So what can we do (advise users) about Spectre Threats right now?


So I get paranoid, and have run Steve Gibson's tool as advised on Windows Weekly. (All clear on my two-year-old Surface Pro 4 on both Meltdown and Spectre, which is kinda impressive.) But on my two desktops, I have a Spectre warning, Hardware BIOS Not Updated, on both machines. This is on a 3-month-old MSI X99 A modern motherboard, as well as on a 5-year-old ASUS motherboard. The ASUS site is not very helpful on anything related to the supporting motherboard BIOS, let alone supporting my legacy motherboards. And the MSI site suggests a BIOS update may be available, but is too arcane to understand. The MSI LiveUpdate desktop tool only suggests driver updates, no BIOS.

Basically I would think there are going to be a lot of motherboards/BIOSes out there vulnerable to Spectre, especially as Steve Gibson's tool has told us. But none of these BIOS update instructions are clear and obvious. No simple desktop utility that can be executed by normal people. So how are we to advise all the normal people about protecting their systems against this Spectre?

I don't think many people, including myself, can afford to simply replace all their machines just cos Intel screwed up and motherboard manufacturers are not able to update 5-year-old motherboard BIOSes.


5 responses to "So what can we do (advise users) about Spectre Threats right now?"

  1. lvthunder

    If there is no BIOS update to install then there isn't much you can do except know there is a chance someone could hack you and steal random data, or replace the machine with something else. I think I'm done with ASUS motherboards because they aren't making (or haven't announced one way or another) an update for my Z97 boards. I have between 10-15 of them here at the office.

  2. mattbg

    I have a couple of Asus motherboards and the latest one was updated quite swiftly but the other Z87-based one last had a BIOS update in 2014 so I am not expecting much on that front. Agree that it's a reputational issue for ASUS if they won't pass through an important CPU microcode update for marketing reasons.

    The issue of the registry key that blocks the Windows part of the fix is important, though. I have a Windows Server 2012 R2 installation (running on the same above Z87 system) on which I've never installed any AV and it was not getting the patch because of the missing QC registry key. Once I manually added it, the update came through.

    Although I'm not clear on how easy this issue is to exploit and then use in a meaningful way, it is concerning that these vulnerabilities are (1) so difficult to explain and (2) require patching at so many different levels.

    Microsoft has promoted good practices with security updates over the years that will pay off here but I have no idea how often most people check for system BIOS updates nor how consistently system vendor tools for applying system-level updates are used or made available.
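The "QC registry key" mentioned above is the QualityCompat antivirus-compatibility key that Windows Update checked before offering the January 2018 Spectre/Meltdown patch. The following PowerShell check is an added example, not code from this thread or from Microsoft; it reports whether that key is present and, if the separately installed SpeculationControl module is available, whether the BIOS/microcode and Windows mitigations are actually active.

```powershell
# Added example: is the Windows Spectre/Meltdown patch being withheld by a
# missing QualityCompat key, and which mitigations are active on this box?
# Assumes the SpeculationControl module is installed for the second half
# (Install-Module SpeculationControl).

$qcPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$qcValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # value name Windows Update looks for

function Test-QualityCompatKey {
    # True only if the key exists AND carries the expected value name.
    if (-not (Test-Path $qcPath)) { return $false }
    $props = Get-ItemProperty -Path $qcPath -ErrorAction SilentlyContinue
    return ($null -ne $props -and ($props.PSObject.Properties.Name -contains $qcValue))
}

if (Test-QualityCompatKey) {
    Write-Host 'QualityCompat key present: Windows Update will offer the Spectre/Meltdown patch.'
} else {
    Write-Host 'QualityCompat key missing: the OS patch is being withheld.'
    Write-Host 'Normally your antivirus sets it once it is known to be compatible.'
    Write-Host 'If NO third-party AV is installed, Microsoft''s guidance was to create it by hand:'
    Write-Host "  New-Item -Path '$qcPath' -Force | Out-Null"
    Write-Host "  New-ItemProperty -Path '$qcPath' -Name '$qcValue' -Value 0 -PropertyType DWord -Force"
}

# Mitigation status: BIOS/microcode present vs. Windows support present vs. enabled.
# A missing BIOS update shows up as hardware support = False while Windows support = True.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    $s = Get-SpeculationControlSettings
    [pscustomobject]@{
        'Spectre v2: microcode present (BIOS)' = $s.BTIHardwarePresent
        'Spectre v2: Windows support present'  = $s.BTIWindowsSupportPresent
        'Spectre v2: mitigation enabled'       = $s.BTIWindowsSupportEnabled
        'Meltdown: Windows support present'    = $s.KVAShadowWindowsSupportPresent
        'Meltdown: mitigation enabled'         = $s.KVAShadowWindowsSupportEnabled
    } | Format-List
} else {
    Write-Host 'SpeculationControl module not installed; run: Install-Module SpeculationControl'
}
```

Run it from an elevated PowerShell prompt; on a system like the Z87 box described above, the expected picture after the OS patch is Windows support present but microcode absent until the vendor ships a BIOS.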

  3. jimchamplin

    Unpatched machines are going to be an issue for people like me, who rely on a healthy used PC market. There's a chance that it will mean a lot of nice boxes are about to get super cheap, but more likely it's probably going to ruin used PC buying as folks stop purchasing pre-owned machines that can't be patched and places start going out of business.

    Yay. Just fscking yay.

  4. jwpear

    For the typical consumer, I don't see this as being all that much different than any other threat.

    I think the main thing to tell folks is to make sure they allow Microsoft (or whomever their OS manufacturer is) to apply all patches routinely, update their browser routinely, use a reputable, updated antivirus (such as Windows Defender if using Windows), and follow good hygiene when browsing the net, checking email, downloading, etc. If they're more technical, suggest they check with their machine/motherboard manufacturer for a BIOS update.

    If they have an old machine, say five or more years old, and they can afford it, they should think about replacing it. That's a tough decision, if it is still performing well. This is a dilemma I have.

    My primary desktop, which I use for development, is about five years old. It has what was a high-end, quad-core CPU and still outpaces many newer CPUs. Only the fastest of desktop CPUs outperform it today (at least before microcode patches, should I ever receive them). It would cost me roughly $900 to replace the motherboard, CPU, RAM, and a new copy of Windows 10 Pro to achieve something equivalent. That's with a drop from an i7 to a quad-core i5. It would be more if I went with another i7. I have a mid-level Dell laptop and a SP3, so spending $900 at this time is a bit hard to justify. However, both are dual-core processors and have limited disk space, so they're not quite fit for a daily development machine.

    I'd love to see PassMark publish some updated benchmarks showing how the patches impact the performance of the processors. I have relied on their benchmarks for years to understand and compare the performance of processors before making hardware purchases. I want to know how the 7th and 8th gen processors compare with the patch before I consider replacing my desktop CPU.

  5. Polycrastinator

    This is an issue I'm bumping into both personally and professionally. Right now, I'm figuring mitigation is the right answer: we can patch Windows, we can install ad blockers (so many exploits come in through ads now), and we can install BIOS updates where available, but lots of folks just won't get them, and that's a problem. But there are no active exploits in the wild, and the data leak that occurs in unpatched systems is slow and untargeted. You'll get 2k a second, but you don't know which 2k. Maybe the jackpot and you'll get passwords, but more likely you'll end up with garbage. So I don't think this is actually a huge concern for most endpoint users.

    As with another commenter here, my primary desktop is older and I doubt I'll be seeing a BIOS update. For me, replacing CPU, motherboard, RAM, and perhaps CPU cooler will likely run $650, and it's out of my budget right now. I built that computer to last a long, long time, and spent money to get that result. To have that go away because my motherboard vendor won't update is absolutely galling.