Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Weaver]

Just to clarify, as I think what I wrote was ambiguous- I agree 100% with kitz, I meant to say not "do nothing" but "make it configurable". :-)

[banger]

What MS Script is that?  Is there a link please?

Couldn't find the link to the MS page but the below link has all the info. Mind you getting the script to run is a minefield on its own as you might have to set execution policy to remotesigned for it to run in admin powershell.

https://betanews.com/2018/01/05/microsoft-powershell-meltdown-spectre-script/

[Chrysalis]

yeah if you set remotesigned to run it then disable again after

[highpriest]

What MS Script is that?  Is there a link please?

Here you go: https://www.powershellgallery.com/packages/SpeculationControl/1.0.2

[highpriest]

If you don't have PowerShell/WMF 5.x, there is a downloadable version available:

https://gallery.technet.microsoft.com/scriptcenter/Speculation-Control-e36f0050

[broadstairs]

Just tried the downloadable version but it will not run on Windows 7 SP1 Home Premium, gave errors about manifest.

Stuart

[burakkucat]

A useful blog posting documenting the current (as of Jan 6, 2018) Meltdown and Spectre Linux Kernel Status by Greg Kroah-Hartman.

[banger]

@Kitz was the script useful to you?

[kitz]

I didn't get any further than the error message about running scripts and unauthorised access.  :/

As I know my i76700K is one of the affected... and since Windows successfully updated KB4056892 a couple of evenings ago I didn't bother messing any more :/

[Ronski]

Here's what mine says after applying the Windows Update.

Code: [Select]

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimization is enabled: True [not required for security]

Suggested actions

 * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.


BTIHardwarePresent             : False
BTIWindowsSupportPresent       : True
BTIWindowsSupportEnabled       : False
BTIDisabledBySystemPolicy      : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired              : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled           : True
So what does all that actually mean?

[renluop]

@Ronski What is the "mine" referring to in your last post?

[banger]

It means you need a BIOS update as your cpu microcode needs updating. What CPU are you running Ronski? MSI support have told me my motherboard isn't affected (too old) not sure I believe them.

[Ronski]

@Ronski What is the "mine" referring to in your last post?

It's referring to the results of running the previously mentioned script on my main PC. Although we have 6 desktop PC's, 1 laptop and a server here at home.

@Banger Yes I see it suggests a BIOS upgrade is required, but does it mean the Windows patch is not protecting this particular PC? I really need to read up to see just what the implications are and just how vulnerable we are.

This particular PC has an ASRock Fatal1ty X99M Killer 3.1 motherboard with an Intel i7-5820k, and there's no recent BIOS updates so I'll have to ask them.

[renluop]

Well it seems scripts are disabled, and seeing the comments I'm non too sure about the solutions offered.
Maybe I best leave it alone!

[niemand]

If using Chrome https://support.google.com/chrome/answer/7623121?hl=en-GB is probably a good idea. Comes with a hit on resources, naturally.

The patch will, however, prevent rogue Spectre-abusing scripts running on a browser and plundering the memory of other sites - it isolates every site and, indeed, frame, within its own process and the Spectre exploits as far as I'm aware cannot jump out of their own process context.

Meltdown received the coverage because it is, by a mile, worse in terms of impact and easier to exploit. Spectre can be mitigated to some extent through recompilation of binaries and ensuring appropriate isolation of workloads to processes.

EDIT: Microsoft have recently implemented something similar in MS Edge and IE 11. Grab those patches.