cancel
Showing results for 
Search instead for 
Did you mean: 

How-to: Patch Meltdown and Spectre

Khaosd
Level 7
First things first, this guide is assuming the following:

1) You are using the Asus Maximus Hero VIII
2) You are on Windows 10 x64

If you are not using the same mobo, the few links i provided below pointing to the ASUS website will allow you to select your actual mobo's model, which in turn will also let you select the OS you're on. I'll also provide information on the various MS updates below for the various OSes.

As a last resort, things shouldn't be too hard to source for considering how large a scale these two exploits are currently, so google.

Also, take note I update whenever I am aware of the news, hence some steps may be redundant (eg. perhaps BIOS 3703 already updated the ME firmware). However I will follow exactly how I did it from start to end to ensure that it should work for you, like how it did for me.

So here goes:

Miscs.

First I updated Chrome and Firefox. Yep they too have taken measures to defend against meltdown and spectre, I assume the rest of the browsers should have caught on as well by now, so do remember to check for updates.

1. ME firmware + Interface

**The following fixes 8 critical vulnerabilities found in a review right before Spectre and Meltdown was announced, as such, this technically does not address Spectre and Meltdown, but imho, is equally an important fix. (Read more here: http://www.eweek.com/security/intel-patches-management-engine-for-critical-vulnerabilities)

Asus released updates for the ME firmware + Interface, this can be found here: https://www.asus.com/sg/Motherboards/MAXIMUS-VIII-HERO/HelpDesk_Download/

Firmware: http://dlcdnet.asus.com/pub/ASUS/mb/LGA1151/Z170-A/MEUpdateTool_UI_20171103_TP.zip
Interface: http://dlcdnet.asus.com/pub/ASUS/mb/03CHIPSET/Consumer_11.7.0.1040.zip

If you are using a different Mobo, you can just click on 'FIND ANOTHER MODEL >' right below the mobo's name. Once found, go search under Drivers and Tools.

Note the above are not the latest however they should suffice. To verify whether you are protected: https://downloadcenter.intel.com/download/27150?v=t

Just download and run the DiscoveryTool.GUI

2. Windows Update

Windows released a critical update. This should be auto updated if you'd never changed any windows policy or settings. To be sure, you can search for it in your add remove programs to see whether the following has been installed:

**Please note back when this update was released it conflicted with a few Anti Virus programs, you can see where your AV is right now: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/edit#gid=0 , it should be Y Y to ensure maximum compatibility.

*** There has been some controversy on how MS is handling the issue with setting the registry keys, however i leave it up to you to do your own research and weigh the consequences.

Windows 10 — KB4056892 (issued 1/3/18)
Windows 8.1 and Server 2012 R2— KB4056898 (issued 1/3/18)
Windows 7 SP1 and Server 2008 R2 SP1 — KB4056897 (issued 1/3/18)


Source & Direct download link if update not found: https://blog.barkly.com/meltdown-spectre-patches-list-windows-update-help#OS-updates

Now if you use AI SUITE 3, installing this update will break all the old versions. You can download the newer version(Beta) that fixes this issue, here: https://rog.asus.com/forum/showthread.php?98800-AI-Suite-3-Beta-Version-3-00-10-user-test-report-thr...

Note: Those who use AI SUITE 3 and have a tendency to update and/or reinstall may be aware it can be a beach to remove it completely. I will provide another guide below on how to do a clean install of AI SUITE 3.

3. Bios

Lastly, Asus release Bios 3703 for the ASUS Maximus Hero VIII, which originally was uploaded wrongly (2018/1/12 was for the Alpha), now I just checked and it seems like the download has been corrected: https://www.asus.com/sg/Motherboards/MAXIMUS-VIII-HERO/HelpDesk_Download/ (it should be dated 2018/1/15)

Regardless, if you are using a different Mobo, you can just click on 'FIND ANOTHER MODEL >' right below the mobo's name. Once found, go search under Drivers and Tools.

