Meltdown and Spectre – My update experiences on Windows

I’m intending to keep adding to this post as I find out new things and update more devices. This is primarily to aid me in tracking things I’ve done, what’s changed, and what’s still to do. Hopefully others might find some of this useful too.

Work laptop

My work laptop is a Dell Latitude E7450 with an Intel Core i7-5600U CPU and is running Windows 10 LTSB 2016 (1607), Kaspersky Endpoint Security 10 10.2.5.3201 and MalwareBytes AntiMalware 1.80.2.1012.

Kaspersky is compatible with the Windows Security Update as of a database update released on 28th December 2017, and MalwareBytes is compatible as of a database update released on 4th Jan 2018.

Running multiple anti-malware products can stop the “I am compatible” registry value from working properly: one product might not be compatible, but if the other is and sets the value, you could end up with blue screens after installing the security update. Luckily both of mine are compatible, and one or other of them has set the registry value, which I checked via RegEdit.
The presence of a DWORD value called cadca5fe-87d3-4b96-b7fb-a231484277cc, set to 0, indicates that the anti-virus product is compatible with the update. Interestingly, my machine has that value, but it also has a subkey called cadca5fe-87d3-4b96-b7fb-a231484277cc with its default value set to 0. I have other machines that only have Kaspersky on, and these also have both the value and the subkey present, so I think it’s Kaspersky doing this, not MalwareBytes.
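As an added example (not part of the original post), the following PowerShell function reports the state of that compatibility flag, including the subkey-with-the-same-GUID variant described above, so the check can be scripted rather than done by eye in RegEdit. The key path, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat, is the one Microsoft documented for this flag and is not given in the post; the value name is the GUID above.

```powershell
# Added example (not from the original post): report the anti-virus compatibility
# flag that the January 2018 Windows security updates require before installing.
# Assumption: the key path is the one Microsoft documented for this flag; the
# post itself names only the value, cadca5fe-87d3-4b96-b7fb-a231484277cc.
$KeyPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$FlagName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-AvCompatFlag {
    [CmdletBinding()]
    param(
        [string]$Path = $KeyPath,
        [string]$Name = $FlagName
    )

    $result = [ordered]@{
        KeyExists     = Test-Path -Path $Path
        ValuePresent  = $false
        ValueData     = $null
        ValueKind     = $null
        SubkeyPresent = $false
        SubkeyDefault = $null
        Compatible    = $false
    }

    if ($result.KeyExists) {
        # The documented signal is a REG_DWORD named after the GUID, set to 0.
        $item = Get-Item -Path $Path
        if ($item.GetValueNames() -contains $Name) {
            $result.ValuePresent = $true
            $result.ValueData    = $item.GetValue($Name)
            $result.ValueKind    = $item.GetValueKind($Name).ToString()
        }

        # Some products (the post saw this with Kaspersky) also create a subkey
        # with the same GUID and put 0 in its (Default) value. Report it, but do
        # not treat it as the compatibility signal; the DWORD value is.
        $subkey = Join-Path -Path $Path -ChildPath $Name
        if (Test-Path -Path $subkey) {
            $result.SubkeyPresent = $true
            $result.SubkeyDefault = (Get-Item -Path $subkey).GetValue('')
        }

        $result.Compatible = $result.ValuePresent -and
                             $result.ValueKind -eq 'DWord' -and
                             $result.ValueData -eq 0
    }

    [pscustomobject]$result
}

# Usage: reading HKLM needs no elevation. Compatible = True means the flag that
# Windows Update looks for is in place; SubkeyPresent alone is not sufficient.
Get-AvCompatFlag | Format-List
```

Running this before and after a definitions update on a machine with several anti-malware products installed shows which one actually sets the value, which is what the post is working out by hand for Kaspersky, MalwareBytes and Windows Defender.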

I’ve installed the KB4056890 update on this machine (via WSUS) but it has not been rebooted yet. Prior to installing the update I installed the SpeculationControl module from the PowerShell Gallery and ran the PowerShell command Get-SpeculationControlSettings, which returned the following:

PS Scripts:\> Install-Module SpeculationControl

Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its
InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
'PSGallery'?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): y
PS Scripts:\> Get-SpeculationControlSettings
Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is enabled: False

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: False
Windows OS support for kernel VA shadow is enabled: False

Suggested actions

 * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
 * Install the latest available updates for Windows with support for speculation control mitigations.
 * Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698


BTIHardwarePresent             : False
BTIWindowsSupportPresent       : False
BTIWindowsSupportEnabled       : False
BTIDisabledBySystemPolicy      : False
BTIDisabledByNoHardwareSupport : False
KVAShadowRequired              : True
KVAShadowWindowsSupportPresent : False
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled           : False

After a reboot, the above cmdlet now returns the following information:

> Get-SpeculationControlSettings
Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID optimization is enabled: True

Suggested actions

 * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
 * Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698


BTIHardwarePresent             : False
BTIWindowsSupportPresent       : True
BTIWindowsSupportEnabled       : False
BTIDisabledBySystemPolicy      : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired              : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled           : True

This machine is running the latest available BIOS from Dell, so I assume I’ll have to wait for a new BIOS to get the updated CPU microcode that enables the hardware support.

Home PC

This has an AMD FX-8350 CPU and is running Windows 10 1709, Windows Defender, and MalwareBytes 3.2.2.2029. It had not been switched on since 3rd Jan. I turned it on on the evening of 5th Jan, and after updating the database for MalwareBytes, the registry value that allows the Windows update to install was not present. I then updated Windows Defender’s threat definitions (the version is now 1.259.1223.0), and this added the registry value. The subkey with the same GUID as the value is not present on this machine, so I think my earlier suspicion that it is added by Kaspersky is correct. It’s also interesting to note that MalwareBytes does not seem to add the registry value at all.

> Get-SpeculationControlSettings
Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is enabled: False

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: False

Suggested actions

 * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
 * Install the latest available updates for Windows with support for speculation control mitigations.
 * Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698


BTIHardwarePresent             : False
BTIWindowsSupportPresent       : False
BTIWindowsSupportEnabled       : False
BTIDisabledBySystemPolicy      : False
BTIDisabledByNoHardwareSupport : False
KVAShadowRequired              : False
KVAShadowWindowsSupportPresent : False
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled           : False

Upon scanning for Windows Updates this machine found the 2018-01 update (KB4056892). After installing it, the cmdlet now shows:

> Get-SpeculationControlSettings
Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: False

Suggested actions

 * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
 * Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698


BTIHardwarePresent             : False
BTIWindowsSupportPresent       : True
BTIWindowsSupportEnabled       : False
BTIDisabledBySystemPolicy      : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired              : False
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled           : False
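The two machines above show why the output has to be read per CVE rather than by counting “True” lines: the Intel E7450 needs kernel VA shadowing and has it enabled, while the AMD FX-8350 reports KVAShadowRequired as False and is therefore not exposed to CVE-2017-5754 even though KVAShadowWindowsSupportEnabled stays False; for CVE-2017-5715 both show OS support present but not enabled for want of firmware. As an added example (not code from the original post), this PowerShell function turns the object Get-SpeculationControlSettings returns into a verdict and a reason per CVE, using the property names shown in the post's output, and runs it across several machines over PowerShell remoting. It assumes the SpeculationControl module is installed on each target and that remoting is enabled; the computer names are placeholders.

```powershell
# Added example (not from the original post): grade the object returned by
# Get-SpeculationControlSettings per CVE, so a fleet can be assessed without
# reading each block of console output. Property names are those the cmdlet
# emits (as shown in the post); computer names below are placeholders.

function Test-SpeculationMitigations {
    [CmdletBinding()]
    param(
        # Object from Get-SpeculationControlSettings, local or deserialised from remoting.
        [Parameter(Mandatory, ValueFromPipeline)]
        $Settings,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    process {
        # CVE-2017-5715 (Spectre variant 2, branch target injection) needs both the
        # OS update and microcode/firmware, so only the "enabled" flag counts.
        # The post's E7450 showed Present=True, Enabled=False until BIOS A18 arrived.
        $btiOk = [bool]$Settings.BTIWindowsSupportEnabled

        # CVE-2017-5754 (Meltdown, rogue data cache load): only CPUs that report
        # KVAShadowRequired=True need kernel VA shadowing. The post's AMD FX-8350
        # reports False, which passes even with KVAShadowWindowsSupportEnabled=False.
        $kvaOk = (-not $Settings.KVAShadowRequired) -or
                 [bool]$Settings.KVAShadowWindowsSupportEnabled

        # Name the most likely blocker so the next action is obvious.
        $btiWhy = if ($btiOk) {
            'mitigated'
        } elseif (-not $Settings.BTIWindowsSupportPresent) {
            'OS update missing (or reboot pending)'
        } elseif ($Settings.BTIDisabledByNoHardwareSupport) {
            'firmware/microcode update needed'
        } elseif ($Settings.BTIDisabledBySystemPolicy) {
            'disabled by system policy'
        } else {
            'not enabled'
        }

        $kvaWhy = if (-not $Settings.KVAShadowRequired) {
            'not required on this CPU'
        } elseif ($kvaOk) {
            'mitigated'
        } elseif (-not $Settings.KVAShadowWindowsSupportPresent) {
            'OS update missing (or reboot pending)'
        } else {
            'OS support present but not enabled'
        }

        [pscustomobject]@{
            ComputerName           = $ComputerName
            'CVE-2017-5715 (BTI)'  = $btiWhy
            'CVE-2017-5754 (RDCL)' = $kvaWhy
            FullyMitigated         = $btiOk -and $kvaOk
        }
    }
}

# Local check (the cmdlet prints its coloured report and also emits the object):
Get-SpeculationControlSettings | Test-SpeculationMitigations

# Fleet check over PowerShell remoting; SpeculationControl must be installed on
# each target. Computer names are placeholders.
$computers = 'WORK-LAPTOP', 'HOME-PC'
Invoke-Command -ComputerName $computers -ScriptBlock { Get-SpeculationControlSettings } |
    ForEach-Object { Test-SpeculationMitigations -Settings $_ -ComputerName $_.PSComputerName } |
    Format-Table -AutoSize
```

Because the cmdlet reports the state of the running kernel, a machine that has installed the update but not yet rebooted still grades as “OS update missing (or reboot pending)”, exactly as the post's first E7450 run did; re-run after the reboot before concluding the update failed.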

Useful links

Update 2018-01-10

Dell have now provided some pages with information about their efforts to deal with the problems:

  • Dell’s main Meltdown & Spectre page – this has an overview of the problem, and gives links to other pages with more specific information for PCs & thin client devices, Dell EMC hardware, VMware, and Pivotal.
  • Dell Consumer and Commercial product updates – this has BIOS versions or ETAs for new BIOS versions that will, in conjunction with OS updates, protect against Meltdown & Spectre. For example, my E7450 laptop is due for a BIOS update to be released on 12th Jan 2018. Note that OS updates should be in place before the BIOS is updated.

Update 2018-01-16

Dell released a BIOS update for my E7450 work laptop on 12th Jan, version A18, which adds fixes for CVE-2017-5715 (one of the Spectre vulnerabilities) and various Intel Management Engine security issues (CVE-2017-5711 & CVE-2017-5712, CVE-2017-13077, CVE-2017-13078 & CVE-2017-13080). So this is a good thing to install ASAP.

Note that the SpeculationControl PowerShell module has been updated to version 1.0.4 since I first started this post, so you might want to do:

Update-Module -Name SpeculationControl -Force

Running Get-SpeculationControlSettings on my E7450 now results in the following:

PS Scripts:\> Get-SpeculationControlSettings
Speculation control settings for CVE-2017-5715 [branch target injection]
For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629

Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimization is enabled: True [not required for security]


BTIHardwarePresent             : True
BTIWindowsSupportPresent       : True
BTIWindowsSupportEnabled       : True
BTIDisabledBySystemPolicy      : False
BTIDisabledByNoHardwareSupport : False
KVAShadowRequired              : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled           : True

This gives lots of green text, since each line that says “True” is shown in green, which is nice.

It’s too early to tell if there’s any performance impact, but the machine so far (about an hour) is working fine.

I’ve also now disabled the option in the Dell BIOS called OROM Keyboard Access (found under Security), as this removes the Ctrl-P pre-boot keypress used to get into the Intel Management Engine.


One Response to Meltdown and Spectre – My update experiences on Windows

  1. Tony S says:

    I think Malwarebytes might be the common factor, as I had the same experience here – Avast and MB, reg key ok, Win Updates didn’t detect. Manual install of patch seems to have gone ok, will be interesting to see if WinUpdates run as normal next month.
