Monday, January 08, 2018

PowerShell: Checking for the Meltdown and Spectre CPU Flaws

You have probably already heard about the Meltdown and Spectre flaws in Intel CPUs. The flaws have existed in the chips since 1995. They also affect any OS that runs on the affected Intel chips, so it is not just Windows: Linux and macOS are affected too.

On January 3, 2018, Microsoft released out-of-band Windows updates to address the Meltdown and Spectre flaws. It is worth noting that these patches should be tested on machines before they are deployed to a full environment. There have been posts about incompatibilities found with AMD processors and some anti-malware packages.

Microsoft has four help pages of guidance for client and server:

Microsoft has instructed anti-malware vendors to modify their products and create a specific registry key on customers' computers to confirm that their products won't crash the PCs if the patches are installed.
"The compatibility issue arises when antivirus applications make unsupported calls into Windows kernel memory. These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot. To help prevent stop errors that are caused by incompatible antivirus applications, Microsoft is only offering the Windows security updates that were released on January 3, 2018, to devices that are running antivirus software that is from partners who have confirmed that their software is compatible with the January 2018 Windows operating system security update."

Meltdown and Spectre Flaws Diagnostics

To check if you have the anti-malware compatible registry key:
REG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat /v cadca5fe-87d3-4b96-b7fb-a231484277cc

To test whether a computer has been patched, you can use a PowerShell module and cmdlet that Microsoft has created to check for the existence of the flaw and the patch.

  • Download and install the PowerShell module: Install-Module SpeculationControl
  • Run the following PowerShell command: Get-SpeculationControlSettings

Note: If you can't run the commands, you might need to change the PowerShell execution policy: Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
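
The two checks above can be combined into one function that returns a single result object per machine, which is easier to collect across many hosts than the cmdlet's console report. This is an added example, not code from Microsoft or from the original post; the function name Test-SpeculationPatchState and the output field names are hypothetical. It reads the BTI* and KVAShadow* properties of the object that Get-SpeculationControlSettings returns.

```powershell
# Added example: summarize the registry check and the SpeculationControl result.
# Test-SpeculationPatchState and its output field names are hypothetical.
function Test-SpeculationPatchState {
    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $valueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

    # 1. Anti-malware compatibility flag. Without it, the January 3, 2018
    #    security update is not offered to the machine.
    $avFlag = $true
    try {
        $null = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction Stop
    } catch {
        $avFlag = $false   # key or value missing
    }

    # 2. Mitigation state reported by Microsoft's SpeculationControl module.
    if (-not (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue)) {
        throw 'SpeculationControl not found. Run: Install-Module SpeculationControl'
    }
    $s = Get-SpeculationControlSettings   # also prints its own report to the console

    # Meltdown: mitigated when kernel VA shadowing is not required on this CPU,
    # or when Windows support for it is both present and enabled.
    $meltdown = (-not $s.KVAShadowRequired) -or
                ($s.KVAShadowWindowsSupportPresent -and $s.KVAShadowWindowsSupportEnabled)

    # Spectre (branch target injection): needs hardware/microcode support
    # plus Windows support that is present and enabled.
    $bti = $s.BTIHardwarePresent -and $s.BTIWindowsSupportPresent -and
           $s.BTIWindowsSupportEnabled

    # Explain why the branch target injection mitigation is off, if it is.
    $btiBlockedBy = $null
    if ($s.BTIDisabledBySystemPolicy)          { $btiBlockedBy = 'system policy' }
    elseif ($s.BTIDisabledByNoHardwareSupport) { $btiBlockedBy = 'no hardware support' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        AvCompatFlagSet     = $avFlag
        OsPatchInstalled    = ($s.KVAShadowWindowsSupportPresent -or $s.BTIWindowsSupportPresent)
        MeltdownMitigated   = $meltdown
        SpectreBtiMitigated = $bti
        BtiBlockedBy        = $btiBlockedBy
    }
}

Test-SpeculationPatchState | Format-List
```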
