Checking and patching your Microsoft Windows computer for Meltdown and Spectre

Overview

A Google team named Project Zero in mid 2017 identified vulnerabilities with many Intel, AMD and ARM CPU’s that allow speculative pre-processing of code to be abused. Speculative pre-processing aids performance which is why it exists. However when used maliciously it would allow an attacker to use JavaScript in a webpage to access memory that could contain information present in a users environment such as key strokes, passwords and personal sensitive information.

A very good overview on the how (and a little of the why) is summarised in a series of tweets by Graham Sutherland here.

Mitigation/Patching

In the January Security updates Microsoft have provided updates to protect its operating systems (Windows 7 SP1 and later). More on this below. They have also provided a PowerShell Module to inspect and report on the status of a Windows operating system.

What you are going to need to do is patch your Windows Operating System and update your computers firmware (BIOS).

Using an Administrative PowerShell session on a Windows workstation with Windows Management Framework 5.x installed the following three lines will download and install the PowerShell module, import it and execute it to report on the status.

Install-Module SpeculationControl
Import-Module SpeculationControl
Get-SpeculationControlSettings

The output below shows that the operating system does not contain the updates for the vulnerability.

PowerShell Check.PNG

Obtaining the Windows Security Updates

Microsoft included updates for its operating systems (Windows 7 SP1 and newer) on January 3 2018 in the January update as shown below.  They can be obtained from the Microsoft Security Portal here. Search for CVE-2017-5715 to get the details.

Patch1.PNG

Go to the Microsoft Update Catalog to obtain the update individually.

The quickest and easiest though is to press your Windows Key, select the Gear (settings) icon, Update & Security, Windows Update.

Update & Security.PNG

Check status, install the updates, and restart your Windows computer.

Windows Update.PNG

Speculation Control Status

After installing the updates and restarting the computer we can run the check again. It now shows we are partially protected. Protected for Meltdown but partially protected for Spectre. A BIOS update is required to complete the mitigation for Spectre.

Rerun Powershell Check.PNG

For me I obtained the latest BIOS for my laptop from the manufacturers support website. If you are also on a Lenovo Yoga 910 that is here. However for me the latest Lenovo firmware doesn’t include updates for this vulnerability. And my particular model of laptop isn’t listed as being affected. I’ll keep checking to see if that changes.

Summary

In Microsoft environments your patching strategy will get you most of the way with the Microsoft January Security updates. BIOS updates to your fleet will take additional planning and effort to complete.