Are you safe from Meltdown and Spectre?
Even if you have installed patches from Windows Update, your PC may not be completely safe against CPU flaws like Meltdown and Spectre. Here’s how you can check if you’re fully protected, and what to do if you aren’t.
For complete protection against Meltdown and Spectre, you’ll need to install a UEFI or BIOS update from your PC’s manufacturer as well as the various software patches. These UEFI updates contain new Intel processor microcode that adds additional protection against these attacks. Unfortunately, you don't get these via a conventional Windows Update—unless you’re using a Microsoft Surface device—so they must be downloaded from your manufacturer’s website and installed manually.
How to Check if Your PC Is Really Protected
Microsoft has made available a PowerShell script that will quickly tell you whether your PC is protected or not. It is run from a PowerShell prompt, so no extra tools are required.
If you’re a Windows 7 user, you will first need to download the Windows Management Framework 5.0 software, which installs a newer version of PowerShell on your system; otherwise the script won’t run properly (you certainly don't want that). If you use Windows 10, you need not worry about the PowerShell installation as it's already there.
On Windows 10, right-click the Start button and select Windows PowerShell (Admin). On lower versions like Windows 7 or 8.1, search the Start menu for PowerShell, right-click on Windows PowerShell shortcut, and then Run as Administrator.
Type the following command into the PowerShell prompt and press Enter to install the script on your system:
Install-Module SpeculationControl
If you’re prompted to install the NuGet provider, type y and press Enter. You may need to type y again and press Enter to trust the software repository.
The standard execution policy won't allow you to run this script. So, in order to run it, first save the current setting so you can restore it later, then change the execution policy so the script can run. To do this, run the following two commands:
$SaveExecutionPolicy = Get-ExecutionPolicy
Set-ExecutionPolicy RemoteSigned -Scope Currentuser
Type y and press Enter when you’re prompted to confirm.
Enter the following two commands to actually run the script:
Import-Module SpeculationControl
Get-SpeculationControlSettings
Now you should see information about whether your PC has the appropriate hardware and software support. Look for two lines in particular:
- The Windows OS support for branch target injection mitigation refers to the software update from Microsoft. This needs to be present to protect against both Meltdown and Spectre attacks.
- The Hardware support for branch target injection mitigation refers to the UEFI firmware/BIOS update that you’ll need from your PC manufacturer. This needs to be present to protect against certain Spectre attacks.
In the output shown below, the command indicates that we have the Windows patch, but not the UEFI/BIOS update.
This command also shows whether your CPU has the PCID performance optimization hardware feature, which makes the fix perform more speedily. This feature is present in Intel Haswell and later CPUs, while older Intel CPUs lack this hardware support and may see more of a performance hit after installing these patches.
To reset the execution policy to its original settings after you’re done, run the following command:
Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser
Type y and press Enter when prompted to confirm.
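The whole procedure above, from saving the execution policy to restoring it, can be wrapped in one script so the policy is put back even if a step fails. This is an added example, not Microsoft's script or code from the original article; it assumes the output object of Get-SpeculationControlSettings exposes the properties BTIWindowsSupportPresent, BTIWindowsSupportEnabled, BTIHardwarePresent and KVAShadowPcidEnabled, and that it is run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): runs the manual steps above
# in one go and always restores the execution policy, even on error.
# Assumed property names on the result object: BTIWindowsSupportPresent,
# BTIWindowsSupportEnabled, BTIHardwarePresent, KVAShadowPcidEnabled.
$SaveExecutionPolicy = Get-ExecutionPolicy -Scope CurrentUser
try {
    Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

    # Install the module only if it is not already present.
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    $r = Get-SpeculationControlSettings

    # The two lines the article tells you to look for.
    if ($r.BTIWindowsSupportPresent -and $r.BTIWindowsSupportEnabled) {
        Write-Output "Windows OS support for branch target injection mitigation: present and enabled"
    } else {
        Write-Output "Windows OS support for branch target injection mitigation: MISSING -> run Windows Update"
    }
    if ($r.BTIHardwarePresent) {
        Write-Output "Hardware (UEFI/BIOS microcode) support: present"
    } else {
        Write-Output "Hardware (UEFI/BIOS microcode) support: MISSING -> install the firmware update from your PC maker"
    }

    # PCID only affects how expensive the fix is, not whether you are protected.
    if ($r.KVAShadowPcidEnabled) {
        Write-Output "PCID performance optimization: enabled"
    } else {
        Write-Output "PCID performance optimization: not available (expect a larger performance hit)"
    }
}
finally {
    # Put the execution policy back whether or not the checks above succeeded.
    Set-ExecutionPolicy $SaveExecutionPolicy -Scope CurrentUser -Force
}
```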
How to Get the Windows Update Patch
If “Windows OS support for branch target injection mitigation is present” is false, it means that your computer hasn’t yet installed the operating system update that protects you from these attacks.
To get the patch on Windows 10, head over to Settings > Update & security > Windows Update and then click Check for updates to install any available updates. On Windows 7 you can do so by going to Control Panel > System and Security > Windows Update and clicking Check for updates.
Note: If you use a computer running on an AMD processor, the update might not be visible at the moment. Microsoft has temporarily paused issuing the update on systems with AMD processors due to some problems. Do check back for updates in the future.
If no updates are found, your antivirus software might be the problem, as Windows won’t install it if your antivirus software isn’t yet compatible. Contact your antivirus software provider and ask for more information about when their software will be compatible with the Meltdown and Spectre patch in Windows. This spreadsheet shows which antivirus software has been updated for compatibility with the patch.
How to Get the UEFI/BIOS Update
If “Hardware support for branch target injection mitigation is present” is false, you’ll need to get the UEFI firmware or BIOS update from your PC’s manufacturer via their online support. If you built your own PC, check your motherboard manufacturer’s website for an update.
Once you’ve found the support page for your PC, head to the Driver Downloads section and look for any new versions of the UEFI firmware or BIOS. You need a firmware update that contains the December 2017/January 2018 microcode from Intel. If you don’t see one, check back later, as it may not be available yet.
Once the update has been downloaded, follow the instructions in the readme file to install it. Usually this involves putting the update file on a flash drive, then launching the update process from your UEFI or BIOS interface, but the process will vary from PC to PC.
Intel announced that it will release updates for about 90% of processors released in the last five years by January 12, 2018. But, after Intel has released those processor microcode updates, manufacturers will still need to package them up and distribute them to you. It’s still unclear what is going to happen with older CPUs.
After you’ve installed the update, you can double-check and see whether the fix is enabled by running the installed script again. It should show Hardware support for branch target injection mitigation as true.
You Also Need to Patch Your Browser and/or Other Applications
The Windows update and BIOS update aren’t the only two updates you need. You’ll also need to patch your web browser, for example. If you use Microsoft Edge or Internet Explorer, the patch is included in the Windows Update. For Google Chrome and Mozilla Firefox, you’ll need to ensure you have the latest version—these browsers automatically update themselves unless you’ve gone out of your way to change that, so most users won’t have to do much. Initial fixes are available in Firefox 57.0.4, which has already been released. Google Chrome will receive patches starting with Chrome 64, which is scheduled for release on January 23, 2018.
Browsers aren’t the only piece of software that needs to be updated. Some hardware drivers may be vulnerable to Spectre attacks and need updates as well. Any application that interprets untrusted code—like how web browsers interpret JavaScript code on web pages—needs an update to protect against Spectre attacks. This is just one more good reason to keep all your software up to date, all the time.