Microsoft Security Advisory 3108638

Update for Windows Hyper-V to Address CPU Weakness

Published: November 10, 2015

Version: 1.0

Executive Summary

Microsoft is announcing the availability of a security update for Windows Hyper-V to protect against a denial of service condition that can be triggered with certain central processing unit (CPU) chipsets. Although the weakness resides in the chipset, Microsoft is issuing this security update to protect customers. The update prevents guests on a Hyper-V system from triggering a weakness in the CPU that could allow instructions from a Hyper-V guest to place its Hyper-V host's CPU into an unresponsive state, leading to a denial of service condition for the guest operating systems running on the affected host. Successful exploitation of the CPU weakness would require kernel-mode code execution privileges on the guest operating system.

The update circumvents the CPU weakness by preventing a guest operating system from triggering the unresponsive state in the host system’s CPU. 

Recommendation. Please see the Suggested Actions section of this advisory for instructions on applying the updates for specific releases of Microsoft Windows.

Advisory Details

Vulnerability References

CVE References CVE-2015-5307 \ CVE-2015-8104 
Microsoft Knowledge Base Article 3108638 
Publicly Disclosed No
Active Attack No

Affected Software

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

Operating System Security Impact Severity Rating Updates Replaced
Windows Server 2008
Windows Server 2008 for x64-based Systems Service Pack 2 (3108604) Denial of Service Important None
Windows Server 2008 R2
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3108604) Denial of Service Important None
Windows 8 and Windows 8.1
Windows 8 for x64-based Systems (Professional and Enterprise editions only) (3108604) Denial of Service Important None
Windows 8.1 for x64-based Systems (Professional and Enterprise editions only) (3108604) Denial of Service Important None
Windows Server 2012 and Windows Server 2012 R2
Windows Server 2012 (3108604) Denial of Service Important None
Windows Server 2012 R2 (3108604) Denial of Service Important None
Windows 10
Windows 10 for x64-based Systems[1](Excluding Home editions) (3105213) Denial of Service Important None
Windows 10 Version 1511 for x64-based Systems[1](Excluding Home editions) (3105211) Denial of Service Important None
Server Core installation option
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (3108604) Denial of Service Important None
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3108604) Denial of Service Important None
Windows Server 2012 (Server Core installation) (3108604) Denial of Service Important None
Windows Server 2012 R2 (Server Core installation) (3108604) Denial of Service Important None

[1]Windows 10 updates are cumulative. In addition to containing non-security updates, they also contain all of the security fixes for all of the Windows 10-affected vulnerabilities shipping with the monthly security release. The updates are available via the Microsoft Update Catalog.

Note Windows Server Technical Preview 3 is affected. Customers running this operating system are encouraged to apply the update, which is available via Windows Update.

Advisory FAQ

What is the scope of the advisory?  The purpose of this advisory is to notify customers of an available security update for Windows Hyper-V to protect against a denial of service condition that can be triggered with certain CPU chipsets.

What does the update do?
The security update bypasses the CPU weakness by preventing a guest operating system from triggering an unresponsive state in the CPU.

Suggested Actions

  • Apply the update for your version of Microsoft Windows

    The majority of customers have automatic updating enabled and will not need to take any action because the updates will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 3097966.

    For administrators and enterprise installations, or end users who want to install the updates manually, Microsoft recommends applying the update immediately using update management software, or by checking for updates using the Microsoft Update service. For more information on how to manually apply the updates, see Microsoft Knowledge Base Article 3108638.

Additional Suggested Actions

  • Protect your PC

    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see Microsoft Safety & Security Center.

  • Keep Microsoft Software Updated

    Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.

Security Update Deployment

For Security Update Deployment information, see Microsoft Knowledge Base Article 3108638.

Other Information

Feedback

Support

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (November 10, 2015): Advisory published.

Page generated 2015-11-09 13:45-08:00.