Microsoft CVE-2017-5754: Guidance to mitigate speculative execution side-channel vulnerabilities

Microsoft is aware of a new publicly disclosed class of vulnerabilities referred to as 'speculative execution side-channel attacks' that affect many modern processors and operating systems including Intel, AMD, and ARM. Note: this issue will affect other systems such as Android, Chrome, iOS, MacOS, so we advise customers to seek out guidance from those vendors.

An attacker who successfully exploited these vulnerabilities may be able to read privileged data across trust boundaries. In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another. In non-browsing scenarios on standalone systems, an attacker would need prior access to the system or an ability to run code on the system to leverage these vulnerabilities.

Microsoft has released updates to help mitigate these vulnerabilities. To get all available protections, firmware (microcode) and software updates are required. This may include microcode from device OEMs and in some cases updates to AV software as well. In some cases, installing these updates will have a performance impact. We have also taken action to secure our cloud services.

Microsoft has no information to indicate that these vulnerabilities have been used to attack customers at this time. Microsoft continues working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers.

Please review Microsoft Security Advisory ADV180002 for more details.