Windows 10: Windows Server Guidance against speculative execution vulnerabilities

Brink · Jan 4, 2018

Windows Server guidance to protect against speculative execution side-channel vulnerabilities

Summary

Microsoft is aware of a new publicly disclosed class of vulnerabilities that are referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems, including chipsets from Intel, AMD, and ARM.

Note This issue also affects other systems, such as Android, Chrome, iOS, and MacOS, so we advise customers to seek guidance from those vendors.

Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See the following sections for more information.

Microsoft has not yet received any information to indicate that these vulnerabilities have been used to attack customers. Microsoft continues working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers. To get all available protections, hardware/firmware and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software as well.

This advisory addresses the following vulnerabilities:

CVE-2017-5715 (branch target injection)

CVE-2017-5753 (bounds check bypass)

CVE-2017-5754 (rogue data cache load)

To learn more about this class of vulnerabilities, see ADV180002.

Overview

The following sections will help you identify, mitigate, and remedy Windows Server environments that are affected by the vulnerabilities identified in Microsoft Security Advisory ADV180002 on how to enable the update for your systems.

To address these issues, Microsoft is working with the hardware industry to develop mitigations and guidance.

Recommended actions

Customers should take the following actions to help protect against the vulnerabilities:

Apply the Windows operating system update. For details on how to enable this update, see Microsoft Knowledge Base Article 4072699.

Make necessary configuration changes to enable protection.

Apply an applicable firmware update from the OEM device manufacturer.

Important Customers who only install the Windows update will not receive the benefit of all known protections.

Windows Servers-based machines (physical or virtual) should get the Windows security updates that were released on January 3, 2018, and are available from Windows Update. The following updates are available:

Operating system version Update KB Windows Server, version 1709 (Server Core Installation) 4056892 Windows Server 2016 4056890 Windows Server 2012 R2 4056898 Windows Server 2012 Not available Windows Server 2008 R2 4056897 Windows Server 2008 Not available
In addition to installing the January security update, a processor microcode update is required. This should be available through your OEM.

Enabling protections on server

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 - How to back up and restore the registry in Windows

Customers need to enable mitigations to help protect against speculative execution side-channel vulnerabilities.

Enabling these mitigations may affect performance. The actual performance impact will depend on multiple factors, such as the specific chipset in your physical host and the workloads that are running. Microsoft recommends that customers assess the performance impact for their environment and make necessary adjustments.

Your server is at increased risk if it is in one of the following categories:

Hyper-V hosts

Remote Desktop Services Hosts (RDSH)

For physical hosts or virtual machines that are running untrusted code such as containers or untrusted extensions for database, untrusted web content or workloads that run code that is provided from external sources.

Use these registry keys to enable the mitigations on server:

Switch | registry settings To enable the mitigations
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

To disable the mitigations
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Verifying protections are enabled

To help confirm whether protections have been enabled, Microsoft has published a PowerShell script that customers can run on their systems. Install and run the script by running the following commands:

PowerShell Verification Temporarily set PowerShell script execution policy
PS> Set-ExecutionPolicy Unrestricted -Scope Process -Force

Install the PowerShell module
PS > Install-Module SpeculationControl -Force

Run the PowerShell module to validate protections are enabled
PS > Get-SpeculationControlSettings
The output of this PowerShell script will look like the following. Enabled protections will show in the output as “True”.

Code: PS C:\> Get-SpeculationControlSettings Speculation control settings for CVE-2017-5715 [branch target injection] Hardware support for branch target injection mitigation is present: True Windows OS support for branch target injection mitigation is present: True Windows OS support for branch target injection mitigation is enabled: True Speculation control settings for CVE-2017-5754 [rogue data cache load] Hardware requires kernel VA shadowing: True Windows OS support for kernel VA shadow is present: True Windows OS support for kernel VA shadow is enabled: True Windows OS support for PCID optimization is enabled: True
Click to expand...

Additional information

Q1: I wasn’t offered the Windows security updates that were released on January 3, 2018. What should I do?
A1: To help avoid adversely affecting customer devices, the Windows security updates that were released on January 3, 2018, have not been offered to all customers. For details, see Microsoft Knowledge Base Article 4073225.

Q2: How can I tell if I have the right version of the CPU microcode?
A2: The microcode is delivered through a firmware update. Consult with your OEM about the firmware version that has the appropriate update for your CPU.

Q3: Why aren't Windows Server 2008 and Windows Server 2012 platforms getting an update? When can customers expect the fix?
A3: Addressing a hardware vulnerability through a software update presents significant challenges, and mitigations for older operating systems require extensive architectural changes. Microsoft continues to work with affected chip manufacturers to investigate the best way to provide mitigations.

