Windows 10: Windows Client Guidance against speculative execution vulnerabilities

This is the result I got after running all three command lines from PowerShell (Admin) Verification as per Shawn's tutorial (first page):





At one point after the second command line, I was asked if I wanted PowershellGet to install and import the NuGet provider now. I put Yes ("y"). After the third command line, I got the results seen at the bottom of the screenshot with three "false" lines and all the rest is labelled as "True". My confusion is about "Suggested actions" highlighted in the red square with a yellow arrow:

[Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.]

My PC is about two years old. I am on UEFI and in the suggestion they are talking about BIOS/Firmware. Does that mean they are using the terms Bios & UEFI interchangeably?. And how do I get that update from Intel. Can anyone chime in and show me the light at the end of the tunnel?

 

Hi,

UEFI is still a BIOS although an advanced one so, yes they use it interchangeably. Updates will crop up to "secure" OS and CPU's from either your OEM, Intel, AMD or Microsoft (for the OS part and possibly micro code for the cpu).

It's still early days as they're all still waking up from the season holidays and such. I'd keep an eye on my MB OEM if it were me and check for BIOS/UEFI updates on a regular basis.
Currently available micro code updates from Intel aren't fixing anything yet and I very much doubt that those updates could cover both Meltdown and Spectre vulnerabilities fully.

Cheeers, *Wink

 

Thanks a lot for your intervention. Really appreciate it. According to what you are saying, the best approach for now is to wait & see while checking for any updates regarding my MB OEM. If I understood correctly "Spectre" is only concerned with Intel processors and "Meltdown" with all the other processors as far as these speculative execution side-channel attacks may affect one's PC.

In the meantime, I found a link for Intel Detection Tool:

*Arrow Download Intel-SA-00086 Detection Tool

I am going to give it a try and see what gives.

Thanks again *Smile

 

Well, if this don't beat all. This is the kind of thing where I'd like to take all 3 machines, throw them in the garbage, and look for another hobby. The smart phone too. Get a cheapo dumb phone. If this can't get fixed I just may do that. *sarc Off to see if I can find a BIOS update I guess....

Oh and thanks for the article/tutorial, Shawn.

 

Hmmm.. that one does need some updating...seems all it has is the Win update fix.... firmware is non-compliant..

 

That was on my FCU partition. Below is my IP 17063 partition, which, of course, is the same BIOS, but they say we Insiders are running the latest security fixes? What a crock!

Absolutely nothing on the Asus site about this issue. Not in support or news. Zilch. I have this sinking feeling I won't be able to update this tower, nor my laptop BIOS. Probably at least half of us here will own boat anchors soon unless we get updates. If not, then these bass turd corporations will turn around and sell us more junk. Money sucking educated idiots, every one of them. *sarc

Gates had better step in on this issue to do something about it.

 

My posts are getting deleted at a rapid rate...so read quickly...

But totally agree... what goes around comes around...

...my last post here.

 

@Brink, can you please add the PowerShell command to restore things the way they were, before all this?

Is this the appropriate command?

Set-ExecutionPolicy Restricted -Scope Process -Force


Thank you.

 

[/quote] Using the Set-ExecutionPolicy Cmdlet

 

Eh... Okay, thank you... but... no time + not quite in the mood right now to try this new thing I meet, first time in my life, so... which command exactly returns the system the way it was before all this? And does the "-Scope Process -Force" part of the initial commands play any role?

Like, IF I will give "Set-ExecutionPolicy RemoteSigned" will it get applied OR will PowerShell complain due to the Scope Process Force?

@Brink, hello, please?

 

This PowerShell and the execution policies explained | JeffOps appears to explain the
-Scope” parameter and to my mind if we use the Process switch it will only alter the current process, so closing Powershell will cancel any changes.
I too would like confirmation of that.....

EDIT:
If you run all 3 steps in the OP of this thread, THEN close and Reopen Powershell, THEN ONLY run
Get-SpeculationControlSettings
WITHOUT running the previous 2 steps, it fails to run.
Run all 3 steps again and it works as illustrated so it looks like it does just affect the current process as i said above.

Actually, reading the first post it does say "Temporarily set PowerShell script execution policy"
And if you type Get-ExecutionPolicy when you first open Powershell it's Restricted
Run the first command "Set-ExecutionPolicy Unrestricted -Scope Process -Force" it goes to Unrestricted
Close and reopen Powershell and it's Restricted again

 

Okay, thank you, now I understand it is temporarily. It is OK now.

 

My understanding so far in all this is that the Windows Updates are only a tiny part of the puzzle and its solution, and that it will be future firmware updates that complete the fix... and I also assume that is the point we will see any performance impacts.

Is that a correct assumption ?

I looked at Dell and see they now have a dedicated page to this:

Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products | Dell US


I also see that as yet my Vostro 3750 doesn't make the list (maybe considered to old at 6 yrs).

Also, if a firmware update is the last piece of the puzzle then is it also correct to say that such an update can only be applied manually via a user searching the details out, or a user running a PC that is linked to and automatically supported by a manufacturer ?

I see that as a major issue where things can and will go wrong for some.

 

Seemingly, there will be lot of system that will not receive BIOS/EUFI updates. Most hardware, including the CPU, have a three years warranty. And of course, it is a limited warranty...

The chances are that hardware, where the warranty period expired, the updates will be scarce. OEMs, manufacturers, etc., would love to see you purchase a new system in this stagnating computer market. Even if purchasing a new system will not result in much of a performance increase over the existing one. Especially, if the new system does not have SSD drive and the old one with Sandy or Ivy Bridge CPU does....





That's on my W10 system that's EOL-ed; yes there is a better acronym for that...*Zip