Meltdown and Spectre – The Next Chapter
Meltdown and Spectre, the twin vulnerabilities affecting Intel and many other processors, have been a moving target. Patches were followed by “unpatches” when those patches caused computers to reboot randomly. Then there were the software patches that slowed down computers by 5% to 30%.
The process of mitigating these vulnerabilities has been way more complicated than we usually see. But there is hope.
So what can you do? Here are some answers –
First a tool – a free tool – to see what patches have been installed. Google (or any other search tool) “INSPECTRE”. Look for the entry from Gibson Research Corp at GRC.Com – in Google it is usually the first entry. Download it and it will tell you, in English, if you are vulnerable or protected.
For Meltdown, there is a simple Windows (and other OS) patch that vendors have released. Install the patch, run Inspectre to test and you are safe from Meltdown.
Spectre is the bad boy.
The problem that Spectre exploits is a decision that Intel and others made two decades ago. It isn’t so much a bug as a design decision that had unanticipated side effects. As a result, fixing it means fixing the firmware inside the chip itself.
There are several variants of Spectre, some worse than others. Intel has released patches for almost all of their chips, but getting them installed is the challenge. These patches to the chip usually require you to get a very specific patch for your model of computer from the computer’s manufacturer.
But there is some good news.
Intel just announced that they will be selling a new “generation” of the chip later this year with the firmware patch already in place. It appears a bit confusing at this point because they are 8th generation chips, but 8th generation chips without the patch started shipping last year. But, they will be shipping new versions of the 8th generation processors (what they will be called is not clear) that come with patches already installed (see announcement here).
But more exciting is the fact that Microsoft has started releasing patches to fix the firmware inside the chips. Turns out Windows has always been able to do this but due to the hundreds of chips that Intel has released, Microsoft rarely if ever releases a patch that uses this capability. This is an exception.
Microsoft has released a fix, KB4090007, but there is a catch. Of course.
First, the patch only works if you are running Windows 10 and only if you are running the Windows 10 Fall Creators Update. I guess that is to entice you to upgrade.
Second, you have to go find the patch and download it. It will NOT be coming to a Windows Update near you any time soon.
Finally, it only patches certain select chips listed in the article behind the KB link above. You need to know the chip model you are running. Luckily, the newest version of Inspectre will tell you that information. Then you can go to the knowledge base article linked above to see if your chip is one that Microsoft can patch. If it is, manually download the patch and install it. Once done, the Inspectre software should show that you are protected.
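If you would rather check the three conditions above from a PowerShell prompt, here is a read-only script added for this write-up (it is not from Microsoft, Intel or GRC). The function name is made up for the example, and the two microcode registry values it reads are an assumption about where Windows records the revision; the chip list itself still has to be checked by hand against the KB article.

```powershell
# Added example: read-only status check for the steps described above.
function Get-SpectreMicrocodePatchStatus {
    [CmdletBinding()]
    param(
        [string]$KbId = 'KB4090007'   # KB number from the article
    )

    $os  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # The Fall Creators Update is Windows 10 version 1709.
    $isFcu = ($os.ProductName -like 'Windows 10*') -and ($os.ReleaseId -eq '1709')

    # Get-HotFix raises an error when the update is absent; treat that as "not installed".
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    # Assumption: Windows keeps the microcode revision found at boot and the one
    # currently loaded in these two binary registry values. Shown as raw hex.
    $cpuKey = Get-ItemProperty 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
    $toHex  = {
        param($bytes)
        if ($null -ne $bytes) { [BitConverter]::ToString([byte[]]$bytes) } else { 'n/a' }
    }
    $bootRev = & $toHex ($cpuKey.'Previous Update Revision')
    $liveRev = & $toHex ($cpuKey.'Update Revision')

    [pscustomobject]@{
        CpuModel             = $cpu.Name.Trim()
        WindowsVersion       = "$($os.ProductName) $($os.ReleaseId)"
        IsFallCreatorsUpdate = $isFcu
        KbInstalled          = [bool]$hotfix
        MicrocodeAtBoot      = $bootRev
        MicrocodeLoaded      = $liveRev
        # True when Windows loaded a different revision than the one present at boot.
        OsUpdatedMicrocode   = ($bootRev -ne 'n/a') -and ($bootRev -ne $liveRev)
    }
}

$status = Get-SpectreMicrocodePatchStatus
$status | Format-List

if (-not $status.IsFallCreatorsUpdate) {
    Write-Warning 'Not Windows 10 Fall Creators Update (1709); per the article the patch will not apply.'
} elseif (-not $status.KbInstalled) {
    Write-Warning "Patch not found. Check '$($status.CpuModel)' against the chip list in the KB article, then download it manually."
}
```

Run it before and after installing the patch; Inspectre remains the check for whether you are actually protected.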
Microsoft is supposed to be adding more chips to the list over time and hopefully, will create a fix for Windows 8 and Windows 7, since both of these are supposedly still supported. Just not yet. Second class citizens.
Not simple and not complete, but it is progress.