Speculative Execution Fixlets Updated in Patches for Windows

This post is to outline changes to Fixlets for mitigating Speculative Execution vulnerabilities in the “Patches for Windows” site. These include mitigations for Meltdown, Spectre, and newer related vulnerabilities as detailed at https://support.microsoft.com/en-us/topic/kb4073119-windows-client-guidance-for-it-pros-to-protect-against-silicon-based-microarchitectural-and-speculative-execution-side-channel-vulnerabilities-35820a8a-ae13-1299-88cc-357f104f5b11.

The updates were published and announced at Content Release: Patches for Windows published 2022-07-11, but this posting is to provide more context on the changes to Speculative Execution mitigations.

Reason for Change

There are multiple layers of mitigations available for Speculative Execution vulnerabilities as detailed in the Microsoft article. These mitigations have varying levels of performance impact upon the system and system owners need to carefully evaluate which protections are most important based on the systems’ security posture and availability requirements. Some extended mitigations apply only to AMD processors, or to Microsoft Hyper-V. The existing Fixlets did not allow for granular detection of which specific mitigations are in place, and reduced the ability to report vulnerability status for each specific mitigation.

The previous Fixlets have multiple Actions, and report “Fixed” when any of the mitigations are in place, preventing reporting on the other related mitigations.

  • 407269801 4072698: Enable mitigations to help protect against speculative execution side-channel vulnerabilities CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown) - Windows Server 2008 / 2008 R2 / 2012 / 2012 R2 / Windows 2016 / Windows 2019

  • 407311901 4073119: Enable mitigations to help protect against speculative execution side-channel vulnerabilities CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown) - Windows 7 / Windows 8.1 / Windows 10

New Fixlets

These new fixlets allow for granular detection of the specific mitigations (FeatureSettings, FeatureSettingsMask, and additional protections for AMD processors and Microsoft Hyper-V) that are in place on the system:

  • 407269808 4072698: Enable mitigations to help protect against CVE-2018-3639 (Speculative Store Bypass) - Windows Server Operating Systems

  • 407269809 4072698: Enable mitigations for additional protection against speculative execution side-channel vulnerabilities CVE-2017-5715 (Spectre Variant 2) for AMD Processors - Windows Server Operating Systems

  • 407269812 4072698: Enable Additional Hyper-V Protections against speculative execution side-channel vulnerabilities - Windows Server Operating Systems with Hyper-V

  • 407269817 4072698: Enable mitigations for speculative execution side-channel vulnerabilities CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown) and (CVE-2022-21123, 21125, 21127, 21166) - Windows Server Operating Systems

  • 407311902 4073119: Enable mitigations for speculative execution side-channel vulnerabilities CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown) and (CVE-2022-21123, 21125, 21127, 21166) - Windows Client Operating Systems

  • 407311904 4073119: Enable mitigations for additional protection against speculative execution side-channel vulnerabilities CVE-2017-5715 (Spectre Variant 2) for AMD Processors - Windows Client Operating Systems

  • 407311905 4073119: Enable mitigations to help protect against CVE-2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2), and CVE-2017-5754 (Meltdown), (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130) - Windows 7 / Windows 8.1 / Win

  • 407311906 4073119: Enable mitigations to help protect against CVE-2018-3639 (Speculative Store Bypass) - Windows Client Operating Systems

  • 407311911 4073119: Enable Additional Hyper-V Protections against speculative execution side-channel vulnerabilities - Windows Client Operating Systems with Hyper-V

Undo Mitigations

The following Fixlets for removing mitigations are unchanged:

  • 407311903 4073119: Disable mitigations to help protect against speculative execution side-channel vulnerabilities - Windows 7 / Windows 8.1 / Windows 10

  • 407269803 4072698: Disable mitigations to help protect against speculative execution side-channel vulnerabilities - Windows Server 2008 / Windows Server 2008 R2 / Windows Server 2012 / Windows Server 2012 R2 / Windows 2016 / Windows 2019

Expected Impacts

Some systems may report Relevant to one or more of these new fixlets, even if the previous Fixlets were used to apply some level of mitigation. Administrators should carefully review these new fixlets and determine whether additional mitigations are warranted in their environments and carefully review the Microsoft guidance above for performance impacts of each mitigation.

These new Fixlets have no Default Action and are published with Source Severity “Unspecified”, with the intent that Patch Policy should not automatically deploy any of these mitigations without specific Administrator action. There are individual CVE listings for each level of mitigation, and CVE reports and the “CVE Search Dashboard” will report these individual vulnerabilities based upon which Fixlets are relevant in your specific configuration.

The Speculative Execution mitigation settings are a complex set of overlapping configuration settings. Please reply back if there are any questions or issues with these updated fixlets.

Thank you,
Jason Walker
HCL BigFix

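One way to see which mitigation profile a host actually has configured, independent of which Fixlet reports Relevant, as an added example that is not part of the original post or of the BigFix Fixlets: a PowerShell function that reads the registry values KB4073119 documents (FeatureSettingsOverride, FeatureSettingsOverrideMask and MinVmVersionForCpuBasedMitigations) and maps them to the documented profiles. The function name and the profile table are mine; the Override values in the table are recalled from the KB and should be checked against the linked article before you rely on them.

```powershell
# Added example (not from the forum post or the BigFix Fixlets): report which
# KB4073119 mitigation profile a Windows host has configured in the registry.
# Registry paths and value names are those documented in the KB; the Override
# table below is reproduced from the KB from memory, so verify it against the KB.
function Get-SpecExecMitigationState {
    $mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

    # Absent values ($null) mean the OS default applies: the KB describes the
    # Spectre v2 / Meltdown mitigations as on by default for clients, off for servers.
    $mmProps  = Get-ItemProperty -Path $mm   -ErrorAction SilentlyContinue
    $virtProp = Get-ItemProperty -Path $virt -ErrorAction SilentlyContinue
    $override = $mmProps.FeatureSettingsOverride
    $mask     = $mmProps.FeatureSettingsOverrideMask
    $minVm    = $virtProp.MinVmVersionForCpuBasedMitigations

    # FeatureSettingsOverride values documented in KB4073119, each paired with Mask = 3.
    $profiles = @{
        0    = 'Spectre v2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) mitigations enabled'
        3    = 'Spectre v2 and Meltdown mitigations disabled'
        8    = 'SSBD (CVE-2018-3639) enabled, plus Spectre v2 and Meltdown'
        64   = 'Additional AMD protection for Spectre v2, plus Spectre v2 and Meltdown'
        72   = 'SSBD plus MDS / MMIO stale-data class mitigations, plus Spectre v2 and Meltdown'
        8264 = 'Same as 72, with Hyper-Threading disabled'
    }

    if ($null -eq $override -and $null -eq $mask) {
        $profile = 'No explicit override configured: OS default applies'
    } elseif ($null -eq $override -or $null -eq $mask -or $mask -ne 3 -or
              -not $profiles.ContainsKey([int]$override)) {
        # Partially configured or undocumented combination: do not guess, flag it.
        $profile = 'Unrecognised Override/Mask combination: review manually'
    } else {
        $profile = $profiles[[int]$override]
    }

    # The KB enables the additional Hyper-V protections with the REG_SZ value "1.0".
    $hvState = if ($minVm -eq '1.0') { 'Enabled' } else { 'Not configured' }

    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        MitigationProfile           = $profile
        HyperVMinVmVersion          = $minVm
        HyperVProtections           = $hvState
    }
}

Get-SpecExecMitigationState | Format-List
```

These registry values only take effect after a reboot, so they describe intent rather than the running kernel's state; for the live state use Get-SpeculationControlSettings from Microsoft's SpeculationControl PowerShell module.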

For the content from HCL that contains “4072698”, I do not see any references to Windows Server 2022.

Does anyone know if only 2019 and older were affected by the spectre/meltdown updates?