Meltdown Spectre security vulnerabilities

Meltdown Spectre security vulnerabilities




Meltdown Spectre security vulnerabilities

As Intel, AMD, and other CPU manufacturers have started releasing firmware updates for processor models affected by the Meltdown and Spectre patches, those updates are now integrating these patches into BIOS/UEFI updates for affected PCs.

These BIOS/UEFI updates are to address the Meltdown and Spectre issues that have happened since the beginning of the year.

Software patches at the operating system level have largely mitigated the Meltdown flaw, but both Microsoft and the Linux community said a firmware fix would be necessary to fully address the Spectre vulnerability. WhizzleShamizzle. Meltdown and Spectre security vulnerabilities

Easily examine Windows hardware and software capability to prevent Meltdown and Spectre attacks – Download InSpectre

Updated October 29th 2018

Acer Acer only lists vulnerable desktop, notebook, and server products. Says it will release firmware updates for server products in March. No timeline for desktop and notebook products.
ASRock The ASRock site is a mess. There’s no central security advisory, and users will have to visit the “Latest BIOS Update” page and sift through the updates by hand. The good news is that there are a lot of recent BIOS releases containing Intel updates dated after the Meltdown and Spectre disclosure.
ASUS ASUS says it will release BIOS updates for affected products by the end of January.
Dell BIOS updates are available for some Dell desktop, notebook, and server products. The Dell security advisory contains several other links to various products types. You can use this page as the central hub to search for what you need.
Fujitsu BIOS updates are available for some products, but not all. The security advisory contains multiple links to various product types.
Gigabyte Motherboard provider Gigabyte has released BIOS updates. Users will have to access the advisory, click on the motherboard series name in the list of affected table, and check for a recent BIOS update on each motherboard product’s page.
HP BIOS updates are available for almost half of the HP products listed as vulnerable.
Huawei Huawei has only listed vulnerable products. Says an “investigation is still ongoing.”
Intel Intel has released updates for most NUC, Compute Stick, and Compute Card products.
Lenovo Lenovo has the best advisory yet, with detailed tables for all affected products, including download links and upcoming BIOS download availability for each one.
LG Nothing is available for LG at present, if it becomes available it will be updated
Panasonic Panasonic said it aims to release BIOS updates for vulnerable PC models starting the end of the month and continuing through February and March.
Microsoft Microsoft has released UEFI updates for Surface products.
MSI MSI has released BIOS updates.
Toshiba Toshiba has not released any BIOS/UEFI updates just yet. The company lists affected products and an approximate timeline when it hopes to have updates available.
Vaio Some BIOS updates are available. More to follow.

Meltdown and Spectre security vulnerabilities

Update to disable mitigation against Spectre, Variant 2


Notice: Applying this update will disable the Spectre variant 2 mitigation CVE-2017-5715 – “Branch target injection vulnerability.” Customers can apply this update to prevent unpredictable system behaviors, performance issues, and/or unexpected reboots after installation of microcode.

Intel has reported issues with recently released microcode meant to address Spectre variant 2 (CVE 2017-5715 Branch Target Injection) – specifically Intel noted that this microcode can cause “higher than expected reboots and other unpredictable system behavior” and then noted that situations like this may result in “data loss or corruption.” Our own experience is that system instability can in some circumstances cause data loss or corruption. On January 22, Intel recommended that customers stop deploying the current microcode version on affected processors while they perform additional testing on the updated solution. We understand that Intel is continuing to investigate the potential effect of the current microcode version, and we encourage customers to review their guidance on an ongoing basis to inform their decisions. WhizzleShamizzle

While Intel tests, updates and deploys new microcode, we are making available an out-of-band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.” In our testing, this update has been found to prevent the described behavior in devices that have affected microcode. For the full list of affected devices, see Intel’s microcode revision guidance. This update covers Windows 7 (SP1), Windows 8.1, and all versions of Windows 10, for client and server. If you are running an affected device, this update can be applied by downloading it from the Microsoft Update Catalog website. Application of this payload specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.” WhizzleShamizzle

Note Users who do not have the affected Intel microcode do not have to download this update.

We are also offering a new option – available for advanced users on affected devices – to manually disable and enable the mitigation against Spectre Variant 2 (CVE 2017-5715) independently through registry setting changes. The instructions for the registry key settings can be found in the following Knowledge Base articles:

Download Patch or directly from the Microsoft Catalog

Further updates will be added as they’re released.

Meltdown and Spectre security vulnerabilities

Leave a Reply