This article discusses the impact of the recently disclosed processor vulnerabilities, named “Spectre” and “Meltdown,” for Windows customers and provides resources to help keep your devices protected at home, at work, and across your enterprise.
Summary
Microsoft is aware of new vulnerabilities in hardware processors named “Spectre” and “Meltdown”. These are a newly discovered class of vulnerabilities based on a common chip architecture that, when originally designed, was created to speed up computers. The technical name is “speculative execution side-channel vulnerabilities”. You can learn more about these vulnerabilities here and here.
Who is affected?
Affected chips include those manufactured by Intel, AMD, and ARM, which means all devices running Windows operating systems are potentially vulnerable (e.g., desktops, laptops, cloud servers, and smartphones). Devices running other operating systems such as Android, Chrome, iOS, and MacOS are also affected. We advise customers running these operating systems to seek guidance from those vendors.
At this time of publication, we have not received any information to indicate that these vulnerabilities have been used to attack customers.
Protections we’ve provided to date
As of January 3, 2018, Microsoft released several updates to help mitigate these vulnerabilities and help protect customers. We have also deployed updates to secure our cloud services and Internet Explorer and Microsoft Edge browsers. We are continuing to work closely with industry partners including chip makers, device manufacturers, and app vendors.
What steps should I take to protect my devices?
You will need to update both your hardware and your software to address this vulnerability. This includes firmware updates from device manufacturers and, in some cases, updates to your antivirus software as well.
To receive all available protections, follow these steps to get the latest updates for both software and hardware:
Note: Before your begin, make sure your antivirus (AV) software is up to date and compatible. Check your antivirus software manufacturer's website for their latest compatibility information.
Note: Customers who only install the January 2018 Windows operating system security updates from Microsoft will not be fully protected against the vulnerabilities. Antivirus software updates should be installed first. Operating system and firmware updates should follow.
- Keep your Windows device up to date by turning on automatic updates.
- Check that you’ve installed the January 2018 Windows operating system security update from Microsoft. If automatic updates are turned on, the updates should be automatically delivered to you, but you should still confirm that they’re installed. For instructions, see Windows Update: FAQ
- Install available hardware (firmware) updates from your device manufacturer. All customers will need to check with their device manufacturer to download and install their device specific hardware update. See below for a list of device manufacturer websites.
Resources
Depending on your role, the following support articles will help you identify and mitigate client and server environments that are affected by the Spectre and Meltdown vulnerabilities.
Frequently asked questions
- Microsoft Security Advisory: MSRC ADV180002
- Intel: Security Advisory
- ARM: Security Update
- AMD: Security Information
- Microsoft Secure blog: Understanding the Performance Impact of Spectre and Meltdown Mitigations on Windows Systems
- Consumer Guidance: Protecting your device against chip-related security vulnerabilities
- Antivirus Guidance: Windows security updates released January 3, 2018, and antivirus software
- Guidance for AMD Windows OS security update block: KB4073707: Windows operating system security update block for some AMD based devices
- Surface Guidance: Surface Guidance to protect against speculative execution side-channel vulnerabilities
- IT Pro Guidance: Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
- Edge Developer Blog: Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer
- Server Guidance: Windows Server guidance to protect against speculative execution side-channel vulnerabilities
- Server Hyper-V Guidance
- Azure Blog: Securing Azure customers from CPU vulnerability
- Azure KB: KB4073235: Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities
- Azure Stack guidance: KB4073418: Azure stack guidance to protect against the speculative execution side-channel vulnerabilities
- SQL Server guidance: KB4073225: SQL Server Guidance to protect against speculative execution side-channel vulnerabilities
- SCCM guidance: Additional guidance to mitigate speculative execution side-channel vulnerabilities
Where can I find hardware/firmware updates for my device?
Use the links below to check with your device manufacturer for firmware updates. You will need to install both operating system and hardware/firmware updates for all available protections
My OEM device manufacturer is not listed. What do I do?
You will need to check with your device manufacturer for firmware updates. If your device manufacturer is not listed in the table, contact your OEM directly.
Where can I find Surface hardware/firmware updates?
Updates for Microsoft Surface devices will be delivered to customers through Windows Update. For more information, see KB4073065.
If your device is not from Microsoft, apply firmware from the device manufacturer. Contact your device manufacturer for more information.
Where can I find if my Windows OS has updates available?
The security updates released in January 2018 provide mitigations for devices running the following Windows operating systems: x86, x64, ARM64 and ARM.
