01-09-2018 , 09:45 PM
https://www.howtogeek.com/338801/how-to-...d-spectre/ How to Check if Your PC Is Protected Against Meltdown and Spectre
by Chris Hoffman on January 9th, 2018
Warning: Even if you’ve installed patches from Windows Update, your PC may not be completely protected from the Meltdown and Spectre CPU flaws. Here’s how to check if you’re fully protected, and what to do if you aren’t.
To fully protect against Meltdown and Spectre, you’ll need to install a UEFI or BIOS update from your PC’s manufacturer as well as the various software patches. These UEFI updates contain new Intel processor microcode that adds additional protection against these attacks. Unfortunately, they aren’t distributed via Windows Update—unless you’re using a Microsoft Surface device—so they must be downloaded from your manufacturer’s website and installed manually.
How to Check if Your PC Is Protected
Microsoft has made available a PowerShell script that will quickly tell you whether your PC is protected or not. Running it will require the command line, but the process is easy to follow.
On Windows 10, right-click the Start button and select “Windows PowerShell (Admin)”. On Windows 7 or 8.1, search the Start menu for “PowerShell”, right-click the “Windows PowerShell” shortcut, and select “Run as Administrator”.
Type the following command into the PowerShell prompt and press Enter to install the script on your system:
Install-Module SpeculationControl
If you’re prompted to install the NuGet provider, type “y” and press Enter. You may also have to type “y” again and press Enter to trust the software repository.
The standard execution policy will not allow you to run this script. So, to run the script, you will first save the current settings so you can restore them later. Then you’ll change the execution policy so the script can run. Run the following two commands to do this:
$SaveExecutionPolicy = Get-ExecutionPolicy
Set-ExecutionPolicy RemoteSigned -Scope Currentuser
Type “y” and press Enter when you’re asked to confirm.
Then, to actually run the script, run the following commands:
Import-Module SpeculationControl
Get-SpeculationControlSettings
You will see information about whether your PC has the appropriate hardware support. In particular, you’ll want to look for two things:
The “Windows OS support for branch target injection mitigation” refers to the software update from Microsoft. You’ll want this to be present to protect against both Meltdown and Spectre attacks.
The “hardware support for branch target injection mitigation” refers to the UEFI firmware/BIOS update that you’ll need from your PC manufacturer. You’ll want this to be present to protect against certain Spectre attacks.
So in the screenshot below, the command tells me that I have the Windows patch, but not the UEFI/BIOS update.
This command also shows whether your CPU has the “PCID performance optimization” hardware feature, which makes the fix run faster. Intel Haswell and later CPUs have this feature, while older Intel CPUs don’t have this hardware support and may see more of a performance hit after installing these patches.
To reset the execution policy to its original settings after you’re done, run the following command:
Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser
Type “y” and press Enter when prompted to confirm.
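The check above as a single script, added here as an example; it is not part of the original article or of Microsoft's module. It assumes the SpeculationControl module is already installed, scopes the execution-policy change to the current process so nothing needs restoring, and reads the properties of the object that Get-SpeculationControlSettings returns; the finding messages are this example's own wording.

```powershell
# Added example: scripted version of the manual check (not from the article).
# Assumes Install-Module SpeculationControl has already been run.

# Relax the execution policy for this PowerShell process only. Nothing is
# persisted, so there is no saved policy to restore afterwards.
Set-ExecutionPolicy RemoteSigned -Scope Process -Force

Import-Module SpeculationControl -ErrorAction Stop

# The cmdlet prints its report and also returns an object of boolean fields.
$s = Get-SpeculationControlSettings

$findings = @()

# "Windows OS support for branch target injection mitigation is present"
if (-not $s.BTIWindowsSupportPresent) {
    $findings += 'ACTION: OS patch missing. Install updates from Windows Update.'
}

# "Hardware support for branch target injection mitigation is present"
if (-not $s.BTIHardwarePresent) {
    $findings += 'ACTION: Microcode missing. Install the UEFI/BIOS update from the PC manufacturer.'
}

# Both pieces present, but the mitigation is still switched off.
if ($s.BTIWindowsSupportPresent -and $s.BTIHardwarePresent -and
    -not $s.BTIWindowsSupportEnabled) {
    $findings += 'ACTION: Branch target injection mitigation is present but not enabled.'
}

# Kernel VA shadow is the Meltdown-side mitigation reported by the module.
if ($s.KVAShadowRequired -and -not $s.KVAShadowWindowsSupportEnabled) {
    $findings += 'ACTION: Kernel VA shadow is required on this CPU but not enabled.'
}

# PCID only affects performance, so report it as information.
if ($s.KVAShadowWindowsSupportEnabled -and -not $s.KVAShadowPcidEnabled) {
    $findings += 'INFO: No PCID optimization. Expect a larger performance hit.'
}

if ($findings.Count -eq 0) {
    Write-Output 'All checked mitigations are present and enabled.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated PowerShell window, and again after installing the firmware update, to confirm that the hardware finding has cleared.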
How to Get the Windows Update Patch for Your PC
If “Windows OS support for branch target injection mitigation is present” is false, that means your PC hasn’t yet installed the operating system update that protects against these attacks.
To get the patch on Windows 10, head to Settings > Update & security > Windows Update and click “Check for updates” to install any available updates. On Windows 7, head to Control Panel > System and Security > Windows Update and click “Check for updates”.
If you’re using a system with an AMD processor, you may not see the update at the moment. The update is causing problems on some machines with certain AMD processors, so Microsoft has “temporarily paused” issuing the update to all systems with AMD processors. Check back for the update in the future.
If no updates are found, your antivirus software may be causing the problem, as Windows won’t install it if your antivirus software isn’t yet compatible. Contact your antivirus software provider and ask for more information about when their software will be compatible with the Meltdown and Spectre patch in Windows. This spreadsheet shows which antivirus software has been updated for compatibility with the patch.
How to Get the UEFI/BIOS Update for Your PC
If “hardware support for branch target injection mitigation” is false, you’ll need to get the UEFI firmware or BIOS update from your PC’s manufacturer. So if you have a Dell PC, for example, head to Dell’s support page for your model. If you have a Lenovo PC, head to Lenovo’s web site and search for your model. If you built your own PC, check your motherboard manufacturer’s website for an update.
Once you’ve found the support page for your PC, head to the Driver Downloads section and look for any new versions of the UEFI firmware or BIOS. You need a firmware update that contains the “December/January 2018 microcode” from Intel. If you don’t see one, it isn’t available yet, so check back in the future for your PC’s update. Manufacturers need to issue a separate update for each PC model they’ve released, so these updates may take some time.
Once you’ve downloaded the update, follow the instructions in the readme to install it. Usually this will involve putting the update file on a flash drive, then launching the update process from your UEFI or BIOS interface, but the process will vary from PC to PC.
Intel says it will release updates for 90% of processors released in the last five years by January 12, 2018. But, after Intel has released those processor microcode updates, manufacturers will still need to package them up and distribute them to you. It’s unclear what will happen with older CPUs.
After you’ve installed the update, you can double-check and see whether the fix is enabled by running the installed script again. It should show “Hardware support for branch target injection mitigation” as “true”.
You Also Need to Patch Your Browser (and Maybe Other Applications)
The Windows update and BIOS update aren’t the only two updates you need. You’ll also need to patch your web browser, for example. If you use Microsoft Edge or Internet Explorer, the patch is included in the Windows Update. For Google Chrome and Mozilla Firefox, you’ll need to ensure you have the latest version—these browsers automatically update themselves unless you’ve gone out of your way to change that, so most users won’t have to do much. Initial fixes are available in Firefox 57.0.4, which has already been released. Google Chrome will receive patches starting with Chrome 64, which is scheduled for release on January 23, 2018.
Browsers aren’t the only piece of software that needs to be updated. Some hardware drivers may be vulnerable to Spectre attacks and need updates as well. Any application that interprets untrusted code—like how web browsers interpret JavaScript code on web pages—needs an update to protect against Spectre attacks. This is just one more good reason to keep all your software up to date, all the time.
Image Credit: Virgiliu Obada/Shutterstock.com and cheyennezj/Shutterstock.com