KB4073065: Surface guidance to protect against silicon-based microarchitectural and speculative execution side-channel vulnerabilities

Introduction

Since January 2018, the Surface team has been publishing firmware updates for a class of silicon-based issues that involve microarchitectural and speculative execution side-channel vulnerabilities. The Surface team continues to work closely with the Windows team and industry partners to protect customers. To get all available protection, both firmware and Windows system updates are required.

Summary

__

Vulnerabilities announced in June 2022

The Surface team is aware of new silicon-based microarchitectural and speculative execution side-channel attack variants that also affect Surface products. For more information about the vulnerabilities and mitigations, see the following security advisory:

• Microsoft Security Advisory ADV220002
  We are working together with our partners to provide updates to Surface products as soon as we can make sure the updates meet our quality requirements. For more information about updates for Surface devices, see Surface update history.

__

Vulnerabilities announced in May 2019

The Surface team is aware of new speculative execution side-channel attack variants that also affect Surface products. Mitigation of those vulnerabilities requires an operating system update and a Surface UEFI update that includes new microcode. For more information about the vulnerabilities and mitigations, see the following security advisory:

• Microsoft Security Advisory ADV190013This advisory includes the following vulnerabilities:

  • CVE-2018-12126 | Microarchitectural Store Buffer Data Sampling (MSBDS)
  • CVE-2018-12130 | Microarchitectural Fill Buffer Data Sampling (MFBDS)
  • CVE-2018-12127 | Microarchitectural Load Port Data Sampling (MLPDS)
  • CVE-2019-11091 | Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
    In addition to installing the Windows Operating System security updates, Surface has released UEFI updates through Windows Update and the Download Center for the following devices:

• Surface 3 - July 11, 2019 update

• Surface Pro 3 - July 11, 2019 update

• Surface Pro 4 - June 27, 2019 update

• Surface Book - June 27, 2019 update

• Surface Studio - July 11, 2019 update

• Surface Pro (5th Gen) - June 27, 2019 update

• Surface Laptop - June 27, 2019 update

• Surface Book 2 - June 27, 2019 update

• Surface Pro 6 - June 27, 2019 update

• Surface Laptop 2 - June 27, 2019 update

• Surface Studio 2- July 31, 2019 update

• Surface GO WiFi - July 23, 2019 update

• Surface GO LTE - July 23, 2019 update
  In addition to the new microcode, a new UEFI setting that is known as “Simultaneous Multi-Threading (SMT)” will be available when the UEFI update is installed. This setting allows a user to disable Hyper-Threading.Notes

• If you decide to disable Hyper-Threading, we recommend that you use the new SMT UEFI setting.

• Disabling SMT provides additional protection against these new vulnerabilities and the L1 Terminal Fault attack that was announced earlier. However, this method also affects the performance of the device.

• Surface 3 and Surface Studio with Intel Core i5 do not have SMT. Therefore, those devices do not have this new setting.

• The Microsoft Surface Enterprise Management Mode (SEMM) UEFI configurator tool version 2.43.139 or later supports the new SMT setting. The tools can be downloaded from this webpage. Download the following required tools:

  • SurfaceUEFI_Configurator_v2.43.139.0.msi
  • SurfaceUEFI_Manager_v2.43.139.0.msi

__

Vulnerability announced in August 2018

The Surface team is aware of a new speculative execution side-channel attack called L1 Terminal Fault (L1TF) and assigned CVE-2018-3620 (OS and SMM) and CVE-2018-3646 (VMM). Affected Surface products are the same as in the “Vulnerabilities Announced in May 2018” section of this article. The microcode updates that mitigate the May 2018 findings also mitigate L1TF (CVE-2018-3646). For more information about the vulnerability and mitigations, see the following security advisory:

• Microsoft Security Advisory ADV180018This advisory includes the following vulnerabilities:
  • CVE-2018-3620
  • CVE-2018-3646
    The security advisory proposes that customers who are using Virtualization Based Security (VBS), which includes security features such as Credential Guard and Device Guard, should consider disabling Hyper-Threading in order to fully eliminate the risk from L1TF.

__

Vulnerabilities announced in May 2018

The Surface team has become aware of new speculative execution side-channel attack variants that also affect Surface products. Mitigation of those vulnerabilities requires UEFI updates that use new microcode. For more information about the vulnerabilities and mitigations, see the following security advisories:

• Microsoft Security Advisory ADV180012This advisory includes the following vulnerability:
  • CVE-2018-3639
• Microsoft Security Advisory ADV180013This advisory includes the following vulnerability:
  • CVE-2018-3640
    In addition to installing the Windows Operating System security updates, Surface has released UEFI updates through Windows Update and the Download Center for the following devices:
• Surface Book 2 - August 1, 2018 update
• Surface Book - August 21, 2018 update
• Surface Laptop - July 25, 2018 update
• Surface Studio - October 1, 2018 update
• Surface Pro 4 - July 25, 2018 update
• Surface Pro 3 - August 7, 2018 update
• Surface Pro Model 1796 and Surface Pro with Advanced LTE Model 1807 - July 26, 2018 update

__

Vulnerabilities announced in January 2018

The Surface team is aware of the publicly disclosed class of vulnerabilities that involve speculative execution side-channel (known as Spectre and Meltdown) that affect many modern processors and operating systems, including Intel, AMD, and ARM. For more information about the vulnerabilities and mitigations, see the following security advisory:

• Microsoft Security Advisory ADV180002This advisory includes the following vulnerabilities:
  • CVE-2017-5753
  • CVE-2017-5715
  • CVE-2017-5754
    For more information about Windows software updates, see the following knowledge base articles:
• KB4073757
• KB4073119 (client guidance)
  In addition to installing the January 3 Windows Operating System Security Updates, Surface has released UEFI updates through Windows Update and the Download Center for the following devices:
• Surface Book 2 - (Update history)
• Surface Book - (Update history)
• Surface Laptop - (Update history)
• Surface Studio - (Update history)
• Surface Pro 4 - (Update history)
• Surface Pro 3 - (Update History)
• Surface 3 - (Update History)
• Surface Pro Model 1796 and Surface Pro with Advanced LTE Model 1807- (Update History)
  These updates are available for devices that are running Windows 10 Creators Update (build 15063) and later versions.

More information

The Surface Hub operating system, Windows 10 Team, has implemented defense-in-depth strategies. Because of this, we believe that exploits that use these vulnerabilities are significantly reduced on Surface Hub when running Windows 10 Team operating system. For more information, see the following topic on the Windows IT Pro Center website: Differences between Surface Hub and Windows 10 Enterprise. The Surface team is focused on making sure that our users have a secure and reliable experience. We will continue to monitor and update devices as required to address these vulnerabilities and keep the devices reliable and secure.

References

__

Third-party information disclaimer

We provide third-party contact information to help you find technical support. This contact information may change without notice. We do not guarantee the accuracy of this third-party contact information.