Warning: Even if you’ve installed patches from Windows Update, your PC may not be completely protected from the Meltdown and Spectre CPU flaws. Here’s how to check if you’re fully protected, and what to do if you aren’t.
To fully protect against Meltdown and Spectre, you’ll need to install a UEFI or BIOS update from your PC’s manufacturer as well as the various software patches. These UEFI updates contain new Intel or AMD processor microcode that adds additional protection against these attacks. Unfortunately, they aren’t distributed via Windows Update—unless you’re using a Microsoft Surface device—so they must be downloaded from your manufacturer’s website and installed manually.
Update: On January 22, Intel announced that users should stop deploying the current UEFI firmware updates due to “higher than expected reboots and other unpredictable system behavior”. Intel now says you should wait for a final UEFI firmware patch that’s been properly tested and won’t cause system problems.
If you did install a UEFI firmware update from your manufacturer, you can download a patch from Microsoft to make your PC stable again. Available as KB4078130, this patch disables the protection against Spectre Variant 2 in Windows, which prevents the buggy UEFI update from causing system problems. You only need to install this patch if you’ve installed a buggy UEFI update from your manufacturer, and it isn’t being automatically offered via Windows Update. Microsoft will re-enable this protection in the future when Intel releases stable microcode updates.
To check whether you’re fully protected, download the Gibson Research Corporation’s InSpectre tool and run it. It’s an easy-to-use graphical tool that will show you this information without the hassle of running PowerShell commands and decoding the technical output.
Once you’ve run this tool, you’ll see a few important details:
You can see a human-readable explanation of exactly what’s going on with your PC by scrolling down. For example, in the screenshots here, we’ve installed the Windows operating system patch but not a UEFI or BIOS firmware update on this PC. It’s protected against Meltdown, but needs the UEFI or BIOS (hardware) update to be fully protected against Spectre.
Microsoft has made available a PowerShell script that will quickly tell you whether your PC is protected or not. Running it will require the command line, but the process is easy to follow. Thankfully, Gibson Research Corporation now provides the graphical utility Microsoft should have, so you don’t have to do this anymore.
If you’re using Windows 7, you will first need to download the Windows Management Framework 5.0 software, which will install a newer version of PowerShell on your system. The script below won’t run properly without it. If you’re using Windows 10, you already have the latest version of PowerShell installed.
On Windows 10, right-click the Start button and select “Windows PowerShell (Admin)”. On Windows 7 or 8.1, search the Start menu for “PowerShell”, right-click the “Windows PowerShell” shortcut, and select “Run as Administrator”.
Type the following command into the PowerShell prompt and press Enter to install the script on your system
If you’re prompted to install the NuGet provider, type “y” and press Enter. You may also have to type “y” again and press Enter to trust the software repository.
The standard execution policy will not allow you to run this script. So, to run the script, you will first save the current settings so you can restore them later. Then you’ll change the execution policy so the script can run. Run the following two commands to do this:
$SaveExecutionPolicy = Get-ExecutionPolicy
Set-ExecutionPolicy RemoteSigned -Scope Currentuser
Type “y” and press Enter when you’re asked to confirm.
Then, to actually run the script, run the following commands:
You will see information about whether your PC has the appropriate hardware support. In particular, you’ll want to look for two things:
So in the screenshot below, the command tells me that I have the Windows patch, but not the UEFI/BIOS update.
This command also shows whether your CPU has the “PCID performance optimization” hardware feature, which lets the Meltdown fix run with less overhead. Intel Haswell and later CPUs have this feature, while older Intel CPUs don’t, and may see more of a performance hit after installing these patches.
To reset the execution policy to its original settings after you’re done, run the following command:
Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser
Type “y” and press Enter when prompted to confirm.
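The whole procedure above, collected into one script that saves and restores the execution policy automatically and turns the two flags the article tells you to look for into plain-language guidance. This is an added example, not the article’s or Microsoft’s own script; it assumes the module and cmdlet names (SpeculationControl, Get-SpeculationControlSettings) and the flag names the cmdlet returns (BTIWindowsSupportPresent, BTIHardwarePresent, KVAShadowPcidEnabled) as found in the versions of the module the example’s author has used.

```powershell
# Added example (not the article's own script). Assumes Microsoft's PowerShell Gallery
# module is named SpeculationControl and exposes Get-SpeculationControlSettings, and
# that the returned object carries the flag names used below. Run from an elevated prompt.
#Requires -RunAsAdministrator

$savedPolicy = Get-ExecutionPolicy -Scope CurrentUser
try {
    # Allow the downloaded module to load for this user only; restored in 'finally'.
    Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        # -Force answers the NuGet provider / repository trust prompts described above.
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    $s = Get-SpeculationControlSettings

    # Map the cmdlet's flags to the two things the article says to look for.
    $osPatched = [bool]$s.BTIWindowsSupportPresent   # "Windows OS support for branch target injection mitigation is present"
    $fwPatched = [bool]$s.BTIHardwarePresent         # "Hardware support for branch target injection mitigation"
    $pcid      = [bool]$s.KVAShadowPcidEnabled       # "PCID performance optimization"

    if (-not $osPatched) {
        Write-Warning "Windows patch missing: run Windows Update (check antivirus compatibility if nothing is offered)."
    }
    if (-not $fwPatched) {
        Write-Warning "UEFI/BIOS microcode update missing: get the firmware update from your PC or motherboard vendor."
    }
    if ($osPatched -and $fwPatched) {
        Write-Host "Windows and firmware mitigations for Spectre Variant 2 are both present."
    }
    $pcidText = if ($pcid) { "available (smaller performance hit)" } else { "not available" }
    Write-Host ("PCID optimization: {0}" -f $pcidText)
}
finally {
    # Always put the execution policy back, even if the check failed part-way through.
    Set-ExecutionPolicy $savedPolicy -Scope CurrentUser -Force
}
```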
If “Windows OS support for branch target injection mitigation is present” is false, that means your PC hasn’t yet installed the operating system update that protects against these attacks.
To get the patch on Windows 10, head to Settings > Update & security > Windows Update and click “Check for updates” to install any available updates. On Windows 7, head to Control Panel > System and Security > Windows Update and click “Check for updates”.
If no updates are found, your antivirus software may be causing the problem, as Windows won’t install the patch if your antivirus software isn’t yet compatible. Contact your antivirus software provider and ask for more information about when their software will be compatible with the Meltdown and Spectre patch in Windows. This spreadsheet shows which antivirus software has been updated for compatibility with the patch.
Patches are now available to protect against Meltdown and Spectre on a wide variety of devices. It’s unclear if game consoles, streaming boxes, and other specialized devices are affected, but we know that the Xbox One and Raspberry Pi are not. As always, we recommend keeping up-to-date with security patches on all your devices. Here’s how to check if you already have the patch for other popular operating systems:
sudo sh spectre-meltdown-checker.sh
Linux kernel developers are still working on patches that will fully protect against Spectre. Consult your Linux distribution for more information about patch availability.
Windows and Linux users will need to take one more step, however, to secure their devices.
If “hardware support for branch target injection mitigation” is false, you’ll need to get the UEFI firmware or BIOS update from your PC’s manufacturer. So if you have a Dell PC, for example, head to Dell’s support page for your model. If you have a Lenovo PC, head to Lenovo’s web site and search for your model. If you built your own PC, check your motherboard manufacturer’s website for an update.
Once you’ve found the support page for your PC, head to the Driver Downloads section and look for any new versions of the UEFI firmware or BIOS. If your machine has an Intel processor in it, you need a firmware update that contains the “December/January 2018 microcode” from Intel. But even systems with an AMD processor need an update. If you don’t see one, check back later. Manufacturers need to issue a separate update for each PC model they’ve released, so these updates may take some time.
Once you’ve downloaded the update, follow the instructions in the readme to install it. Usually this will involve putting the update file on a flash drive, then launching the update process from your UEFI or BIOS interface, but the process will vary from PC to PC.
Intel says it will release updates for 90% of processors released in the last five years by January 12, 2018. AMD is already releasing updates. But, after Intel and AMD have released those processor microcode updates, manufacturers will still need to package them up and distribute them to you. It’s unclear what will happen with older CPUs.
After you’ve installed the update, you can double-check and see whether the fix is enabled by running the installed script again. It should show “Hardware support for branch target injection mitigation” as “true”.
The Windows update and BIOS update aren’t the only two updates you need. You’ll also need to patch your web browser, for example. If you use Microsoft Edge or Internet Explorer, the patch is included in the Windows Update. For Google Chrome and Mozilla Firefox, you’ll need to ensure you have the latest version—these browsers automatically update themselves unless you’ve gone out of your way to change that, so most users won’t have to do much. Initial fixes are available in Firefox 57.0.4, which has already been released. Google Chrome will receive patches starting with Chrome 64, which is scheduled for release on January 23, 2018.