We had only just finished welcoming in the new year when the next security bombshell hit the headlines. And it wasn’t only one flaw, but two. Nicknamed Meltdown and Spectre, the vulnerabilities originate from computer microprocessors. In terms of severity and number of people potentially affected, experts have likened them to 2014’s Heartbleed bug.
The bugs can attack all desktop operating systems, but in this article, we’re only going to focus on Windows. Let’s take a closer look at how the vulnerabilities work and how you can tell whether they have affected you.
Meltdown and Spectre: A Closer Look
Before we explain how to detect the two bugs on your own system, let’s take a moment to fully understand what the two vulnerabilities are and how they work.
The same group of security researchers were responsible for finding both the problems. At an elementary level, they are flaws in processor architecture (i.e. the transistors, logic units, and other tiny components that work together to make a processor function).
The flaw allows a would-be hacker to expose almost any data that a computer processes. That includes passwords, encrypted messages, personal information, and anything else you can think of.
Meltdown only affects Intel processors. Worryingly, the bug has been present since 2011. It uses part of the out-of-order execution (OOOE) process to change the cache state of a CPU. It can then dump the contents of the memory when it usually would be inaccessible.
Spectre can attack Intel, AMD, and ARM processors, and can thus also affect phones, tablets, and smart devices. It uses a processor’s speculative execution and branch prediction in conjunction with cache attacks to trick apps into revealing information that should be hidden within the protected memory area.
Spectre attacks need to be customized on a machine-by-machine basis, meaning they are harder to execute. However, because it’s based on an established practice in the industry, it’s also harder to fix.
Is Your Windows PC Affected by Meltdown and Spectre?
You need to assume you are affected by Spectre and that there’s little you can do about it. More on that later in this article.
But what about Meltdown? Thankfully, Microsoft has published a handy PowerShell script that you can run on your system. Follow the steps below and you can install and activate an additional module on your system. The results will indicate whether you need to take further steps.
First, run PowerShell as an administrator: press Windows key + Q or open the Start Menu, type PowerShell, right-click the first result (Windows PowerShell, desktop app) and select Run as administrator.
After PowerShell has loaded, follow these steps to find out whether your PC is affected by Meltdown. Note that you can copy-and-paste commands into PowerShell.
- Enter Install-Module SpeculationControl and press Enter to run the command.
- Confirm the NuGet provider prompt by entering a Y for Yes and hitting Enter.
- Do the same for the Untrusted repository prompt.
- When the installation has completed, type Import-Module SpeculationControl and press Enter.
- Finally, type Get-SpeculationControlSettings and hit Enter.
After you have run these commands, check the output result for the results — it will be either True or False.
If you see only True messages, congratulations, you are protected and don’t need to take any further action. If a False pops up, your system is vulnerable, and you need to take further action. Be sure to note the suggested actions shown in the results. As shown in the screenshot above, our test computer requires a BIOS/firmware update and yet has to install a patch provided through Windows Update.
How Can You Protect Yourself?
Do you want the good news or the bad news? Well, the good news is you can protect yourself against Meltdown… sort of. The bad is that it’s not a permanent solution and your computer will see a performance hit. Oh, and the other bit of bad news? You can’t protect yourself against Spectre.
To the company’s credit, Microsoft moved quickly to issue a patch for Meltdown. You can find it through the Windows Update tool (Settings > Update & Security > Windows Update > Check of updates). You need to download and install patch KB4056892 for Windows build 16299.
Troublingly, the patch is incompatible with some antivirus suites. It only works if your security software’s ISV has updated the ALLOW REGKEY in the Windows registry.
Pay attention to this thread. AV that do not set the #meltdown/#spectre compatibility reg key (whether because AV is broken, outdated, doesn't exist, etc) won't just not get the meltdown/spectre patches. They won't get /any/ updates, now or in the future. https://t.co/TykpphaxWL
— David Longenecker (@dnlongen) January 8, 2018
You should also update your browser. Google has patched Meltdown in Chrome 64 and Mozilla has updated Firefox in version 57. Microsoft has even patched the latest version of Edge. Check with your browser’s developer if you use a non-mainstream app.
Lastly, you need to update your system’s BIOS and firmware. Some computer manufacturers include an app within Windows so you can quickly check for such updates. If your PC manufacturer didn’t supply one, or if you deleted it, you should be able to find updates on the company’s website.
What About Spectre?
It won’t be a satisfactory answer for many people, but the current advice is to sit tight. Meltdown is the more immediate threat and is the easier of the two bugs for hackers to exploit.
Because of the way Spectre works, fixing it will require companies to completely redesign the way they build processors. That process could take years, and it could be decades until the current iteration of processors is entirely out of circulation.
Given the number of devices affected — potentially billions — a recall is out of the question. We’ll just have to live with the threat of a Spectre attack for years to come.
Do Meltdown and Spectre Worry You?
It’s understandable to feel worried. After all, our computers quite literally hold the keys to our lives.
But it’s also important to take solace from the facts. You are highly unlikely to be the victim of a Spectre attack. The time and effort a hacker needs to put in for an unspecified return make you an unattractive proposition.
And the big tech companies have known about the two issues since the middle of 2017. They’ve had plenty of time to prepare patches and respond in the best way they are able.
Despite the facts, do the Meltdown and Spectre threats still worry you? You can let us know your thoughts and opinions in the comments section below.