Q4: What is the performance impact for the mitigations?
A4: There are multiple variables that affect the performance of these mitigations, ranging from the CPU version to the running workloads. In some systems, the performance impact will be negligible, and in others it will be considerable.

Microsoft recommends that customers assess the performance impact for their systems and make adjustments if necessary.

Q5: I am running Windows Server in a third-party hosted environment or cloud. What should I do?
A5: In addition to the guidance above to address virtual machines, you need to contact your service provider to make sure that the hosts that are running your virtual machines are adequately protected.

For Windows Server virtual machines running in Azure, see Microsoft Knowledge Base Article 4073235.

Q6: Are there any Windows Server container-specific guidelines?
A6: The January update for Windows Server container images for Windows Server 2016 and Windows Server 10, version 1709 include the mitigations for this set of vulnerabilities, and no additional configuration is required.

Note that you still need to make sure that the host where these containers are running is configured with the appropriate mitigations.

Q7: Do the software and hardware updates have to be installed in a particular order?
A7: No, the installation order doesn't matter.

Q8: Do I need to reboot after the microcode but before the OS update?
A8: Yes, you must reboot between the microcode and OS updates.

[/quote]
Source: https://support.microsoft.com/en-us/...tive-execution

:)

Darlene Hamilton · Jan 4, 2018

Windows 10 we cannot connect to the update service

Apparently the problem is solved. It seemed to be "cured" by a Windows Update since then. I tried to manually update, and got that to work once (finding the update site was almost an exercise in futility, but I finally managed.) At least I assume it was
a later update. I singed on and did not observe the problem any more. I DO say that I've had to "re-register" Spotlight several times since the first update problem appeared, but even that seems to have worked itself out.

So, yes; it looks good, now, but I have no idea what the cause was.
Click to expand...

PLEASE READ :

Microsoft Security Advisory:
MSRC ADV180002

Intel:
Security Advisory

ARM:
Security Advisory

AMD:
Security Advisory

NVIDIA:
Security Advisory

Microsoft Secure blog:
Understanding the Performance Impact of Spectre and Meltdown Mitigations on Windows Systems

Windows for Business blog:
Windows Analytics now helps assess Meltdown and Spectre protections

Consumer Guidance:
Protecting your device against chip-related security vulnerabilities

Antivirus Guidance:
Windows security updates released January 3, 2018, and antivirus software

Guidance for AMD Windows OS security update block:
KB4073707: Windows operating system security update block for some AMD based devices

Update to Disable Mitigation against Spectre, Variant 2:
KB4078130: Intel has identified reboot issues with microcode on some older processors

Surface Guidance:
Surface Guidance to protect against speculative execution side-channel vulnerabilities

IT Pro Guidance:
Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

Edge Developer Blog:
Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer

Server Guidance:
Windows Server guidance to protect against speculative execution side-channel vulnerabilities

Server Hyper-V Guidance

Virtual Machine Resource Controls

Hyper-V Host CPU Resource Management

Azure Blog:
Securing Azure customers from CPU vulnerability

Azure KB:
KB4073235: Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities

Azure Stack guidance:
KB4073418: Azure stack guidance to protect against the speculative execution side-channel vulnerabilities

SQL Server guidance:
KB4073225: SQL Server Guidance to protect against speculative execution side-channel vulnerabilities

SCCM guidance:
Additional guidance to mitigate speculative execution side-channel vulnerabilities

'Mike P · Jan 4, 2018

Regarding KB4078130

Note Users who
do not have the affected Intel microcode do not have to download this update.

We are also offering a new option – available for
advanced users on affected devices – to manually disable and enable the mitigation against Spectre Variant 2 (CVE 2017-5715) independently through registry setting changes. The instructions for the registry key settings
can be found in the following Knowledge Base articles:

KB4073119: IT Pro Guidance

KB4072698:
Server Guidance

Windows 10: Windows Server Guidance against speculative execution vulnerabilities

Windows Server Guidance against speculative execution vulnerabilities

Windows Server Guidance against speculative execution vulnerabilities

Windows Server Guidance against speculative execution vulnerabilities - Similar Threads - Server Guidance against

Microsoft CVE-2017-5715: Guidance to mitigate speculative execution side-channel...

Manage Speculative Execution Settings Script for Windows

Windows client guidance for IT Pros to protect against speculative

Guidance to mitigate unconstrained delegation vulnerabilities

Surface Guidance for speculative execution side-channel vulnerability

SQL Server Guidance against speculative execution vulnerabilities

Mitigating speculative execution side channel hardware vulnerabilities

Azure Stack Guidance against speculative execution vulnerabilities

Windows Client Guidance against speculative execution vulnerabilities