Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities
Executive Summary
On May 14, 2019, Intel published information about a new subclass of speculative execution side channel vulnerabilities known as Microarchitectural Data Sampling. An attacker who successfully exploited these vulnerabilities may be able to read privileged data across trust boundaries. In shared resource environments (such as exist in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another. In non-browsing scenarios on standalone systems, an attacker would need prior access to the system or an ability to run a specially crafted application on the target system to leverage these vulnerabilities. These vulnerabilities are known as:
- CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS)
- CVE-2018-12130 - Microarchitectural Fill Buffer Data Sampling (MFBDS)
- CVE-2018-12127 - Microarchitectural Load Port Data Sampling (MLPDS)
- CVE-2019-11091 - Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
Important: These issues will affect other systems such as Android, Chrome, iOS, Linux, and MacOS. We advise customers to seek guidance from their respective vendors.
Microsoft has released software updates to help mitigate these vulnerabilities. To get all available protections, firmware (microcode) and software updates are required. This may include microcode from device OEMs. In some cases, installing these updates will have a performance impact. We have also acted to secure our cloud services. Microsoft has no information to indicate that these vulnerabilities have been used to attack customers at this time. Microsoft continues working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers.
Recommended Actions
To protect your system from these vulnerabilities, Microsoft recommends that you take the following actions, and refer to the subsequent sections for links to further information for your specific situation:
- The best protection is to keep computers up to date. This includes installing OS and microcode updates.
- Microsoft recommends that enterprise customers review this advisory in detail and register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
- Software developers should review the C++ developer guidance for speculative execution side channels.
- Verify the status of protections for the various CVEs by running the PowerShell script Get-SpeculationControlSettings. For more information and to obtain the PowerShell script see Understanding Get-SpeculationControlSettings PowerShell script output.
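The verification step above, as an added example (not code from the advisory): it loads the SpeculationControl module and reports whether the MDS mitigation is both present and enabled on this host. It assumes the module is installable from the PowerShell Gallery and that the returned object carries the MDS* property names and the -Quiet switch as the module documents them; treat those names as assumptions and compare against your module version's own output.

```powershell
# Added example: check MDS (CVE-2018-12126/12130/12127, CVE-2019-11091)
# mitigation state on the local Windows host. Run from an elevated session.
# Assumptions: SpeculationControl module from the PowerShell Gallery; property
# names MDSHardwareVulnerable, MDSWindowsSupportPresent, MDSWindowsSupportEnabled.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force

if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl

# -Quiet suppresses the human-readable report; we inspect the object instead.
$status = Get-SpeculationControlSettings -Quiet

$hardwareVulnerable = [bool]$status.MDSHardwareVulnerable
$osSupportPresent   = [bool]$status.MDSWindowsSupportPresent   # software update installed
$osSupportEnabled   = [bool]$status.MDSWindowsSupportEnabled   # mitigation active (needs microcode too)

[pscustomobject]@{
    Host               = $env:COMPUTERNAME
    HardwareVulnerable = $hardwareVulnerable
    OSSupportPresent   = $osSupportPresent
    OSSupportEnabled   = $osSupportEnabled
    Mitigated          = (-not $hardwareVulnerable) -or ($osSupportPresent -and $osSupportEnabled)
} | Format-List

# Non-zero exit lets a fleet inventory job flag hosts that still need
# the OS update, the OEM microcode update, or the mitigation enabled.
if ($hardwareVulnerable -and -not ($osSupportPresent -and $osSupportEnabled)) {
    Write-Warning "MDS mitigation is not fully in effect; apply OS and microcode updates."
    exit 1
}
exit 0
```

OSSupportPresent true with OSSupportEnabled false typically means the Windows update is installed but the CPU microcode (from Microsoft or the device OEM) is still missing.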
Microsoft Windows client customers
Customers using Windows client operating systems need to apply both firmware (microcode) and software updates. See Microsoft Knowledge Base Article 4073119 for additional information. Microsoft is making available Intel-validated microcode updates for
- Windows Server, version 1903 (Server Core installation)
- Windows Server 2016
- Windows Server, version 1803 (Server Core installation)
- Windows Server 2012
- Windows 8
- Windows 7
- Windows 10
- Windows Server 2008
- Windows Server 2019