Meltdown and Spectre, arguably the biggest vulnerabilities discovered in modern computers to date, are flaws at the processor level that affect almost every chip sold in the last 20 years. The affected chips include those made by Intel, AMD, and ARM, which means that practically every device running Windows is potentially vulnerable, including desktops, laptops, cloud servers, and smartphones.
The good news is that, at least at this moment, there is no reported incident of these vulnerabilities being used to attack end users. That gives us a little breathing room to get all our systems patched so that no sensitive information is leaked through these side-channel attacks when they do arrive.
What is Meltdown/Spectre?
I won’t go into details explaining what it is and how it works because there are already plenty of materials out there that will help you understand them in depth. Not only that, it’s also a very complicated technical issue that even many tech-savvy people have had a hard time wrapping their heads around.
And that’s why I really like this simplified version by CloudFlare that explains the Meltdown/Spectre Bugs for a Non-Technical Audience.
Recommended steps to patch Meltdown/Spectre
According to Microsoft, here are 3 recommended steps to help protect against the vulnerabilities.
- Verify that you are running a supported antivirus program before installing OS or firmware patches, and make sure its definition data is up to date.
- Install latest updates from Microsoft, including the January 2018 Windows Security Updates.
- Install the BIOS/firmware update provided by the device manufacturer.
So, to plug the hole left by Meltdown/Spectre, you need to patch not only at the software level with Windows Update but also at the hardware level with a firmware update. The latter is the more painful and tedious of the two: you need to find the model of your computer, download the applicable patch from the manufacturer’s website, and then install it on your computer. Luckily, almost every major vendor has prepared a page that helps you find and download the firmware patch for your computer.
- Guidance to mitigate speculative execution side-channel vulnerabilities – ADV180002
- Protect your Windows devices against Spectre and Meltdown – KB4073757
How to verify if I am protected
The PowerShell team has built a PowerShell module called SpeculationControl that queries the speculation-control settings of a system, so you can confirm whether the protections needed against the Meltdown/Spectre vulnerabilities have been enabled.
To install the module, open an elevated PowerShell window (Run as Administrator) and run the following cmdlets.
Answer “Y” twice along the way.
Note that on Windows 7, you will need to download the module first and use the Import-Module cmdlet to install it.
To check the vulnerability, use:
Set the execution policy if needed:
The script checks the system and lists the status of every protection feature needed, as well as the suggested actions required to finish patching your system, like below.
If all the recommended actions have been taken, including the firmware patch, you will see a green “True” next to every feature listed by the cmdlet.
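The complete local procedure described above, as an added example that is not from the original post or from the SpeculationControl module itself: it sets the execution policy, installs and imports the module, runs its query, and turns the returned object into a short pass/fail summary. It assumes an elevated Windows PowerShell 5.x session with access to the PowerShell Gallery; the exact property names in the comments (BTIWindowsSupportEnabled, KVAShadowWindowsSupportEnabled) are assumptions about the module version and should be confirmed against the Format-List output.

```powershell
# Added example, not from the original post: install the SpeculationControl
# module and summarise its result. Assumes an elevated PowerShell 5.x session.

# Allow locally created scripts (including the module's) to run for this user only.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# The two "Y" prompts mentioned in the post come from the NuGet provider and the
# untrusted PSGallery repository; -Force answers both for an unattended run.
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
Install-Module -Name SpeculationControl -Force

# On Windows 7 the module is downloaded by hand instead, then loaded with
# Import-Module <path-to-SpeculationControl.psd1>.
Import-Module SpeculationControl

# Query the local system. The cmdlet prints the coloured report and also
# returns an object whose properties describe each mitigation.
$settings = Get-SpeculationControlSettings

# Show every property so the exact names on this module version are visible.
$settings | Format-List

# Properties ending in "Enabled" (assumed names, e.g. BTIWindowsSupportEnabled
# for Spectre variant 2 and KVAShadowWindowsSupportEnabled for Meltdown) must be
# True for that mitigation to be active. Not every one is mandatory on every
# CPU (PCID support is an optimisation), so read the "Suggested actions" too.
$notEnabled = $settings.PSObject.Properties |
    Where-Object { $_.Name -like '*Enabled' -and $_.Value -ne $true }

if ($notEnabled) {
    Write-Warning ("Mitigations not active: " + ($notEnabled.Name -join ', '))
    # A "*HardwarePresent" property reading False usually means the
    # BIOS/firmware update (step 3 above) is still missing.
} else {
    Write-Host 'All speculation-control mitigations report as enabled.'
}
```

Run the block once after the January 2018 Windows update and again after the firmware update; the difference between the two runs shows which mitigations depend on the new microcode rather than on Windows alone.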
If you have a large network to take care of, you can verify Meltdown/Spectre protections remotely as well, though I haven’t tested it out personally. Or you can use
Enter-PSSession -ComputerName Remote_Computer
to get into the remote computer first, and then run the PowerShell cmdlets described above to check the protection manually, as long as you have the proper credentials to remote in.
If it cannot connect, review the WinRM setup, or simply run the Enable-PSRemoting cmdlet on the remote computer to get everything properly set up for you.
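One way to verify a whole group of machines at once, as an added example that is not from the original post: instead of entering each session interactively, Invoke-Command fans the same check out over PowerShell Remoting and tabulates the results. It assumes WinRM is already enabled on the targets (Enable-PSRemoting), that the current user is an administrator on them, and that the SpeculationControl module has been installed on each target; the computer names are placeholders.

```powershell
# Added example, not from the original post: collect speculation-control
# status from several computers over WinRM and report unreachable hosts.
# Placeholder names; replace with real hosts or feed from Get-ADComputer.
$computers = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02')

$results = Invoke-Command -ComputerName $computers `
    -ErrorAction SilentlyContinue -ErrorVariable connErrors -ScriptBlock {
        # Runs on the remote computer; the module must already be installed there.
        Import-Module SpeculationControl -ErrorAction Stop
        $s = Get-SpeculationControlSettings

        # Same assumption as the local check: "*Enabled" properties must be True.
        $missing = $s.PSObject.Properties |
            Where-Object { $_.Name -like '*Enabled' -and $_.Value -ne $true }

        [PSCustomObject]@{
            Computer   = $env:COMPUTERNAME
            OSVersion  = [System.Environment]::OSVersion.Version.ToString()
            NotEnabled = ($missing.Name -join ',')
        }
    }

# One row per reachable host; an empty NotEnabled column means fully patched.
$results |
    Select-Object Computer, OSVersion, NotEnabled |
    Sort-Object Computer |
    Format-Table -AutoSize

# Hosts that never answered: WinRM disabled, firewall, or wrong credentials.
foreach ($e in $connErrors) {
    Write-Warning ("Unreachable or failed: " + $e.Exception.Message)
}
```

Because the check runs as the caller, the account used needs local administrator rights on every target; a host that appears only in the warning list should be checked with Test-WSMan before assuming it is unpatched.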