Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities

description-logoDescription

Executive Summary

On May 14, 2019, Intel published information about a new subclass of speculative execution side channel vulnerabilities known as Microarchitectural Data Sampling. An attacker who successfully exploited these vulnerabilities may be able to read privileged data across trust boundaries. In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another. In non-browsing scenarios on standalone systems, an attacker would need prior access to the system or an ability to run a specially crafted application on the target system to leverage these vulnerabilities. These vulnerabilities are known as: CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS) CVE-2018-12130 - Microarchitectural Fill Buffer Data Sampling (MFBDS) CVE-2018-12127 - Microarchitectural Load Port Data Sampling (MLPDS) CVE-2019-11091 - Microarchitectural Data Sampling Uncacheable Memory (MDSUM) Important: These issues will affect other systems such as Android, Chrome, iOS, Linux, and MacOS. We advise customers seek to guidance from their respective vendors. Microsoft has released software updates to help mitigate these vulnerabilities. To get all available protections, firmware (microcode) and software updates are required. This may include microcode from device OEMs. In some cases, installing these updates will have a performance impact. We have also acted to secure our cloud services. Microsoft has no information to indicate that these vulnerabilities have been used to attack customers at this time. Microsoft continues working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers.

Recommended Actions

To protect your system from these vulnerabilities, Microsoft recommends that you take the following actions, and refer to the subsequent sections for links to further information for your specific situation:
    The best protection is to keep computers up to date. This includes installing OS and microcode updates.
To be fully protected, customers may also need to disable Hyper-Threading (also known as Simultaneous Multi Threading (SMT)). Please see Knowledge Base Article 4073757for guidance on protecting Windows devices. OEMs might also provide additional guidance. Customers using Surface products should seeMicrosoft Knowledge Base Article 4073065.
    Microsoft recommends that enterprise customers review this advisory in detail and register for the security notifications mailer to be alerted of content changes to this advisory. SeeMicrosoft Technical Security Notifications. Software developers should review the C++ developer guidance for speculative execution side channels. Verify the status of protections for the various CVEs by running the PowerShell script Get-SpeculationControlSettings. For more information and to obtain the PowerShell script seeUnderstanding Get-SpeculationControlSettings PowerShell script output.
Important Please note that at the release of this advisory, microcode updates are not available for the following versions of Windows. These microcode updates will be released at a later date. Microsoft recommends that customers running these versions of Windows install applicable Windows updates in the meantime: Windows 10 Version 1803 for x64-based Systems Windows Server, version 1803 (Server Core Installation) Windows 10 Version 1809 for x64-based Systems Windows Server 2019 Windows Server 2019 (Server Core installation)

Microsoft Windows client customers

Customers using Windows client operating systems need to apply both firmware (microcode) and software updates. SeeMicrosoft Knowledge Base Article 4073119 for additional information. Microsoft is making available Intel-validated microcode updates for Windows 10 operating systems. Please seeMicrosoft Knowledge Base Article 4093836 for the current Intel microcode updates. In addition, customers should check to see if their OEM is providing additional guidance on updates and mitigations. Surface Support Article 4073065 provides more information to Surface customers.

Microsoft Windows Server customers

Customers using Windows server operating systems listed in theAffected Productstable need to apply firmware (microcode) and software updates as well as to configure protections. SeeMicrosoft Knowledge Base Article 4072698for additional information, including workarounds. Microsoft Azure has taken steps to address the security vulnerabilities at the hypervisor level to protect Windows Server VMs running in Azure. More information can be foundhere.

Microsoft cloud customers

Microsoft has already deployed mitigations across our cloud services. More information is availablehere.

Microsoft SQL Server customers

In scenarios running Microsoft SQL Server, customers should follow the guidance outlined inMicrosoft Knowledge Base Article 4073225.

Microsoft HoloLens customers

Updates to Windows 10 for HoloLens are available to HoloLens customers through Windows Update. AfterapplyingtheFebruary 2018 Windows Security UpdateHoloLens customers do not need to take any additional action to update their device firmware. These mitigations will also be included in all future releases of Windows 10 for HoloLens.

Potential performance impacts

Specific performance impact varies by hardware generation and implementation by the chip manufacturer. For most consumer devices, impact on performance may not be noticeable. Some customers may have to disable Hyper-Threading (SMT) to fully address the risk from MDS vulnerabilities. In testing Microsoft has seen some performance impact with these mitigations, in particular when hyperthreading is disabled. Microsoft values the security of its software and services and has made the decision to implement certain mitigation strategies in an effort to better secure our products. In some cases, mitigations are not enabled by default to allow users and administrators to evaluate the performance impact and risk exposure before deciding to enable the mitigations. We continue to work with hardware vendors to improve performance while maintaining a high level of security.

References

See the following for further information from Intel: Intel Security advisory (Intel-SA-00233): https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html Software Security Guidance for developers: https://software.intel.com/security-software-guidance/software-guidance/microarchitectural-data-sampling MDS: https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html www.intel.com/securityfirst

FAQ

1. When will the firmware updates be available? If you have a non-Microsoft device, we suggest contacting your OEM for this information. 2. Will there be updates for Windows operating systems? Yes. Please see the Security Updates table. 3. I am running Windows Server 2008 for x64-based Systems. Is an update available for my system? At the time of release, an update is not available for Windows Server 2008 for x64-based Systems. When the update is available, customers will be notified through a revision to this advisory. If you wish to be notified when the update is released, Microsoft recommends that you register for the security notifications mailer to be alerted of content changes to this advisory. SeeMicrosoft Technical Security Notifications. 4. Where can I find information regarding other speculative side-channel execution vulnerabilities? For information on Microsoft guidance for Spectre and Meltdown vulnerabilities, see ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities. For information about Microsoft guidance for CVE-2018-3639, seeADV180012 | Microsoft Guidance for Speculative Store Bypass. For information about Microsoft guidance for CVE-2018-3640, see ADV180013 | Microsoft Guidance for Rogue System Register Read For information about Microsoft guidance for L1 Terminal Fault vulnerabilities, see ADV180018 | Microsoft Guidance to mitigate L1TF variant

affected-products-logoAffected Applications

Windows Server version 1903 (Server Core installation)
Windows Server 2016
Windows Server version 1803 (Server Core Installation)
Windows Server 2012
Windows 8
Windows 7
Windows 10
Windows Server 2008
Windows Server 2019