This article will be updated as additional information becomes available. Please check back here regularly for updates and new FAQ.
Microsoft is aware of a new publicly disclosed class of vulnerabilities that are called “speculative execution side-channel attacks” and that affect many modern processors including Intel, AMD, VIA, and ARM.
Note This issue also affects other operating systems, such as Android, Chrome, iOS, and macOS. Therefore, we advise customers to seek guidance from those vendors.
We have released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See the following sections for more details.
We have not yet received any information to indicate that these vulnerabilities were used to attack customers. We are working closely with industry partners including chip makers, hardware OEMs, and application vendors to protect customers. To get all available protections, firmware (microcode) and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software.
This article addresses the following vulnerabilities:
Windows Update will also provide Internet Explorer and Edge mitigations. We will continue to improve these mitigations against this class of vulnerabilities.
To learn more about this class of vulnerabilities, see
UPDATED ON May 14, 2019 On May 14, 2019, Intel published information about a new subclass of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling. They have been assigned the following CVEs:
Important These issues will affect other systems such as Android, Chrome, iOS, and MacOS. We advise customers seek guidance from their respective vendors.
Microsoft has released updates to help mitigate these vulnerabilities. To get all available protections, firmware (microcode) and software updates are required. This may include microcode from device OEMs. In some cases, installing these updates will have a performance impact. We have also acted to secure our cloud services. We strongly recommend deploying these updates.
For more information about this issue, see the following Security Advisory and use scenario-based guidance to determine actions necessary to mitigate the threat:
Note We recommend that you install all of the latest updates from Windows Update before you install any microcode updates.
UPDATED ON AUGUST 6, 2019 On August 6, 2019 Intel released details about a Windows kernel information disclosure vulnerability. This vulnerability is a variant of the Spectre Variant 1 speculative execution side channel vulnerability and has been assigned CVE-2019-1125.
On July 9, 2019 we released security updates for the Windows operating system to help mitigate this issue. Please note that we held back documenting this mitigation publicly until the coordinated industry disclosure on Tuesday, August 6, 2019.
Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically. There is no further configuration necessary.
Note This vulnerability does not require a microcode update from your device manufacturer (OEM).
For more information about this vulnerability and applicable updates , see the Microsoft Security Update Guide:
CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability
UPDATED ON NOVEMBER 12, 2019 On November 12, 2019, Intel published a technical advisory around Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability that is assigned CVE-2019-11135. Microsoft has released updates to help mitigate this vulnerability and the OS protections are enabled by default for Windows Server 2019 but disabled by default for Windows Server 2016 and earlier Windows Server OS editions.