Ever since we published our earlier article today on Microsoft releasing out-of-band Windows updates to address the Meltdown and Spectre CPU flaws, we've been getting non-stop requests for clarification and support in installing these patches.
An editorial-form article is probably not the best format to give advice, so we're going to present a simple, dumbed-down, step-by-step article on how to get these updates and navigate Microsoft's overly complicated announcement.
There are four Microsoft help pages that we used to compile this information, which you may also want to read, just in case:
2) Guidance for Windows Server users
3) Security advisory ADV180002 (contains KB numbers for update packages)
4) Update compatibility warning for users with third-party anti-virus software
The key and most important sentence on all these pages is:
What does this mean?
It means that if you go to the Windows Update section of your Windows operating system and you press "Check for updates," if something comes up, you're safe to install it.
Windows update packages (KB numbers) are available here. A different KB number will appear, depending on your operating system and hardware platform.
If nothing comes up, that means Windows has detected the presence of an incompatible anti-virus (AV) application on your system.
The whole mess with anti-virus programs
Microsoft says that during tests, it detected some anti-virus programs causing BSOD crashes that prevented computers from booting after the installation of the Meltdown and Spectre patches.
The company says it instructed anti-virus vendors to modify their products and create a registry key on customers' computers when they've confirmed or updated their products so as not to crash Windows PCs after the Meltdown/Spectre updates.
Microsoft says that currently, whenever users want to update Windows, its update system will check for that registry key on users' PCs.
If the key exists, the Windows update process will believe the anti-virus software received an update to support the Meltdown and Spectre patches, and install the proper OS updates as well.
This is where things get messy. Some AV companies have said they don't plan to create that registry key, some said they cannot "technically" create that key, while others will ship updates in the following days.
This Google Docs file contains a list of the responses from some AV companies.
In simple terms, most AV users will have to wait, as most AV companies have promised to update their products and automatically add the registry key.
The simplest way to go about this is to go to the Windows Update section every day and press the "Check for updates" button; you'll receive the update after your AV product creates that registry key.
If you're one of the unlucky souls whose AV company doesn't plan to add that registry key, this is a .reg file Bleeping Computer put together to automatically create the following registry key for you.
Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD"
We'll display this in red so it sticks out. Do not run the .reg file unless you've confirmed with your AV vendor that they're compatible with the Meltdown and Spectre patches.
Once you've run the file or added the registry key manually, your PC will receive the patches for the Meltdown and Spectre vulnerabilities.
How can you check the status of the patches?
Microsoft has also released a set of PowerShell one-liners that you can use to check if your PC installed the updates properly, or if you need additional firmware updates.
When starting PowerShell, make sure you start it with Admin privileges so that you can install the required modules.
The PowerShell command below will download and install a PowerShell module for testing for the Meltdown and Spectre flaws.
Install-Module SpeculationControl
If you run the command and get execution errors, you might need to adjust your PowerShell execution policy. Run the following command:
Set-ExecutionPolicy Bypass
Now you can run a second PowerShell command that actually checks your system:
Get-SpeculationControlSettings
Google says that not all CPUs are vulnerable to the Meltdown and Spectre flaws, but if the result looks like this, with lots of red-colored text, then your CPU and OS are vulnerable to these attacks. Most likely, it looks like this.

The next step is to press the "Check for updates" button until you receive a Meltdown/Spectre patch. As explained above, this might take a few days for some users with "problematic" anti-virus software.

After the updates, you'll need to run Get-SpeculationControlSettings again. There are two possible scenarios.
The most common scenario is the following result:

The image means that your system received patches for the Meltdown bug, but has received incomplete patches for the Spectre bug.
This was to be expected, as Google said yesterday that Spectre is harder to exploit, but also harder to patch.
What the red text means is that you need additional chipset firmware updates. Microsoft and Google say that OEMs will need to provide users with these additional firmware updates to complete the Windows OS-level Spectre patches. Depending on your computer's age, some OEMs might not make these firmware updates available, meaning you'll be stuck with an incomplete Spectre patch.
If your laptop/desktop/server vendor has provided extra chipset firmware updates, you can get them from their official sites, install them, and complete the patch.
If everything is OK, all checks will appear in green-colored text, like so:

When the output is all green and each item is set to True, as shown above, then you are now protected from these attacks.
Once you're done, remember to set the PowerShell execution policy back to a restricted mode, which may be useful in mitigating malware attacks that use PowerShell to run malicious commands.
Set-ExecutionPolicy Restricted
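The check-and-interpret steps above, collected into one script as an added example (not Bleeping Computer's or Microsoft's code). It assumes the SpeculationControl module is already installed, relaxes the execution policy for the current PowerShell process only, and reads (never writes) the QualityCompat value; the helper names Test-QualityCompatKey and Get-PatchVerdict are made up for this example.

```powershell
# Added example: read-only status check for the Meltdown/Spectre patch procedure.
# Assumes: Windows, elevated PowerShell, SpeculationControl module already installed.
# Test-QualityCompatKey and Get-PatchVerdict are hypothetical helper names.

function Test-QualityCompatKey {
    # The registry value Windows Update looks for before offering the patches.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $name = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    $prop = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    return ($null -ne $prop)
}

function Get-PatchVerdict {
    param([Parameter(Mandatory)] $Settings)

    # CVE-2017-5754 (Meltdown): mitigated by kernel VA shadowing in the OS.
    if (-not $Settings.KVAShadowRequired) {
        $meltdown = 'Not required on this CPU'
    } elseif ($Settings.KVAShadowWindowsSupportPresent -and
              $Settings.KVAShadowWindowsSupportEnabled) {
        $meltdown = 'Mitigated'
    } elseif (-not $Settings.KVAShadowWindowsSupportPresent) {
        $meltdown = 'Windows update missing'
    } else {
        $meltdown = 'Windows support present but not enabled'
    }

    # CVE-2017-5715 (Spectre, branch target injection): needs OS patch AND firmware.
    if (-not $Settings.BTIWindowsSupportPresent) {
        $spectre = 'Windows update missing'
    } elseif ($Settings.BTIDisabledBySystemPolicy) {
        $spectre = 'Disabled by system policy'
    } elseif (-not $Settings.BTIHardwarePresent) {
        $spectre = 'Waiting on OEM BIOS/firmware update'
    } elseif ($Settings.BTIWindowsSupportEnabled) {
        $spectre = 'Mitigated'
    } else {
        $spectre = 'Windows support present but not enabled'
    }

    [pscustomobject]@{
        QualityCompatKeyPresent = Test-QualityCompatKey
        Meltdown_CVE_2017_5754  = $meltdown
        Spectre_CVE_2017_5715   = $spectre
    }
}

# Relax the policy for this process only; it reverts when the window closes.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
Import-Module SpeculationControl

# The cmdlet prints its coloured report and also returns the settings object.
$settings = Get-SpeculationControlSettings
Get-PatchVerdict -Settings $settings | Format-List

# Confirm no wider scope (CurrentUser, LocalMachine) was left at Bypass/Unrestricted.
Get-ExecutionPolicy -List
```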

Comments
Exnor - 6 years ago
Thanks for the info. Good article (the AV list is quite useful) .
Occasional - 6 years ago
Haven't had a chance to run through this yet; but thanks to CC, LA and BC for offering this attempt to clarify what they (and most of us), realize is a dynamic, sometimes contradictory, and hastily cobbled together set of recommendations - for an extremely broad spectrum of use-cases. I'm sure their ears will be ringing with people complaining about their bleeping computer!
julise - 6 years ago
When I ran the Powerscript I got this info
"You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from 'PSGallery'?"
What does it mean? Is it safe?
thanks
Starkman - 6 years ago
The article says,
"The simplest way to go about this is if you can go to the Windows Update section every day and press the "Check for updates" button and you'll receive the update after your AV product creates that registry key.
If you're one of the unlucky souls whose AV company doesn't plan to add that registry key, this is a .reg file Bleeping Computer put together to automatically create the following registry key for you.
Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD"
We'll display this in red so it sticks out. Do not run the .reg file unless you've confirmed with your AV vendor that they're compatible with the Meltdown and Spectre patches."
Looking at the portion in red: only install the .reg key if the AV vendor is compatible with Meltdown and Spectre. I'm totally lost here. How can the .reg key Bleeping gives us be compatible with the AV vendor?
I'm assuming what this really means is that we are to install this .reg if our particular AV vendor is NOT going to produce anything to update/patch Meltdown / Spectre. Is that what this means?
Thanks.
simplemann - 6 years ago
Starkman, the .reg need only be applied if your AV is compatible but will not be providing the reg update. Microsoft is only looking for that reg in order to allow you to install the patch.
Starkman - 6 years ago
Gotcha. The next question, then, is in that I have the free version of Avira, and it's a well-known antivirus software, how can I know if the free version of Avira is compatible; they don't offer a means of contacting them, as far as I can tell, unless you have the paid version.
Thanks again.
Demonslay335 - 6 years ago
According to the AV spreadsheet by Gossi, Avira v15.0.34.17 is compatible and should apply the registry key. Make sure to update it all the way and check their own statement.
https://www.wilderssecurity.com/threads/bork-tuesday-any-problems-yet.370217/page-147#post-2728947
Starkman - 6 years ago
"According to the AV spreadsheet by Gossi, Avira v15.0.34.17 is compatible and should apply the registry key. Make sure to update it all the way and check their own statement.
https://www.wilderssecurity.com/threads/bork-tuesday-any-problems-yet.370217/page-147#post-2728947"
Well, apparently, it updated. So I guess we're good. I just don't know how to check the version of the free edition, though, but it's all good.
backfolder - 6 years ago
Madre mia! Why don't MS add that reg key via their update?
Dragongirl - 6 years ago
What generation CPUs by Intel/AMD are affected ? I have a 2nd generation Intel i5 in my laptop, is it affected by this loophole ?
Starkman - 6 years ago
"What generation CPUs by Intel/AMD are affected ? I have a 2nd generation Intel i5 in my laptop, is it affected by this loophole ?"
I believe pretty much all of the basic CPUs (e.g., i3, i5, i7, etc.)
Dragongirl - 6 years ago
That doesn't exactly answer my question; does this mean my laptop is possibly affected by this or not? I know yes it's an i5, but it's a Second Generation i5, not an 8th or 7th or whatever generation they're coming out with now. Are older generations affected?
curmudgeon67 - 6 years ago
My understanding is that the flaws are present in nearly all CPUs built since the 1990s. Meltdown applies mostly to Intel CPUs. Spectre applies in some form to everything with "speculative execution." So TL;DR your G2 i5 is affected. However, it won't be patched. The Windows and Linux patches for Meltdown might be applied, but Intel will do nothing because (reading between their press release lines) it's more than 5 years old. Plus, the OEM of your laptop would have to provide the firmware fixes, and nobody will provide that for a computer more than 3-5 years old. I certainly don't expect it, for instance, from Gigabyte for my 10-year-old desktop even though the CPU has the features implicated. I'll be happy at this point if MS keeps supporting Win10 on it.
Dragongirl - 6 years ago
Oki dokie, this machine is 3 years old, a refurb apparently with originally Windows Vista Enterprise on it {It's now got Windows Seven Pro and I'm very happy with it}
Much thanks!
Ble45pinNAmeFor___ - 6 years ago
I had trouble getting the Powershell module installed . . Once I'd managed it (via, eventually, downloading some package installer thing from Microsoft), Powershell tells me my system is unpatched - though I thought it was patched. For a moment, I thought that the instructions the bleepingComputer article provides were only for servers (see https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution) - but, no, they seem to be for desktops too (https://support.microsoft.com/en-us/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe). So now I am confused.
Doghen - 6 years ago
MS adds this reg. file automatically if you run Windows Defender and Windows updates :)
Kimsland - 6 years ago
A cleaner option that most tech engineers once recommended was to:
Backup any important license keys in your Anti Virus or Internet Security application (if you don't have them already).
Backup any personal data (in case of system crash - from what I see it won't crash as it won't install unless compatible, but it is still recommended to always have backups).
THEN fully uninstall your Anti Virus or Internet Security application. Then Restart, disregarding any security messages about this momentarily.
FULLY install all MS updates, and obviously the MeltDown patches (obviously not AV products)
Once complete, Restart and check for MS updates again.
THEN re-install your Anti Virus or Internet Security application again.
In the 'old days' we generally all used to uninstall our antivirus applications first, especially on BIG MS security updates. Maybe those old days are gone? Or maybe that type of support is obsolete? Probably, as I've been away for a few years :)
julise - 6 years ago
I installed all patches. Could you help me to understand it please? am I protected or not
PS C:\WINDOWS\system32> Get-SpeculationControlSettings
>>
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID optimization is enabled: False
Suggested actions
* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
* Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698
BTIHardwarePresent : False
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled : False
NikHill - 6 years ago
Mine is showing this after following the guide:
PS C:\WINDOWS\system32> Get-SpeculationControlSettings
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: False
Windows OS support for kernel VA shadow is enabled: False
Suggested actions
* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
* Install the latest available updates for Windows with support for speculation control mitigations.
* Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698
BTIHardwarePresent : False
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : False
KVAShadowWindowsSupportEnabled : False
What is the problem?
geek1025 - 6 years ago
Shouldn't you set the Set-ExecutionPolicy Bypass back to restricted when done? I think it opens up other holes.
Aura - 6 years ago
It is specified at the end (bottom) of the article.
kmruss77 - 6 years ago
Yes, seems VERY irresponsible to hand-hold everyone through the exact steps needed - but then to just drop the ball on telling people the exact command to set the Powershell Script Execution Policy BACK to the restricted mode it was on.
The command should be:
Set-ExecutionPolicy Restricted
And answer Y and enter to the prompt to change it.
Also, run:
Get-ExecutionPolicy
And confirm that the response comes back as:
Restricted
If it still says 'Bypass', you need to re-enter the 'Set-ExecutionPolicy Restricted' command and make sure to answer Y and enter to the prompt.
Also - I can see another huge problem brewing for people that followed instructions like this to 'check' themselves ... in that the next major exploit will be running PowerShell Scripts with the ExecutionPolicy accidentally left at 'Bypass' on SO many people's PC's. Sigh.
KR
DNA3e8 - 6 years ago
Install-Module seems to be ps5- how do I install with Enable-Module?
metoo2 - 6 years ago
What I find odd is that nowhere does it mention it's for Intel, the word Intel is nowhere to be found? Is it because this test is also for AMD? Need to know if this test is also for AMD CPUs.
metoo2 - 6 years ago
Please advise if this test is for both Intel and AMD CPUs. Both the words Intel and AMD are nowhere to be found in this article, so my guess is it's for both Intel and AMD?
testa - 6 years ago
what do you mean by chipset firmware?
garryx - 6 years ago
Above worked to some extent for me, although I found this article after I struggled through it and put things together myself. Some of the following is not included above.
1. First I tried Windows Update and received nothing for 2018. I am on Windows 7 x64 and run Sophos endpoint standalone.
2. I checked and updated Sophos. The Sophos website and the version that I was at did not indicate I had the updated Sophos with the registry entry. Upon checking the entry with regedit with the intention of adding it I found it was there.
3. Retried Windows Update. Still nothing.
4. Tried to run the PowerShell command. Got an error on the step RootModule = 'SpeculationControl.psm1' when running Import-Module. After much research, downloaded and installed Windows Management Framework 5.0. Now I follow the steps and everything is false as expected.
4. Went to the windows update site and found the specific fix for Win 7 64 bit. Downloaded and installed that.
5. Now I get True for CVE-2017-5754.
6. Go and search Lenovo T460 and CVE-2017-5715. Download latest bios and install it.
7. Run Powershell and everything is now True.
jmwoods - 6 years ago
Guidance from the US Department of Homeland Security CERT…
https://www.us-cert.gov/ncas/alerts/TA18-004A
ItaJungleOutThere - 6 years ago
I tried using this setup, Mine turning out differences. After I places the Install-Module SpeculationControl. Get this Nugru thing ( lost track and not sure right spell but close tho). Yellow yes (Y) like needing to continue. Acting suspicious of getting it to install from something. So after type N. Get the red text stuff.
Now I think I'm in trouble now or should went ahead to do thru this other step after that round came up, took a chance to see if it fall thru the path, get this, do you want to go thru trusting this thing to continue, Yellow no (N). Now being stuck there. Had to get out and exit it. So is there something missing in details? or this a new one?.
Knaprigt - 6 years ago
What you're asked to fetch and install is Nuget (https://www.nuget.org/), which is needed for the rest of the installation. Despite the warnings it's an MS application and should be safe to install.
ItaJungleOutThere - 6 years ago
Hello, Yes, you're right and thank you for the word. (( was panicking and shock, hurry and stop before I ran into bigger messes than needed. I'd finally gotten thru. My AMD FX 4300, is being hit. But who know if AMD is actually going be doing anything about these since they really only want last 3 year processor. Like got jerk on about the graphic card,new HD7680, They no longer support as they tell me. So ended up going up to RX550. Got a New Dell and it with Newest Intel Processor, Not going fire it up yet till this get fixes. Seem that AMD scanner doesn't do very good job scanning.And again, I'm really suspicious about Five major Company and tied in with Microsoft. Since they run to Microsoft being Master Key of control. They're the main key and controlling. It going be all about $$$$ involves!!!! Good for Stock Marketing and deep hurt for Consumer!!!
curmudgeon67 - 6 years ago
Question for the house: I got the Windows update installed on older computers (G1 i5, Core2 Extreme). The powershell check comes up as expected. However, what I'm seeing suggests that the Windows update actually does NOTHING unless the firmware fixes come through, which will never happen with those older chips. So ... for those with deeper knowledge ... does the Windows update actually do ANYTHING to mitigate the hazard, or does it only enable Windows to support firmware-patched chips? IOW for our old chips was it worth installing at all? I suspect the answer is yes, it was worth installing FOR THE OTHER STUFF THAT WAS IN THE PACKAGE not necessarily for the Meltdown fix.
EDIT: I just found out that MS will block all further Win10 updates if this (Jan 3 2018) update isn't done. So whether it actually does something for Meltdown or not, it's worth applying. Answered part of the question. Still wondering whether it actually does anything for Meltdown absent firmware patches.
ItaJungleOutThere - 6 years ago
Mine still hitted with RED TEXT, Guess going have to wait tomorrow as they going releases it on the 9th. Been staying running updates all day, been several run through, scanning. Still no improvement. Been trying get with AMD, Cyberpower,PC, HP and see if there going be any new bios/Firmware. as my calling for. Have a BAD feeling this. They want to go and buy today PC!! So it'll help Stock Marketing and more $$$ in their pocket!!! Do you think they got the time and going be wasting $$$ of going back to redo these Million and Millions of PC, Laptop,Etc. ???
ItaJungleOutThere - 6 years ago
I'm curious about something., is this on right track ? 0x00000000 (0) ? Isn't this supposes tobe 0x00000000 instead?
NoSubstitute - 6 years ago
For some reason my CurrentUser kept saying Unrestricted, so I had to run this command specifically.
Set-ExecutionPolicy -Scope CurrentUser Restricted