Product Update Released Released Release Date Release Channel KB Windows 10 - Version 1709 / Windows Server 2016 (1709) / IoT Core - Quality Update Released January 3 WU, WSUS, Catalog, Azure Image Gallery KB4056892 Windows Server 2016 (1709) - Server container Released January 5 Docker Hub KB4056892 Windows 10 - Version 1703 / IoT Core - Quality Update Released January 3 WU, WSUS, Catalog KB4056891 Windows 10 - Version 1607 / Windows Server 2016 / IoT Core- Quality Update Released January 3 WU, WSUS, Catalog KB4056890 Windows Server 2016 (1607) - Container Images Released January 4 Docker Hub KB4056890 Windows 10 - Version 1511 / IoT Core - Quality Update Released January 3 WU, WSUS, Catalog KB4056888 Windows 10 - Version RTM - Quality Update Released January 3 WU, WSUS, Catalog KB4056893 Windows 10 Mobile (OS Build 15254.192) - ARM Released January 5 WU, Catalog KB4073117 Windows 10 Mobile (OS Build 15063.850) Released January 5 WU, Catalog KB4056891 Windows 10 Mobile (OS Build 14393.2007) Released January 5 WU, Catalog KB4056890 Windows 10 HoloLens Released January 5 WU, Catalog KB4056890 Windows 8.1 / Windows Server 2012 R2 - Security Only Update Released January 3 WSUS, Catalog KB4056898 Windows Embedded 8.1 Industry Enterprise Released January 3 WSUS, Catalog KB4056898 Windows Embedded 8.1 Industry Pro Released January 3 WSUS, Catalog KB4056898 Windows Embedded 8.1 Pro Released January 3 WSUS, Catalog KB4056898 Windows 8.1 / Windows Server 2012 R2 Monthly Rollup Released January 8 WU, WSUS, Catalog KB4056895 Windows Embedded 8.1 Industry Enterprise Released January 8 WU, WSUS, Catalog KB4056895 Windows Embedded 8.1 Industry Pro Released January 8 WU, WSUS, Catalog KB4056895 Windows Embedded 8.1 Pro Released January 8 WU, WSUS, Catalog KB4056895 Windows Server 2012 Security Only Coming WSUS, Catalog Windows Server 2008 SP2 Coming WU, WSUS, Catalog Windows Server 2012 Monthly Rollup Coming WU, WSUS, Catalog Windows Embedded 8 Standard Coming Windows 7 SP1 / Windows Server 2008 R2 - Security Only Update Released January 3 WSUS, Catalog KB4056897 Windows Embedded Standard 7 Released January 3 WSUS, Catalog KB4056897 Windows Embedded POSReady 7 Released January 3 WSUS, Catalog KB4056897 Windows Thin PC Released January 3 WSUS, Catalog KB4056897 Windows 7 SP1 / Windows Server 2008 R2 Monthly Rollup Released January 4 WU, WSUS, Catalog KB4056894 Windows Embedded Standard 7 Released January 4 WU, WSUS, Catalog KB4056894 Windows Embedded POSReady 7 Released January 4 WU, WSUS, Catalog KB4056894 Windows Thin PC Released January 4 WU, WSUS, Catalog KB4056894 Internet Explorer 11-Cumulative Update for Windows 7 SP1 and Windows 8.1 Released January 3 WU, WSUS, Catalog KB4056568
My operating system (OS) is not listed. When can I expect a fix to be released?
Addressing a hardware vulnerability with a software update presents significant challenges and mitigations for older operating systems and can require extensive architectural changes. We are continuing to work with affected chip manufacturers and investigating the best way to provide mitigations, which may be provided in a future update. Replacing older devices running these older operating systems should address the remaining risk along with updated antivirus software.
Notes:
Although Windows Vista and Windows XP-based systems are affected products, Microsoft is not issuing an update for them because the comprehensive architectural changes required would jeopardize system stability and cause application compatibility problems. We recommend that security-conscious customers upgrade to a newer supported operating system to keep pace with the changing security threat landscape and benefit from the more robust protections that newer operating systems provide.
- Products currently out of both mainstream and extended support will not receive these OS updates. We recommend customers update to a supported OS version.
- We will not be issuing updates for Windows Vista or Windows XP-based systems including WES 2009 and POSReady 2009.
If I have installed the security updates released by Microsoft on January 3, 2018. Do I need to do anything else?
After you have installed the January Microsoft security update, you will also need to install firmware updates from your device manufacturer. These updates should be available on your device manufacturer's website. Antivirus software updates should be installed first. Operating system and firmware updates can be installed in either order.
Am I fully protected if I only install Windows security updates?
You will need to update both your hardware and your software to address this vulnerability. You will also need to install related firmware updates from your device manufacturer for more comprehensive protection.
Why is it so important to update my device with the latest feature release?
In each Windows 10 feature update, we build the latest security technology deep into the operating system, providing defense-in-depth features that prevent entire classes of malware from impacting your device. Feature update releases are targeted twice a year. In each monthly quality update, we add another layer of security, one that tracks emerging and changing trends in malware to make up-to-date systems safer in the face of changing and evolving threats.
My antivirus software is not listed as being compatible. What should I do?
Microsoft has been working closely with affected antivirus partners to ensure all customers receive the January Windows security updates as soon as possible. If customers are not being offered January security updates, Microsoft recommends customers contact their antivirus provider directly. Recommendations:
I wasn’t offered the Windows security updates that were released on January 3, 2018. What should I do?
- Ensure your devices are up to date with the latest security updates from Microsoft and from your hardware manufacturer. For more info on keeping your device up to date, see Windows Update: FAQ.
- Continue to practice sensible caution when visiting websites of unknown origin and do not remain on sites you do not trust. Microsoft recommends all customers protect their devices by running a supported antivirus program. Customers can also take advantage of built-in antivirus protection: Windows Defender for Windows 10 devices, or Microsoft Security Essentials for Windows 7 devices. These solutions are compatible in cases where customers can’t install or run antivirus software.
To help avoid adversely affecting customer devices, the Windows security updates that were released on January 3, 2018, have not been offered to all customers. For details, see the following: Microsoft Knowledge Base Article 4072699 and Microsoft Knowledge Base Article 4073707.
Source: https://support.microsoft.com/en-us/help/4073757/protect-your-devices-against-spectre-meltdown