How To Patch and Verify Meltdown and Spectre Protection on Windows PCs


Meltdown and Spectre, arguably the biggest vulnerabilities discovered in modern computers to date, are flaws at the processor level that affect almost every chip sold in the last 20 years. The affected chips include those manufactured by Intel, AMD, and ARM, which means that practically every device running Windows is potentially vulnerable, including desktops, laptops, cloud servers, and smartphones.


The good news is that, at least at this moment, there are no reported incidents of these vulnerabilities being used to attack end users. That gives us a little breathing room to get all our systems patched, so that no sensitive information leaks through these side-channel attacks when they do arrive.

What is Meltdown/Spectre?

I won’t go into the details of what it is and how it works, because there are already plenty of materials out there that will help you understand it in depth. It is also a very complicated technical issue that many tech-savvy people have had a hard time wrapping their heads around.

That’s why I really like this simplified version by CloudFlare, which explains the Meltdown/Spectre bugs for a non-technical audience.

For those who also would like to learn it more technically, there’s a paper on Meltdown and a separate one on Spectre.

Recommended steps to patch Meltdown/Spectre

According to Microsoft, these are the three recommended steps to help protect against the vulnerabilities.

  1. Verify that you are running a supported Antivirus program before installing OS or Firmware patches and make sure the definition data is up-to-date.
  2. Install the latest updates from Microsoft, including the January 2018 Windows Security Updates.
  3. Install the BIOS/firmware update provided by the device manufacturer.

So, to plug the hole left by Meltdown/Spectre, you need to patch not only at the software level, with Windows Update, but also at the hardware level, with a firmware update. The latter is the more painful and tedious of the two: you need to find the model of your computer, download the applicable patch from the manufacturer’s website, and then install it. Luckily, almost every major vendor has prepared a page that helps you find and download the firmware patch for your computer.

  • Acer: https://us.answers.acer.com/app/answers/detail/a_id/53104
  • Asus: https://www.asus.com/News/YQ3Cr4OYKdZTwnQK
  • Dell: https://www.dell.com/support/meltdown-spectre
  • Fujitsu
  • HP: https://support.hp.com/document/c05869091
  • Lenovo: https://support.lenovo.com/us/en/solutions/len-18282
  • LG: https://www.lg.com/us/support
  • Panasonic: https://pc-dl.panasonic.co.jp/itn/vuln/g18-001.html
  • Samsung: http://www.samsung.com/uk/support/intel_update/
  • Surface: Surface Guidance to protect against speculative execution side-channel vulnerabilities
  • Toshiba: http://go.toshiba.com/intel-side-channel
  • Vaio: https://solutions.vaio.com/3316

Resources

  • Guidance to mitigate speculative execution side-channel vulnerabilities – ADV180002
  • Protect your Windows devices against Spectre and Meltdown – KB4073757

How to verify whether I am protected

The PowerShell team has published a PowerShell module called SpeculationControl that queries the speculation control settings of a system, so you can confirm whether the protections against the Meltdown/Spectre vulnerabilities have been enabled.

To install the module, open a PowerShell window as Administrator and run the following cmdlet.

Install-Module SpeculationControl

Answer “Y” twice along the way.

[Screenshot: Install-Module SpeculationControl running in PowerShell]

Note that on Windows 7 you will need to download the module first and load it with the Import-Module cmdlet.

Import-Module path-to-downloaded-module

To check the vulnerability, use:

Get-SpeculationControlSettings

Set the execution policy if needed:

Set-ExecutionPolicy Unrestricted

The script checks the system and lists the status of each mitigation required for protection, along with the actions suggested to patch your system, as shown below.

[Screenshot: Get-SpeculationControlSettings output on an unpatched system]

Once all the recommended actions have been taken, including the firmware patch, every setting listed by the cmdlet shows a green “True”.
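Here is the whole check from above wrapped into one script, as an added example that is not part of the original post or of the SpeculationControl module: it saves the current execution policy and restores it afterwards, installs the module only if it is missing, and reduces the cmdlet output to a single verdict plus the actions still outstanding. The property names it reads (BTIHardwarePresent, BTIWindowsSupportPresent, BTIWindowsSupportEnabled, KVAShadowRequired, KVAShadowWindowsSupportPresent, KVAShadowWindowsSupportEnabled) are the ones returned by the module; the grouping into a Spectre verdict and a Meltdown verdict is my own. Run it from an elevated PowerShell window.

```powershell
# Added example (not from the original post or the SpeculationControl module):
# install the module if needed, run Get-SpeculationControlSettings, and turn
# its output into a protected/not-protected verdict with outstanding actions.
# Run from an elevated PowerShell window.

# Scope the execution-policy change to the current user and remember the old
# value so it can be restored; RemoteSigned is sufficient for a module
# installed from the PowerShell Gallery, so Unrestricted is not needed.
$savedPolicy = Get-ExecutionPolicy -Scope CurrentUser
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

try {
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module SpeculationControl -Force
    }
    Import-Module SpeculationControl

    # The cmdlet prints the human-readable report and returns an object with
    # the individual settings; only the object is captured here.
    $s = Get-SpeculationControlSettings

    $actions = @()

    # CVE-2017-5715 (Spectre variant 2, branch target injection) needs both
    # the vendor firmware/microcode update and the Windows mitigation enabled.
    if (-not $s.BTIHardwarePresent) {
        $actions += 'Install the vendor BIOS/firmware (microcode) update for CVE-2017-5715'
    }
    if (-not $s.BTIWindowsSupportPresent) {
        $actions += 'Install the January 2018 (or later) Windows security update'
    }
    elseif (-not $s.BTIWindowsSupportEnabled) {
        $actions += 'Windows support for the branch target injection mitigation is present but not enabled'
    }

    # CVE-2017-5754 (Meltdown) is mitigated by kernel VA shadowing, but only
    # processors that are affected need it (KVAShadowRequired is False otherwise).
    if ($s.KVAShadowRequired -and -not $s.KVAShadowWindowsSupportPresent) {
        $actions += 'Install the Windows update that adds kernel VA shadowing (CVE-2017-5754)'
    }
    elseif ($s.KVAShadowRequired -and -not $s.KVAShadowWindowsSupportEnabled) {
        $actions += 'Kernel VA shadowing is present but not enabled'
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        SpectreV2     = [bool]($s.BTIHardwarePresent -and $s.BTIWindowsSupportEnabled)
        Meltdown      = [bool]((-not $s.KVAShadowRequired) -or $s.KVAShadowWindowsSupportEnabled)
        Protected     = ($actions.Count -eq 0)
        ActionsNeeded = ($actions -join '; ')
    } | Format-List
}
finally {
    # Put the execution policy back the way it was, even if something failed.
    Set-ExecutionPolicy $savedPolicy -Scope CurrentUser -Force
}
```

The point of the summary object is that “Protected” is only true when the firmware piece is in place too: BTIHardwarePresent comes from the microcode, so a machine with every Windows update installed but no BIOS update will still report SpectreV2 as False and list the firmware update as the outstanding action.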

[Screenshot: Get-SpeculationControlSettings output on a fully patched system]

If you have a large network to take care of, you can verify Meltdown/Spectre protections remotely as well, though I haven’t tested that out personally. Alternatively, you can use

Enter-PSSession -ComputerName Remote_Computer

to get into the remote computer first, and then run the PowerShell cmdlets described above to manually check the protection for the vulnerability, as long as you have the proper credentials to remote in.

[Screenshot: remote PowerShell session opened with Enter-PSSession]

If it cannot connect, review the WinRM setup, or simply run the Enable-PSRemoting cmdlet on the remote computer to set everything up for you.

[Screenshot: Enable-PSRemoting output]
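For more than a handful of machines, logging into each one with Enter-PSSession gets old quickly. The script below is an added example (not from the original post) that runs the same check over WinRM against a list of computers with Invoke-Command and collects one row per host, including hosts that could not be reached, so you end up with a report instead of a pile of screenshots. It assumes PowerShell remoting is enabled on the targets (Enable-PSRemoting), that the account running it is an administrator on them, and that the SpeculationControl module is already installed on each target; the host names are constructed placeholders.

```powershell
# Added example (not from the original post): fleet-wide Meltdown/Spectre
# status over WinRM. Assumes remoting is enabled on the targets, the caller
# has admin rights on them, and the SpeculationControl module is installed
# there. Host names below are constructed placeholders.
$computers = @('WKS-001', 'WKS-002', 'SRV-FILE01')

$results = foreach ($c in $computers) {
    try {
        Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
            Import-Module SpeculationControl -ErrorAction Stop
            $s = Get-SpeculationControlSettings
            [pscustomobject]@{
                ComputerName  = $env:COMPUTERNAME
                Reachable     = $true
                # Spectre v2: microcode (firmware) present and OS mitigation enabled
                SpectreV2     = [bool]($s.BTIHardwarePresent -and $s.BTIWindowsSupportEnabled)
                # Meltdown: the CPU either does not need KVA shadowing or has it enabled
                Meltdown      = [bool]((-not $s.KVAShadowRequired) -or $s.KVAShadowWindowsSupportEnabled)
                # True means the vendor BIOS/firmware update is still missing
                NeedsFirmware = [bool](-not $s.BTIHardwarePresent)
                Error         = $null
            }
        } | Select-Object ComputerName, Reachable, SpectreV2, Meltdown, NeedsFirmware, Error
    }
    catch {
        # WinRM not enabled, firewall, name resolution, or no admin rights:
        # record the failure and carry on with the next host.
        [pscustomobject]@{
            ComputerName  = $c
            Reachable     = $false
            SpectreV2     = $null
            Meltdown      = $null
            NeedsFirmware = $null
            Error         = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path .\speculation-control-report.csv -NoTypeInformation

# Triage lists: hosts to fix remoting on, and hosts still exposed
$results | Where-Object { -not $_.Reachable } |
    Select-Object ComputerName, Error
$results | Where-Object { $_.Reachable -and -not ($_.SpectreV2 -and $_.Meltdown) } |
    Select-Object ComputerName, SpectreV2, Meltdown, NeedsFirmware
```

Unreachable hosts are kept in the report on purpose: a machine you cannot query is not a machine you can assume is patched, and the Error column tells you whether the fix is Enable-PSRemoting, a firewall rule, or credentials. The NeedsFirmware column is the useful one for follow-up, since that is the part Windows Update cannot do for you.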

2 COMMENTS

  1. Thanks Kent, that’s useful information.

    Microsoft hasn’t even offered me the January updates on this machine (Win 10 X64). I know there were AMD problems, but it didn’t sound like it was all AMD processors.

    Also, since Gigabyte hasn’t released a new BIOS for my MB since 2014, it seems unlikely they’ll start now.

    So I’m going to go with “probably nothing bad will happen anyway” 🙂

    • I believe it will. Vendors are still pushing the patches out; not all models have the patches yet. I have a 2012 test computer and a new Surface Pro, and neither of them has the patches yet. All I can do now is patch Windows and wait. 🙂
