations for devices running the following x86-based Windows operating systems. Customers should install latest Windows operating system security updates to take advantage of available protections. We are working to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates. For more information, see the related knowledge base article for technical details and the FAQ below.

    Product update released Released Release date Release channel KB
    Windows 8.1 & Windows Server 2012 R2 - Security Only Update Released 13-Mar WSUS, Catalog, KB4088879
    Windows 7 SP1 & Windows Server 2008 R2 SP1 - Security Only Update Released 13-Mar WSUS, Catalog KB4088878
    Windows Server 2012 - Security Only Update
    Windows 8 Embedded Standard Edition - Security Only Update
    Released 13-Mar WSUS, Catalog KB4088877
    Windows 8.1 & Windows Server 2012 R2 - Monthly Rollup Released 13-Mar WU, WSUS, Catalog KB4088876
    Windows 7 SP1 & Windows Server 2008 R2 SP1 - Monthly Rollup Released 13-Mar WU, WSUS, Catalog KB4088875
    Windows Server 2012 - Monthly Rollup
    Windows 8 Embedded Standard Edition - Monthly Rollup
    Released 13-Mar WU, WSUS, Catalog KB4088877
    Windows Server 2008 SP2 Released 13-Mar WU, WSUS, Catalog KB4090450

    Windows operating system updates for 64-bit (x64) systems
    Starting in March 2018, Microsoft released security updates to provide mitigations for devices running the following x64-based Windows operating systems. Customers should install latest Windows operating system security updates to take advantage of available protections. We are working to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates. For more information, see the related knowledge base article for technical details and the FAQ later in this article.

    Product update released Released Release date Release channel KB
    Windows Server 2012 - Security Only Update
    Windows 8 Embedded Standard Edition - Security Only Update
    Released 13-Mar WSUS, Catalog KB4088877
    Windows Server 2012 - Monthly Rollup
    Windows 8 Embedded Standard Edition - Monthly Rollup
    Released 13-Mar WU, WSUS, Catalog KB4088877
    Windows Server 2008 SP2 Released 13-Mar WU, WSUS, Catalog KB4090450

    Windows kernel update for CVE-2018-1038

    This update addresses an elevation of privilege vulnerability in the Windows kernel in the 64-Bit (x64) version of Windows. This vulnerability is documented in CVE-2018-1038. Users must apply this update to be fully protected against this vulnerability if their computers were updated on or after January 2018 by applying any of the following updates.


    Cumulative security update for Internet Explorer
    This security update resolves several reported vulnerabilities in Internet Explorer. To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures.

    Product update released Released Release date Release channel KB
    Internet Explorer 10 - Cumulative Update for Windows 8 Embedded Standard Edition Released 13-Mar WU, WSUS, Catalog KB4089187

    February 2018 Windows operating system updates

    Blog: Windows Analytics now helps assess Spectre and Meltdown protections

    Windows operating system updates for 32-bit (x86) systems
    The following security updates provide additional protections for devices running 32-bit (x86) Windows operating systems. Microsoft recommends customers install the update as soon as available. We continue to work to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates.

    Note: Windows 10 monthly security updates are cumulative month over month and will be downloaded and installed automatically from Windows Update. If you have installed earlier updates, only the new portions will be downloaded and installed on your device. For more information, see the related knowledge base article for technical details and the FAQ below.

    Product update released Released Release date Release channel KB
    Windows 10 - Version 1709 / Windows Server 2016 (1709) / IoT Core - Quality Update Released January 31 WU, Catalog KB4058258
    Windows Server 2016 (1709) - Server container Released February 13 Docker Hub KB4074588
    Windows 10 - Version 1703 / IoT Core - Quality Update Released February 13 WU, WSUS, Catalog KB4074592
    Windows 10 - Version 1607 / Windows Server 2016 / IoT Core - Quality Update Released February 13 WU, WSUS, Catalog KB4074590
    Windows 10 HoloLens - OS and Firmware Updates Released February 13 WU, Catalog KB4074590
    Windows Server 2016 (1607) - Container Images Released February 13 Docker Hub KB4074590
    Windows 10 - Version 1511 / IoT Core - Quality Update Released February 13 WU, WSUS, Catalog KB4074591
    Windows 10 - Version RTM - Quality Update Released February 13 WU, WSUS, Catalog KB4074596

