How to Know if I'm Protected Against Meltdown & Spectre


11 replies to this topic

#1 Xsara


Posted 11 January 2018 - 08:56 PM

I have Windows 10 version 1709 (Fall Creators Update) on my home desktop PC. I have just updated with 2018-01 Cumulative Update for Windows 10 Version 1709 for x64-based Systems (KB4056892)

 

I have read the excellent and informative article How to Check if Your PC Is Protected Against Meltdown and Spectre by Chris Hoffman at How-To Geek. I ran this PowerShell script and after entering all of the commands my results are as follows:

 

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False (need BIOS update)

Windows OS support for branch target injection mitigation is present: True

Windows OS support for branch target injection mitigation is enabled: False

Windows OS support for branch target injection mitigation is disabled by system policy: False

Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

 

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True

Windows OS support for kernel VA shadow is present: True

Windows OS support for kernel VA shadow is enabled: True

Windows OS support for PCID performance optimnization is enabled: False [not required for security]

 

Suggested actions

* Install BIOS/.firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.

 

If I have understood all of this correctly, I pretty much need to update my BIOS and that should resolve some of the 'False' results. My motherboard is an ASUS P6X58D-E and it was purchased about 7 years ago when I built this PC. The BIOS version is 0405 (0803 is the newest, from 11/2017). I downloaded version 0803 today and tried to install it but when I click AsusSetup.exe I see "Does not support this Operating System : WNT_6.2P_64". Presumably, this is because the BIOS are written for Windows 7 and not 10 (this is just a guess). I called ASUS earlier and they are looking into this.

 

I am also wondering what to do about these 2 branch target injection items:

 

Windows OS support for branch target injection mitigation is enabled: False (the How-to Geek article - link above - says that "[this] means your PC hasn’t yet installed the operating system update that protects against these attacks."). There currently are no available updates for my PC.

Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

 

I have heard that some antivirus can possibly interfere with getting the Windows OS updates. My AV is Avast Free version 17.9.2322 (build 17.9.3761.278). I have not had the chance to look into this so I will keep checking Windows Update over the next few days.


Edited by hamluis, 13 January 2018 - 01:33 PM.
Moved from W10 Spt to Gen Security - Hamluis.
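
An added example (not part of the original post, and not Microsoft's script): a Python parser for the flag lines quoted above that derives a per-CVE verdict from them. The key names and verdict strings are chosen for this illustration, and the sample text is constructed from the output in the post.

```python
import re

# Constructed sample: the flag lines quoted in the post above.
SAMPLE = """\
Hardware support for branch target injection mitigation is present: False (need BIOS update)
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimnization is enabled: False [not required for security]
"""

# Output label -> short key (key names are chosen for this example).
BTI = "Windows OS support for branch target injection mitigation is "
KVA = "Windows OS support for kernel VA shadow is "
LABELS = {
    "Hardware support for branch target injection mitigation is present": "bti_hw",
    BTI + "present": "bti_os",
    BTI + "enabled": "bti_enabled",
    BTI + "disabled by system policy": "bti_policy_off",
    BTI + "disabled by absence of hardware support": "bti_no_hw",
    "Hardware requires kernel VA shadowing": "kva_required",
    KVA + "present": "kva_os",
    KVA + "enabled": "kva_enabled",
}
LINE = re.compile(r"^\s*(.+?):\s*(True|False)\b")

def parse(text):
    """Return {key: bool} for every recognised flag line; other lines are ignored."""
    flags = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(1) in LABELS:
            flags[LABELS[m.group(1)]] = m.group(2) == "True"
    return flags

def assess(f):
    """Map parsed flags to a per-CVE verdict; the first matching check wins."""
    meltdown = ("not required" if not f.get("kva_required", True) else
                "mitigated" if f.get("kva_os") and f.get("kva_enabled") else
                "not mitigated")
    checks = [(f.get("bti_enabled"), "mitigated"),
              (f.get("bti_policy_off"), "disabled by policy"),
              (not f.get("bti_os"), "needs OS update"),
              (f.get("bti_no_hw") or not f.get("bti_hw"), "needs firmware update")]
    spectre_v2 = next((v for c, v in checks if c), "unknown")
    return {"CVE-2017-5754": meltdown, "CVE-2017-5715": spectre_v2}
```

On the posted output, `assess(parse(SAMPLE))` reports CVE-2017-5754 as mitigated and CVE-2017-5715 as needing a firmware update: the OS support is present, and it is reported as not enabled because the hardware support is absent.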




#2 jcgriff2


Posted 11 January 2018 - 10:27 PM

If you have the most recent version BIOS installed, then your BIOS is up to date. There is nothing more for you to do with BIOS for now.

BIOS could care less and has no idea what version of Windows you are running. Windows does not load when you go into BIOS.

I did not take the time to read all that stuff at How-To Geek.

Why did you read and run all that stuff? Are you experiencing system problems?

If you're not experiencing system problems, then I would ignore the output of the PowerShell app.

Yes, it is true that anti-virus apps can interfere with Windows Updates, but Avast Free Edition is not one that I generally see interfering. Usually, it is the Internet Security Suites with the 3rd party firewalls that wreak havoc with Windows Updates. The fact that you checked for Windows Updates and it said none were available means that all outstanding Windows Updates are installed.

You have plenty of protection with Avast, Windows Firewall, Internet Modem Firewall and Windows 10 itself. You really don't need further protection.

Regards. . .

jcgriff2

p.s. Just curious - what did they tell you at the How-To Geek forum?

Edited by jcgriff2, 11 January 2018 - 10:57 PM.

Microsoft MVP 2009-2015
Microsoft Windows Insider MVP 2018 - Present

#3 britechguy


Posted 11 January 2018 - 10:42 PM

There are only two things that anyone can do with regard to the Spectre and Meltdown vulnerabilities:

 

1.  Allow the OS security updates intended to help protect against them to be installed when they become available for your machine.

 

2.  Install updated UEFI/BIOS when that becomes available for your machine.

 

The former will "take care of itself" if you are using automatic updating.  If not, then you must take the steps necessary to obtain and install it.

 

So far as I know no major manufacturers have yet released updated UEFI/BIOS related to these vulnerabilities.  These should become available over the next few weeks and you should check at your manufacturer's support page for your specific make and model of computer in its "Software & Drivers" section looking for a BIOS/UEFI update that is dated after 1/1/2018.  When it becomes available, install it following the instructions supplied to the letter.


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

     . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it.  The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus,  November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story


 

 

 

              

 


#4 rqt


Posted 12 January 2018 - 03:55 AM

Just for information I downloaded a BIOS update for a Dell OptiPlex 9020 on 10th January & having installed it the system is now Meltdown / Spectre protected (I didn't check for this beforehand, but previous BIOS was installed mid 2017 so would presumably have been vulnerable)



#5 Rocky Bennett


Posted 12 January 2018 - 07:00 AM

Just for information I downloaded a BIOS update for a Dell OptiPlex 9020 on 10th January & having installed it the system is now Meltdown / Spectre protected (I didn't check for this beforehand, but previous BIOS was installed mid 2017 so would presumably have been vulnerable)

 

 

What date was the new BIOS firmware created?




#6 rqt


Posted 12 January 2018 - 07:19 AM

BIOS released 2nd January 2018 / last updated 9th January 2018 according to Dell UK website (OptiPlex 9020 BIOS version A21)



#7 MadmanRB


Posted 12 January 2018 - 10:28 AM

Just take note of the updates as some have been known to cause BSODs on some systems and prepare any backup media.

Sure it's one thing to be wanting to be protected and it's another to have your system cough up blue screens.

This issue has lots to do with the kernel and like all kernel issues it can have side effects such as system instability which for me is actually more of a concern than the issue it is trying to patch.

Keep in mind the kernel is the thing that acts as the middleman between your hardware and software thus why this issue is a big mess.

The kernel will need patching and with the way Windows is designed that makes things very hard to do because like the big dumb idiots they are Microsoft tied everything to the user interface and file managers and everything else directly to the kernel (this is why I think it failed so badly on mobile).

I really wish Microsoft made Windows more modular like how it is on Linux (the backbone of things like Android, TiVo, Chromebooks and many other smart devices) and OSX, would make this far easier to deal with.


Edited by MadmanRB, 12 January 2018 - 10:31 AM.

You know you want me baby!

Proud Linux user and dual booter.

Proud Vivaldi user.

 



#8 britechguy


Posted 12 January 2018 - 11:01 AM

BIOS released 2nd January 2018 / last updated 9th January 2018 according to Dell UK website (OptiPlex 9020 BIOS version A21)

 

I would suspect that this is the BIOS/UEFI patch for the Spectre and Meltdown issues.   Still, I'd definitely check back several weeks from now to see if anything else is forthcoming.  

 

The dates are correct to suggest that this is what the update is meant to address, but because it's so prompt it could also have been something that was "in the pipeline" that just so happened to be pushed out on those two dates.  There should also be some sort of documentation available telling you what the changes in that update were intended to address no matter when a given update comes out.




#9 Xsara


Posted 12 January 2018 - 06:30 PM

If you have the most recent version BIOS installed, then your BIOS is up to date. There is nothing more for you to do with BIOS for now.

BIOS could care less and has no idea what version of Windows you are running. Windows does not load when you go into BIOS.


I do not have the most recent BIOS and the new version will not install. After calling ASUS yesterday they are investigating this. From my earlier post:

 

My motherboard is an ASUS P6X58D-E and it was purchased about 7 years ago when I built this PC. The BIOS version is 0405 (0803 is the newest, from 11/2017). I downloaded version 0803 today and tried to install it but when I click AsusSetup.exe I see "Does not support this Operating System : WNT_6.2P_64". Presumably, this is because the BIOS are written for Windows 7 and not 10 (this is just a guess). 

p.s. Just curious - what did they tell you at the How-To Geek forum?

 

How-To Geek does not have a forum.



#10 britechguy


Posted 12 January 2018 - 06:39 PM

Xsara,

 

         Regardless of the misgivings you may or may not have about specific advice you've received, I will reiterate that BIOS/UEFI is 100% independent of the operating system chosen to run over it.   BIOS = Basic Input-Output System, which is firmware used to control the motherboard which, in turn, interfaces with both the OS above it and all sorts of I/O devices attached to it.

 

         There is no such thing as BIOS/UEFI written for a given operating system.  It is written for hardware/chipsets.




#11 Xsara


Posted 12 January 2018 - 06:50 PM

Side topic: Out of curiosity, I downloaded and ran Intel's SA-00086 Detection tool and the results say that I "may be vulnerable, either the Intel MEI/TXEI driver is not installed (available from your system manufacturer) or the system manufacturer does not permit access to the ME/TXE from the host driver."

 

I know that SA-00086 is not directly related to Meltdown / Spectre (that is SA-00088, which they do not have a detection tool https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr ), but I was curious to see if SA-00086 could possibly be fixed with a BIOS update.

 

Download SA-00086 Detection tool at MajorGeeks 

http://www.majorgeeks.com/files/details/intel_sa_00086_detection_tool.html#comment-3704290479



#12 Xsara


Posted 12 January 2018 - 06:57 PM

Brian, I do have an understanding of what BIOS is and is used for. It is interesting that ASUS has no explanation as to why version 0803 will not install on my machine. 

 

Also, I have no "misgivings" re specific advice that has been offered. I appreciate all opinions.





