As a computer scientist, I deal with security vulnerabilities on a daily basis since the perfect operating system has just not been found yet - but this time I almost spilled my tea when I read the news. This issue was different and it affected the core of all computer calculations: the processor itself. And it wasn't just any processor that was vulnerable but practically all of them whether they were built into PCs, cellphones or servers all over the world. This time, the remedy wasn't a simple browser patch. Every operating system had become unsafe taking the wind right out of the sails of Apple users who like to point their fingers at the supposedly inferior security of Windows systems. They were all in danger. Even those who owned none of the CPUs listed couldn't just sit back and relax because the servers that host and process all of our data could also be affected. Read on to learn what happened and how manufacturers are dealing with the dire situation.
It all started with a good idea. To optimize processor performance, CPUs were designed to not only process currently required instructions but also predict and perform potential future calculations to save processing time (speculative execution). Picture a restaurant that has many regular customers. The cook already knows what they'll order so many meals can be prepared in advance. If, however, customers decide to change their order, the pre-made dishes have to be disposed of. Unfortunately, the garbage container isn't properly secured. Or maybe the no longer needed dish is taken by an unauthorized busboy or busgirl and it takes the cook a while to notice this mistake leaving them time to figure out the ingredients. Another option would be tricking the cook into preparing specific meals for later and trying to observe how they're made. Your processor operates in a similar fashion and pre-loads data, including sensitive information like passwords, for potential later use. If left unused, this data then ends up in the trash.
Historically, there was little incentive to specially secure the garbage dump as, back in the day, computers were isolated units in dedicated storage racks without sophisticated networking. That has changed drastically! Meltdown, which so far has mainly affected Intel chips, can be mitigated through software updates but only certain exploitations of Spectre can be stopped in this manner. Spectre affects potentially all processors and may ultimately require a hardware redesign to be fixed. In both cases malicious code has to be slipped onto the target machine, e.g. through email attachments or browser-based malware. If successful, the consequences would be disastrous as, according to Michael Schwarz from the Graz University of Technology, attackers would then be able to read and see everything that's happening on the PC including all user input.
Intel, AMD and ARM reportedly already knew about these vulnerabilities some 6 months ago which may explain why Intel CEO Brian Krzanich felt the need to sell every company share he could get his hands on back in November 2017 (some speculative execution on his part I guess)! It took a while for details on the actual threat and affected processors to come out and they were overshadowed by the usual appeasement tactics. But with continued research, more and more processors ended up on the blacklist. Hardware giant Intel was just the beginning. In the mobile space, the list now includes Qualcomm as well as ARM, whose chip designs are featured in almost all cellphones and tablets. AMD claims to be less affected (some researchers doubt this) but they're still rolling out updates. Roughly speaking, we may be talking about billions of affected devices. Apparently, the vulnerability has been around and built into processors since 1995 despite all later developments.
A lot is still unclear including whether there have been any actual attacks. What is unsettling though is that nobody would have noticed since they would have been untraceable for past and current security mechanisms. Skeptics have their doubts whether secret services really remained completely inactive since they've also known about the issue for months. Some experts even believe this was meant as a deliberate backdoor to circumvent common security mechanisms like passwords and encryption but that's mere speculation. What is clear is that criminals all over the world will now be trying to exploit these vulnerabilities hoping that devices will either receive late updates or no updates at all. Malware attacks like Wannacry and others have shown that even PCs in public institutions and companies are hopelessly outdated and insufficiently maintained. What will happen to the millions of Android cellphones that feature Qualcomm processors and outdated operating systems is anybody's guess.
So what can you do now? The Computer Emergency Response Team (CERT), often advisor to the US Department of Defense and the Department of Homeland Security, has put it quite frankly: immediately install all available updates and, if possible, replace the processor. The latter is not only expensive and requires some skill but there are also hardly any suitable alternatives available! All that's left is to ensure you're running the latest versions of your operating system, browsers and security software. This update hassle may not only cost you nerves but also system performance, however. After some reports claimed performance drops of up to 30%, it is now believed they will be somewhere in the range between 2% and 10%. Reason enough for many to file class action suits. Even so, you should still install patches as soon as they come out. The coming months will likely shed more light on this issue so stay tuned.
What I would like to know: how do you rate the manufacturers' current actions? Are you experiencing update issues as reported in some forums?
Right in the nick of time, Microsoft has released a checking routine that reveals whether your PC is vulnerable. Unfortunately, it's a script-like approach that requires a lot of manual fiddling which is why we've built Ashampoo Spectre Meltdown CPU Checker around it. The program requires no registration or installation and is free. You can find it here: Ashampoo Spectre Meltdown CPU Checker. If you receive an error that PowerShell is missing, you’ll have to do things the hard way and enter everything manually. See here for details.
Here’s a tip for Windows 7 and Windows 8 users. You may need to install Windows Management Framework 5.1 if you don’t have it already. Get it here: https://www.microsoft.com/en-us/download/details.aspx?id=54616.
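How the result of Microsoft's checking routine can be read when you run it by hand, as an added example that is not part of the original article or of Ashampoo's tool. It assumes the object returned by `Get-SpeculationControlSettings` from Microsoft's SpeculationControl PowerShell module; `Get-MitigationVerdict`, `New-SampleSettings` and the three sample objects are constructed for illustration.

```powershell
# Added example. Property names follow Microsoft's SpeculationControl module;
# Get-MitigationVerdict and New-SampleSettings are hypothetical helpers.
function Get-MitigationVerdict {
    param([Parameter(Mandatory = $true)] $Settings)

    # CVE-2017-5715 (Spectre, branch target injection): needs CPU microcode
    # from a BIOS/firmware update plus the OS patch, and must be enabled.
    $bti = $Settings.BTIHardwarePresent -and
           $Settings.BTIWindowsSupportPresent -and
           $Settings.BTIWindowsSupportEnabled

    # CVE-2017-5754 (Meltdown): the OS patch (kernel VA shadowing) suffices;
    # CPUs that are not affected report KVAShadowRequired = $false.
    $kva = (-not $Settings.KVAShadowRequired) -or
           ($Settings.KVAShadowWindowsSupportPresent -and
            $Settings.KVAShadowWindowsSupportEnabled)

    # List what is still missing so the verdict is actionable.
    $missing = @()
    if (-not $Settings.BTIHardwarePresent) {
        $missing += 'BIOS/firmware update (CPU microcode)'
    }
    if ((-not $Settings.BTIWindowsSupportPresent) -or
        ($Settings.KVAShadowRequired -and -not $Settings.KVAShadowWindowsSupportPresent)) {
        $missing += 'Windows security update'
    }

    [pscustomobject]@{
        Spectre  = if ($bti) { 'mitigated' } else { 'vulnerable' }
        Meltdown = if ($kva) { 'mitigated' } else { 'vulnerable' }
        Missing  = $missing -join '; '
    }
}

# Constructed input that mimics the module's output for a CPU that needs
# both mitigations; $bios / $os say which updates have been applied.
function New-SampleSettings($bios, $os) {
    [pscustomobject]@{
        BTIHardwarePresent             = $bios
        BTIWindowsSupportPresent       = $os
        BTIWindowsSupportEnabled       = ($bios -and $os)
        KVAShadowRequired              = $true
        KVAShadowWindowsSupportPresent = $os
        KVAShadowWindowsSupportEnabled = $os
    }
}

Get-MitigationVerdict (New-SampleSettings $false $false)  # before any patches
Get-MitigationVerdict (New-SampleSettings $false $true)   # OS patches only
Get-MitigationVerdict (New-SampleSettings $true  $true)   # OS patches + BIOS update

# On a real machine, after "Install-Module SpeculationControl":
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-MitigationVerdict (Get-SpeculationControlSettings)
}
```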
I figured out my 'execution loop' problem. I had turned on Meltdown protection which apparently really, really, really can degrade performance for older CPUs of which mine is one. I eventually realized that EVERYTHING was running painfully slowly so I turned off the Meltdown protection today and voila, things run normally now including the SpectreMeltdown Checker. Will have to see if I can get a new machine here I think .... there is also no BIOS/firmware update for my CPU either.
My SpectreMeltdownChecker goes into an execution loop that you can not even kill in Task Manager because it keeps starting and stopping and starting and stopping too fast to select then click end process. AND it creates another file update_ash.exe in same folder. It also spawns another process 'update_ash' that toggles on and off with the SpectreMeltdownChecker process. I had to reboot my machine to stop it! I used another tool, InSpectre that says I am not vulnerable to Meltdown, and I AM vulnerable to Spectre, which I expected since there is no BIOS update available for my DELL CPU Intel Core2 Duo E8400. I am running Windows 7, SP1. I do have WMF 5.1 installed. Is anybody else having this problem?
I don't know how reliable is the "Checker" application because if I run it at work on my (i3-4160 & MSI B85M-E45) computer that's on a freshly formatted Windows 10 since the "Fall Update" well I get the (Could not find the powershell executable) error message for unknown reasons.
If I try at home on my brand new 2000$ computer of Christmas 2017, it says I am vulnerable to both even though I did the bios update for my (MSI Krait Gaming Z370) that came out 1-2 weeks ago. That should have fixed the Spectre vulnerability, while I know I am still to Meltdown because the OS update isn't being offered to me by Windows Update because of my stupid anti-virus based on Bitdefender but modified by my ISP which is prolly not compatible yet?
Our results are based on Microsoft’s checking routine which appears to be the best option currently available. Even with the latest BIOS updates, your machine may still be vulnerable especially if you’re running an outdated browser. Skeptics even claim the Spectre exploit can never be fully fixed but only mitigated.
@Sven Krumrey 2018/01/18 04:17 pm
Recognized by the antivirus as malware. :(
-----------------
Your antivirus software gives a false positive!
The creator Steve Gibson is a respected software developer.
Gibson Research Corporation
Read this:
-----------------
BOGUS “SmartScreen” WARNING from Edge and IE11 Browsers
Windows Defender “SmartScreen” appears to have decided that InSpectre is malware. This also happened briefly after the release of our Never10 utility. In this case, it is likely due to the fact that InSpectre's initial release was triggering anti-virus scanners due to the program's use of a specific registry key used to enable and disable the Meltdown and Spectre protections. The second release obscures its use of that (apparently worrisome) key and now appears to pass through most A/V without trouble. So we are hopeful that this SmartScreen false alarm will disappear soon.
In the meantime, PLEASE do not get a copy of this program from any 3rd-party download site, since that one could actually be malicious. If you have any non-Microsoft web browser (Chrome, Firefox, Opera, etc.) you should be able to obtain and use InSpectre without trouble. If you have a friend who is using some other computer (Windows 7 has no problem with this either) ask them to grab it from here and send it to you. Since the program is only 122k (written in assembly language) it's feasible to eMail it.
Thanks for the info! I've just run the program through multiple antivirus engines and it seems to be a false positive indeed.
I can't get this Ashampoo Spectre Meltdown CPU Checker to work!?
This tool works perfectly: “InSpectre”
Recognized by the antivirus as malware. :(
This did not work
Turn off the power?
when I run your tool on Windows 10, I get the following errors without any additional details:
"Error during the vulnerability check"
Is there any way for me to get more details about why the check failed?
--
The only two things I can think of are that either my virus checker is blocking the check or my power shell is a problem. The PC does have power shell, but when I manually start it, I see a message that it cannot load the PSReadline module.
As an extra test, I ran your checker in a CMD window thinking I might get more error details, but no error messages were echo'd to the command window.
My operating system and browsers are all up to date, but I still want to run your checker tool to see if there is anything else I am missing.
Thank you for your time.
There seem to be some Windows-related PowerShell issues. In some cases, firewall settings prevent a launch or antivirus programs interfere with general access or updates. As already described, we’re relying on a Microsoft component so our options are limited. Even the manual approach can lead to issues which only Microsoft’s support can solve.
W10 v16299.192: "Could not find the powershell executable".
One of the causes why this happens is to have the environment variable of temporary files for example in "D:\Installed Programs\TEMP". There can be no spaces on the route. I have changed it to "D:\TEMP" and it works. They have to fix the program to be compatible with all users.
I still get the "Could not find the powershell executable." message? Really would like this check working.
Win7 x64 Intel CPU
Windows Management Framework 5.1 (KB3191566) installed
We’ll release an updated version today so you might want to check it out later. One of our customers pointed out a possible issue and hit the mark!
Thank You,
I have 3 computers and only the slowest one has permanent
connection to the Internet, with no important data on it.
Use Windows Defender for my Emails and Internet
Browsing. Only stupid people showing off suffer from
Internet attacks.
Gerhard
Thanks for the article and the Ashampoo checker. I trust Ashampoo, but if I heard about this from another source I might not trust the information or the checker. There is too much ransomware and too many scams out there.
It’s a regular Ashampoo program that uses our digital signature. Feel free to give it a go. :)
The checker checks but stays checking for hours! Without result.
HP ENVY 750 win 10
Hi again,
On my test machine (Dell 3020M), the AShampoo checker gave me:
Before applying the Microsoft January 2018 patches: Vulnerable to spectre, Vulnerable to Meltdown
After applying the Microsoft January 2018 patches: Vulnerable to spectre, Safe to Meltdown
After applying the Dell BIOS update: Vulnerable to spectre, Safe to Meltdown
Whereas the Microsoft PowerShell test only went "full green" for the CVE-2017-5715/5754 after both the OS patches AND the BIOS update were applied.
My concern is that since the AShampoo test doesn't show any difference between applying the BIOS update or not, users may think there's really no benefit in updating their BIOS.
Thanks again,
Hello,
thanks for your comment.
Sven is off sick for the rest of the week. He will get back to you and answer your comments as soon as he is well again. Best, Mel
I personally think there can be no 100% protection against Spectre at present. We either choose to believe the results, which are based on Microsoft’s test routine, or we don’t. As described on the hint page, I recommend installing all available updates including BIOS updates. I did the same with my notebook at home and only after the BIOS update did the tool report my system to be no longer vulnerable. This doesn’t seem to be the case with all machines though. Only Microsoft can tell exactly what data is being read and processed here.
Thank you for the tool, easier to check than with the microsoft powershell procedure.
But just for my ease of mind:
I tried to run it in a PC that has very restricted internet access, and the machine tried to contact cdn1.ashampoo.net, then the test kept rolling forever in "checking".
I had to give full internet access to the machine to get it to run the test successfully. Then on subsequent tries with the internet blocked again I got "Error during the vulnerability check".
Why? Is it pulling something from the PowerShell Gallery, or an updated vulnerable CPU list, or?
One more question: Does it actually try to perform a side-channel access, or does it rely on checking what the processor make/model is and if OS patches are in place?
Thanks again,
No need to worry. :) Prior to execution, the program always scans for updates to ensure you’re running the latest version including the Microsoft-based test routine. Since this is still a fairly new issue, new updates are still coming out to fix any remaining issues. Microsoft seems to be doing the same.
Thanks for this information. I have checked my laptop using the Ashampoo download and find that Spectre is a problem but Meltdown has a green tick. I suspect that there will be more on this shortly, but hope not to be told my laptop, tablet and phone have to be replaced.
!
Hi Sven
Another article about a subject which shows the complete disregard manufacturers have for we consumers. You asked the question as to the manufacturers reaction and that was plain to see in Intel's CEO reaction - offload the shares asap before every sap in the world was told about it. If you or I did the same, we would probably end up in court. It never ceases to amaze me the disdain in which the consumer is held and how these people get away with it. I'm afraid that the phrase, "nil desperandum", will now be withdrawn from my vocabulary. As for the technical aspect I couldn't really care because I'm sure that, in the coming months and years, we will be bombarded with the news of many more defects and, per usual, no one will be held to account.
Keep up the good work
Kevin (a thoroughly dissatisfied Yahoo user)
ps: if there is anything you feel to be libellous in my post, please don't publish as I am broke.
I have a new (4 weeks old) Asus 15" laptop with Intel i7. I have been extremely impressed with the speed increase over my previous Sony laptop. But immediately after the Microsoft update last week, I found it to be considerably slower. In particular, I use that works with Word 2016 to input Chinese. I type in Hanyu Pinyin, it then inserts into Word the Chinese characters with pinyin above it. It was working very fast before, but now I have to wait maybe 2 seconds for it to think about every character and input it to Word. Makes typing a slow job, but I suppose that's the price for security! Thanks for your good work. David
The joy of computers.....
Internal component malfunctions, viruses, spam, scams, hackers, vulnerabilities = continuous updates required, et al.
If 'the' computer were any other form of machine with the same problems it would have been scrapped many years ago. :-)
Mine says "Could not find the powershell executable," then runs forever.
Creepy.
No sweat. Even if the program doesn't work it won't harm your machine. :) We're currently working on an update and maybe it'll work for you then.
Ashampoo Spectre Meltdown CPU Checker
Win 10 error: "fails to find power shell executable"
and will not run ...
Thank you for the CPU Checker. I note from the exe Properties the version is 1.0.0.7. I think you need to show the version on the product page (and in the GUI). Should you update it, we can know. A changelog would be nice, too. Unless, of course, if you can verify this will be the only version. Keep up the great work!
I'm wondering how long it will be before Intel comes out with a consumer cpu that isn't affected by this? I was thinking of replacing my desktop pc but am now holding off until I know more.
hi
vulnerable system Spectre
@Sven Krumrey 2018/01/11 11:45 am
Bummer. :( We’d even unshelfed a couple of old PCs that could execute the program after that. We’ll continue to look into this issue. Let’s hope Microsoft hasn’t thrown a spoke in our wheel there. Until then, I can only suggest you try the manual way as outlined in the article linked above.
-------------------------------------------------------------
The Speculation Control Validation PowerShell Script (SpeculationControl.zip) is zero byte so that manual solution doesn't work, yet.