    January 2018 Windows operation system updates

    Blog: Understanding the Performance Impact of Spectre and Meltdown Mitigations on Windows Systems

    Windows operating system updates for 64-bit (x64) systems
    Starting in January 2018, Microsoft released security updates to provide mitigations for devices running the following x64-based Windows operating systems. Customers should install latest Windows operating system security updates to take advantage of available protections. We are working to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates. For more information, see the related knowledge base article for technical details and the FAQ below.

    Product Update Released Released Release Date Release Channel KB
    Windows 10 - Version 1709 / Windows Server 2016 (1709) / IoT Core - Quality Update Released January 3 WU, WSUS, Catalog, Azure Image Gallery KB4056892
    Windows Server 2016 (1709) - Server container Released January 5 Docker Hub KB4056892
    Windows 10 - Version 1703 / IoT Core - Quality Update Released January 3 WU, WSUS, Catalog KB4056891
    Windows 10 - Version 1607 / Windows Server 2016 / IoT Core- Quality Update Released January 3 WU, WSUS, Catalog KB4056890
    Windows Server 2016 (1607) - Container Images Released January 4 Docker Hub KB4056890
    Windows 10 - Version 1511 / IoT Core - Quality Update Released January 3 WU, WSUS, Catalog KB4056888
    Windows 10 - Version RTM - Quality Update Released January 3 WU, WSUS, Catalog KB4056893
    Windows 10 Mobile (OS Build 15254.192) - ARM Released January 5 WU, Catalog KB4073117
    Windows 10 Mobile (OS Build 15063.850) Released January 5 WU, Catalog KB4056891
    Windows 10 Mobile (OS Build 14393.2007) Released January 5 WU, Catalog KB4056890
    Windows 10 HoloLens Released January 5 WU, Catalog KB4056890
    Windows 8.1 / Windows Server 2012 R2 - Security Only Update Released January 3 WSUS, Catalog KB4056898
    Windows Embedded 8.1 Industry Enterprise Released January 3 WSUS, Catalog KB4056898
    Windows Embedded 8.1 Industry Pro Released January 3 WSUS, Catalog KB4056898
    Windows Embedded 8.1 Pro Released January 3 WSUS, Catalog KB4056898
    Windows 8.1 / Windows Server 2012 R2 Monthly Rollup Released January 8 WU, WSUS, Catalog KB4056895
    Windows Embedded 8.1 Industry Enterprise Released January 8 WU, WSUS, Catalog KB4056895
    Windows Embedded 8.1 Industry Pro Released January 8 WU, WSUS, Catalog KB4056895
    Windows Embedded 8.1 Pro Released January 8 WU, WSUS, Catalog KB4056895
    Windows Server 2012 Security Only Coming WSUS, Catalog
    Windows Server 2008 SP2 Coming WU, WSUS, Catalog
    Windows Server 2012 Monthly Rollup Coming WU, WSUS, Catalog
    Windows Embedded 8 Standard Coming
    Windows 7 SP1 / Windows Server 2008 R2 - Security Only Update Released January 3 WSUS, Catalog KB4056897
    Windows Embedded Standard 7 Released January 3 WSUS, Catalog KB4056897
    Windows Embedded POSReady 7 Released January 3 WSUS, Catalog KB4056897
    Windows Thin PC Released January 3 WSUS, Catalog KB4056897
    Windows 7 SP1 / Windows Server 2008 R2 Monthly Rollup Released January 4 WU, WSUS, Catalog KB4056894
    Windows Embedded Standard 7 Released January 4 WU, WSUS, Catalog KB4056894
    Windows Embedded POSReady 7 Released January 4 WU, WSUS, Catalog KB4056894
    Windows Thin PC Released January 4 WU, WSUS, Catalog KB4056894
    Internet Explorer 11-Cumulative Update for Windows 7 SP1 and Windows 8.1 Released January 3 WU, WSUS, Catalog KB4056568

    Resources and technical guidance

    Depending on your role, the following support articles will help you identify and mitigate client and server environments that are affected by the Spectre and Meltdown vulnerabilities.

