Tip: Make Sure Your PC is Safe from Meltdown and Spectre

Posted on January 17, 2018 by Paul Thurrott in Hardware, Windows, Windows 10 with 40 Comments


Security expert Steve Gibson has done it again. His latest utility, InSpectre, can check your PC to see whether it is adequately protected from the recent Meltdown and Spectre security vulnerabilities.

You need this. So head on over to Steve’s GRC website and download InSpectre.

Put simply, InSpectre does three things: It determines whether your PC is vulnerable to Meltdown and Spectre. It checks to see what the performance impact is from the fixes you have installed. And it lets you toggle off those fixes, on the fly, if you need the full performance of your PC.

I ran InSpectre on my current desktop PC, an HP EliteOne all-in-one, and found that I was protected against Meltdown but not Spectre. And that my performance was “good,” which makes sense since I’m running the latest OS version on recent Intel hardware.

Steve’s utility noted that my vulnerability to Spectre was due to my BIOS/firmware not being updated.

So I checked with the HP Support Assistant and, sure enough, there was a BIOS update.

So I installed it, rebooted, and checked with InSpectre again. And now my PC is secure.

Get this now. And follow its advice. Seriously.


42 responses to “Tip: Make Sure Your PC is Safe from Meltdown and Spectre”

  1. webdev511

    Yeah I'm thinking it's long odds that Asus (or anyone) will be updating Bios for the Intel x79 based boards. BOO!

  2. Jacob Klein

    For those that want to update the Intel Microcode on their own, in Windows, you can! And it's easily uninstallable too --- read on! PS: I tried to fix the formatting, but couldn't figure out how, sorry.


    Original source of info:

    http://forum.notebookreview.com/threads/how-to-update-microcode-from-windows.787152/


    VMware CPU Microcode Update Driver

    https://labs.vmware.com/flings/vmware-cpu-microcode-update-driver


    Intel Microcode

    https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?v=t

    (Note: If the webpage says a newer version is available, use that!)


    AMD Microcode

    https://git.kernel.org/cgit/linux/kernel/git/firmware/linux-firmware.git/tree/amd-ucode

    Alternatively, see "microcode" links at the RIGHT of these pages:

    https://packages.debian.org/stable/admin/amd64-microcode

    https://packages.debian.org/testing/admin/amd64-microcode

    https://packages.debian.org/unstable/admin/amd64-microcode


    HWiNFO64

    https://www.hwinfo.com/


    To Install:

    1) Use software (like HWiNFO64) to make a note of the current Microcode version.

    2) Extract "VMware CPU Microcode Update Driver" contents into a folder of your choice, for this demo we'll call it uCode.

    3) Copy the latest Intel Microcode file, microcode.dat, into the uCode folder.

    4) Copy the 6 latest AMD Microcode files, microcode_amd*.bin, into the uCode folder.

    5) Run install.bat as Administrator

    - The microcode files and driver will be copied to the Windows\System32\Drivers folder.

    - The driver will be executed and the microcode updated if the microcode files contain a newer version.

    6) If successful, will say "Install completed with code 0."

    7) Reboot the PC

    8) Verify the updated Microcode version:

    - Method 1: Use software (like HWiNFO64)

    - Method 2: Event Viewer -> Windows Logs -> System, filter for Event Source "cpumcupdate"


    To Update:

    1) Use the Uninstall instructions, without restarting.

    2) Use the Install instructions, with restarting.


    To Uninstall:

    1) Extract "VMware CPU Microcode Update Driver" contents into a folder of your choice, for this demo we'll call it uCode.

    2) Run uninstall.bat as Administrator

    3) Reboot the PC

    4) Verify the Microcode is not being updated by the service:

    - Method 1: Event Viewer -> Windows Logs -> System, filter for Event Source "cpumcupdate" - You should see no Event Logs since the reboot.
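
A way to carry out the verification in steps 1 and 8 of the comment above from PowerShell, added here as an example and not part of the original comment or of the VMware driver package. It assumes the `Update Revision` and `Previous Update Revision` registry values that Windows keeps under the processor key, and uses the `cpumcupdate` event source named in the comment.

```powershell
# Added example: record the microcode revision before installing the driver,
# then run this again after the reboot and compare.

# Raw microcode revision bytes as Windows reports them for the first core.
# Both values are REG_BINARY; they are printed as hex without decoding.
$cpuKey = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
$cpu    = Get-ItemProperty -Path $cpuKey

function ConvertTo-HexString {
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Count -eq 0) { return '(value not present)' }
    ($Bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
}

[pscustomobject]@{
    Processor              = $cpu.ProcessorNameString
    UpdateRevision         = ConvertTo-HexString $cpu.'Update Revision'
    PreviousUpdateRevision = ConvertTo-HexString $cpu.'Previous Update Revision'
} | Format-List

# Events written by the driver since the last boot. Get-WinEvent raises an
# error when nothing matches, so errors are suppressed and the result tested.
$boot   = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'cpumcupdate'
    StartTime    = $boot
} -ErrorAction SilentlyContinue

if ($events) {
    $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
} else {
    'No cpumcupdate events since the last boot (driver absent or uninstalled).'
}
```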

  3. skane2600

    Isn't Gibson a rather controversial figure in the tech community?

  4. Oasis

    Good Luck with Dell. They don't list my Inspiron 3847 Desktop W7/ i5-4440. This machine isn't even 4 years old. Is there a list of which Intel CPUs they are going to do fixes for?

  5. red.radar

    Lenovo P51 - all patched up.


    thanks Paul, great and simple utility.

  6. eeisner

    Steve Gibson may be a bit extreme, but he gets it done. Thanks for the heads up, Paul.

  7. Gavin Groom

    My older laptop has no new BIOS updates, so it seems I'm vulnerable to Spectre till I get a new machine.

  8. jimchamplin

    Yes. Because Lenovo will soooooo release a patch for my 2009/2010-era box ?

  9. ZeroPageX

    Cool utility. Unfortunately, many motherboards will not have BIOS updates released, even from a few years ago. Intel released microcode updates for Linux which is a nice alternative for those people who run Linux, but for some reason, Microsoft is not doing this. So, I guess those of us who don't have a brand new machine are hosed. :-\

  10. wright_is

    My ThinkPad is good, my Ryzen 7 is partly good - no hardware fix for Spectre yet.

  11. Stooks

    Personally I would not install any of these patches for a while.


    First there is no known threat. Even if there is, all it could do is peek into those pipelines on the CPU to get bits of information. It would take a long time to MAYBE find some info that is worth anything, days and days.


    Also over on Neowin right now is a post about how these BIOS updates from some vendors are causing unexpected reboots after the updates.


    Let AV software block the threats, if and when they come out. Let Intel and the PC maker come out with GOOD updates via BIOS updates because this is a HARDWARE issue. Personally avoid the Microsoft updates as long as possible as they have the potential to kill performance or, if you have an AMD box, brick it.



    • NT6.1

      In reply to Stooks:


      I agree. My Windows 10 Anniversary version is updated. If there's a problem I could uninstall the security patch or clean install Windows. I'm not messing with firmware after all the reboot issues people are having.

  12. jwpear

    I'd like to see Intel offer a trade in program to get a discounted replacement processor. I think that's the right thing to do.


    I have a custom-built machine with an i7-3770 and an Intel motherboard. I'm guessing I won't see a Spectre patch for it. And even if I do, it is guaranteed to slow the machine. It's a perfectly good machine otherwise and probably would have carried me through several more years. The question now is whether to trust that I can keep malware off the machine that might try to leverage the Spectre vulnerability.

  13. Corbey

    Dell XPS 8900 tower from a couple of years ago with Skylake i7. Windows patched and BIOS updated. No problems.


    Thanks for this post, Paul!

  14. Dan1986ist

    Have to wait and hope that Dell releases bios updates for the Venue 8 Pro 5830 and the Venue 10 Pro 5056. And those tablets aren't even on Dell's list of affected devices.

  15. MattHewitt

    Thanks for posting this! This tool is great and makes things pretty straightforward.

  16. xapache

    Got to love the irony of Windows Defender indicating the site is unsafe....


    BTW Surface Book good to go.

  17. Skipper

    Windows defender smart screen is reporting that Steve's GRC website is unsafe

  18. Brazbit

    Windows Defender Smart Screen advises against following the link to grc.com due to it being a malicious software threat. Nice

  19. NoFlames

    You can also install a PowerShell module to check if you are running Windows.

    1. Press the Windows key and type PowerShell.
    2. Right click the PowerShell shortcut and select Run as Administrator.
    3. Type Install-Module SpeculationControl and press Enter.
    4. If you are prompted to install the NuGet provider, type Y and press Enter, and repeat if you are warned about installing from an untrusted repository.
    5. With the installation complete, type Import-Module SpeculationControl and press Enter.
    6. Type Get-SpeculationControlSettings and press Enter.


    Credit: https://betanews.com/2018/01/05/microsoft-powershell-meltdown-spectre-script/

    If it complains you may need to run the command Set-ExecutionPolicy RemoteSigned
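
The object returned by `Get-SpeculationControlSettings` can be read by a script rather than by eye; the following is an added example, not part of the comment above or of Microsoft's module, and `Get-MitigationVerdict` is a hypothetical helper name. It also sets the execution policy for the current process only rather than machine-wide.

```powershell
# Added example: interpret Get-SpeculationControlSettings output.
# Requires the module from the steps above (Install-Module SpeculationControl).

# Relax the execution policy for this PowerShell process only, so the
# machine-wide policy is unchanged once the window is closed.
Set-ExecutionPolicy RemoteSigned -Scope Process -Force

Import-Module SpeculationControl

function Get-MitigationVerdict {
    param($Settings)

    # Spectre variant 2 (branch target injection) needs BOTH updated CPU
    # microcode and Windows support that is installed and enabled.
    $spectre = if (-not $Settings.BTIHardwarePresent) {
        'NOT protected: CPU microcode lacks the mitigation (BIOS/firmware update needed)'
    } elseif (-not $Settings.BTIWindowsSupportPresent) {
        'NOT protected: Windows update with the mitigation is not installed'
    } elseif (-not $Settings.BTIWindowsSupportEnabled) {
        'NOT protected: mitigation is present but disabled'
    } else { 'Protected' }

    # Meltdown (rogue data cache load) is mitigated by the OS through
    # kernel VA shadowing; unaffected CPUs do not require it.
    $meltdown = if (-not $Settings.KVAShadowRequired) {
        'Not required: CPU is not affected'
    } elseif ($Settings.KVAShadowWindowsSupportEnabled) {
        'Protected'
    } else { 'NOT protected: Windows update missing or mitigation disabled' }

    [pscustomobject]@{ Meltdown = $meltdown; Spectre = $spectre }
}

# The cmdlet prints its own report and also returns an object with
# boolean properties; capture that object and summarise it.
$settings = Get-SpeculationControlSettings
Get-MitigationVerdict -Settings $settings | Format-List
```

A machine in the state the article describes before the BIOS update (Meltdown protected, Spectre not) reports `BTIHardwarePresent` as False.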

  20. JanesJr1

    When I follow your link, Paul, I get a Windows Defender "red screen of death" with the following message:


    This website has been reported as unsafe

    www.grc.com



    We recommend that you do not continue to this website. It has been reported to Microsoft for containing threats to your computer that might reveal personal or financial information.

    Back to safety More information  


    Windows Defender SmartScreen

    • Martin Pelletier

      In reply to JanesJr1:

      On the GRC site :


      "BOGUS “SmartScreen” WARNING from Edge and IE11 Browsers

      Windows Defender “SmartScreen” appears to have decided that InSpectre is malware. This also happened briefly after the release of our Never10 utility. In this case, it is likely due to the fact that InSpectre's initial release was triggering anti-virus scanners due to the program's use of a specific registry key used to enable and disable the Meltdown and Spectre protections. The second release obscures its use of that (apparently worrisome) key and now appears to pass through most A/V without trouble. So we are hopeful that this SmartScreen false alarm will disappear soon.


      In the meantime, PLEASE do not get a copy of this program from any 3rd-party download site, since that one could actually be malicious. If you have any non-Microsoft web browser (Chrome, Firefox, Opera, etc.) you should be able to obtain and use InSpectre without trouble. If you have a friend who is using some other computer (Windows 7 has no problem with this either) ask them to grab it from here and send it to you. Since the program is only 122k (written in assembly language) it's feasible to eMail it."


      Seems that SmartScreen doesn't like optimized programs made in assembly :)


  21. Polycrastinator

    Nice. I'm still waiting for an update for my Intel desktop board which is 6 years old at this point, so I'm wondering if I'm going to be waiting forever. A real shame, as the overclocked CPU in there is still fast in comparison to a lot of other things.

  22. smashie

    Well my XPS 13 has all been updated and good, no such luck for my older tower :/


    Still on the plus side I have got a new motherboard, CPU and ram on the way :)

  23. brettscoast

    Thanks for the heads up, Paul. Going to get on this immediately. Steve Gibson is one of the most respected, foremost experts on tech security there is around. Excellent advice.

  24. Birraque

    Only a few of the newest computers are receiving firmware updates. #FAIL

    Lenovo Yoga 2 Pro (Intel Core i7 4500U Haswell) isn't even listed under Lenovo Security Advisory LEN-18282 to be updated (NO ETA).

  25. tbsteph

    Spectre - No

    Performance - Slow


    Old computer? No, just a Surface 3. I'm sure the "fix" is in Satya's inbox ready to be implemented any time now :)

  26. jtf

    Has anyone successfully got the command line "probe" to work with this tool?
