Surface Guidance to protect against speculative execution side-channel vulnerabilities

Applies to: Surface Pro 4, Surface Book, Surface Studio, Surface Pro (latest), Surface Laptop, Surface Pro with LTE Advanced, Surface Book 2 - 13 inch, Surface Book 2 - 15 inch


Introduction

Since January 2018, the Surface team has been publishing firmware updates for a new class of hardware vulnerabilities that involve speculative execution side channels. At this time, the Surface team has not received any information to indicate that these vulnerabilities have been used to attack customers, and the team continues to work closely with the Windows team and industry partners to protect customers. To get all available protection, both firmware and Windows system updates are required.

Summary

Vulnerabilities Announced in May 2018
The Surface team has become aware of new speculative execution side-channel attack variants that also affect Surface products. Mitigation of those vulnerabilities requires UEFI updates that use new microcode. For more information about the vulnerabilities and mitigations, see the following security advisories:


We are working with our partners to provide updates to the following Surface products as soon as we can make sure that the updates meet our quality requirements:

  • Surface Book 2
  • Surface Book
  • Surface Laptop
  • Surface Studio
  • Surface Pro 4
  • Surface Pro 3
  • Surface Pro Model 1796 and Surface Pro with Advanced LTE Model 1807


Vulnerabilities Announced in January 2018
The Surface team is aware of the publicly disclosed class of vulnerabilities that involve speculative execution side channels (known as Spectre and Meltdown) that affect many modern processors and operating systems, including Intel, AMD, and ARM. For more information about the vulnerabilities and mitigations, see the following security advisory:

Microsoft Security Advisory ADV180002

For more information about Windows software updates, see the following Knowledge Base articles:

  • 4073757 Protect your Windows devices against Spectre and Meltdown vulnerabilities
  • 4073119 Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

In addition to installing the January 3 Windows Operating System Security Updates, Surface has released UEFI updates through Windows Update and the Download Center for the following devices:


These updates are available for devices that are running Windows 10 Creators Update (build 15063) and later versions.


More Information

Note: Surface Hub has implemented defense-in-depth strategies. For more information, go to the following topic on the Microsoft website:

Differences between Surface Hub and Windows 10 Enterprise

Because of this, we believe that exploits that use these vulnerabilities are significantly reduced on Surface Hub.

The Surface team is focused on making sure that our users have a secure and reliable experience. We will continue to monitor and update devices as required to address these vulnerabilities and keep the device reliable and secure.


Source: https://support.microsoft.com/en-us/...n-side-channel


See also: Surface devices and the new speculative execution side-channel vulnerabilities (May 2018)