    Microsoft blogs discussing Spectre and Meltdown

    List of technical resources and customer guidance

    Links to OEM and Server device manufacturers for updates to protect again Spectre and Meltdown vulnerabilities

    To help address these vulnerabilities, you need to update both your hardware and software. Use the following links to check with your device manufacturer for applicable firmware updates.

    List of OEM /Server device manufacturers

    Use the following links to check with your device manufacturer for firmware updates. You will have to install both operating system and hardware or firmware updates for all available protections.



    Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.


    Read more: https://support.microsoft.com/en-us/...ectre-meltdown


    See also:
    Last edited by Brink; 02 Jul 2018 at 10:38.
      My ComputersSystem Spec

  2.    09 Jan 2018 #1

    Where to find the list of updated and compatible antivirus-programs?
      My ComputerSystem Spec

  3.   My ComputersSystem Spec

  4.    09 Jan 2018 #3

    Thank you, Brink :).
      My ComputerSystem Spec

  5. Brink's Avatar
    Posts : 32,382
    64-bit Windows 10 Pro build 18242
    Thread Starter
       09 Jan 2018 #4

      My ComputersSystem Spec

  6. f14tomcat's Avatar
    Posts : 36,371
    Triple boot - Win 10 Pro, Win 10 Pro Insider (2) - (and a sprinkling of VMs)
       09 Jan 2018 #5

    Timely, timely, timely! Wish there were a way you could pin this to the top of Forum main page. :) Thank you!
      My ComputersSystem Spec

  7. emailx45's Avatar
    Posts : 15
    Windows 10 PRO build 1803
       09 Jan 2018 #6

    Microsoft halts distribution of Spectre & Meltdown fixes on AMD systems after reports of unbootable PCs

    Windows OS security update block for some AMD based devices - Windows 10 Forums
    Last edited by Brink; 09 Jan 2018 at 18:14. Reason: updated link
      My ComputerSystem Spec


  8. Posts : 15
    win10 64x home retail
       10 Jan 2018 #7

    Funny.. MSI also a big player and nothing but silence even on their forums...
      My ComputerSystem Spec


  9. Posts : 37,567
    Dual boot Windows 10 FCU Pro x 64 & current Insider 10 Pro
       10 Jan 2018 #8

    Thanks for putting this all together in one place, Shawn. :)

    I see ASUS nor AMD aren't concerned about the vulnerability. Why is it all just Intel?
      My ComputersSystem Spec

  10. Fabler2's Avatar
    Posts : 538
    Windows 10 preview 64-bit Pro
       10 Jan 2018 #9

    Many thanks Brink.
      My ComputerSystem Spec


 
Page 1 of 9 123 ... LastLast

Related Threads
I am running FCU Win 10 Pro on a MSI P35 Neo F v1 motherboard with Core 2 Duo E8400 CPU. I have ran the MS controlsettings script which informs me I am protected from Spectre by Windows Update but not Meltdown without a BIOS/Microcode update. As...
Emergency Windows Meltdown patch locks some AMD PCs into endless loop - TechRepublic
Source: Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems Microsoft Secure
Source: Meltdown and Spectre: what you need to know - Malwarebytes Labs | Malwarebytes Labs See also: Windows Client Guidance against speculative execution vulnerabilities - Windows 10 Forums
Hi,I have purchased the above machine and need some advice on a few aspects...HP have loaded their own updater/messages/support software which I would like to unload. Is this safe and recommended? Will removing this also remove any HP loaded device...
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 02:27.
Find Us