FYI, Asus Advisory on the various mobos and bios available: https://www.asus.com/News/V5urzYAT6myCC1o2

Final Check (Windows 10 PowerShell method)

**Although Win7 has PS, the steps to launch it is not so obvious, so I will suggest using a few 'checker' software available out there.

Now once that's done, you should be ready. Next is to do a check on whether everything's green:

1) Right click Start > Windows Powershell (Admin)

2) Type: Install-Module SpeculationControl , if prompted, Y

3) Type: Set-ExecutionPolicy RemoteSigned, if prompted, Y

4) Type: Import-Module SpeculationControl

5) Type: Get-SpeculationControlSettings

After which a bunch of information will show, Not to worry, just make sure that there are no red lines, everything should be green. Once that's done:

6) Type: Set-ExecutionPolicy Restricted

You can close Powershell now.

Post-Notes

Some say the windows update and / or the bios causes a drop in performance (Intel claims an 8% drop for 6 Gen 6700k: https://newsroom.intel.com/editorials/intel-security-issue-update-initial-performance-data-results-c...), I personally don't really feel anything... As a matter of fact, after updating the bios and oc-ing my CPU, I was able to reach 100mhz more on my OC. but yeah, I guess your mileage may vary.

Lastly, everything regarding Spectre and Meltdown as of now is still developing, and my guide is just the first few stepping stones for you. I may or may not update this post in future, considering I'm seeing more and more guides that are more concise and detailed. As such should this guide be not updated, with your experience going through my guide and with a little bit of googlefu, the follow ups should be a piece of cake.

If you still need a hand tho: https://blog.barkly.com/meltdown-spectre-patches-list-windows-update-help

I recommend them since they don't bury you in technical jargons, and most of my research was assisted by reading their article.

Good luck!


Windows 10: How to clean uninstall AI SUITE 3 and install the Beta

**should work on windows 7 as well

***I've encountered issues with AVIRA a few years ago, I suggest disabling it or any antivirus when you are installing the new AI SUITE 3 in step 8, should you encounter any issues.

Ai Suite is useful (to me), but it can be a real sore in the butt to remove and get it to work properly after a reinstall or update, I've personally done alot of research, reformat, re-installation to get to, what I feel is the cleanest and trouble free steps to get AI SUITE working. I now offer it to those who are having issues, although with all its quirks, I won't be surprised if you say my methods don't work. If so, I'm sorry I can't help more:

1) Uninstall the old AI SUITE 3, Restart your computer

2) Ctrl + Shift + Esc > head over to Services tab, sort by Description and, assuming you only have AI SUITE 3 installed, stop EVERYTHING with the word 'ASUS' (2 to 4 services usually), if not, you will have to find out which services are related to AI SUITE 3. Restart your computer

*If you are using Windows 7, you may be getting ALOT of "ATK_CMD stopped working" popups once desktop shows, ignore. (Windows 10 will have this error but it can only be seen in Reliability Viewer)

3) Go to C program files and delete the ASUS folder (assuming you only have AI SUITE 3 installed)

4) Show hidden folders and go to C program data and delete the ASUS folder (assuming you only have AI SUITE 3 installed)

5) Run CCleaner

6) Restart your computer, smash Delete (or any key that goes to BIOS), reset everything to optimized default, save and exit. Power down.

7) open up your case and hit the clr_cmos button, if unsure, check manual.

😎 Restart Computer, hit F1 if prompted, Save and restart computer. download the new AI SUITE beta (Link above), Install USING SETUP.exe INSTALL OF ASUSSETUP.exe!

Now AI SUITE 3 should work without issues, hopefully.
32,044 Views
46 REPLIES 46

Loaded_Glove
Level 7
Wonderful guide that will certainly be a welcome sight for those like me who aren't uber technical and get nervous doing these types of updates!

I have just 1 question after browsing 1 of your links, which of these do I dl? The delta AND the cumulative or... ? http://www.catalog.update.microsoft.com/Search.aspx?q=KB4056892

Thanks in advance!

~update~

Rather than wait for confirmation, I just installed the cumulative. Ran the ashampoo checker and it says I am fully secure.
Thanks again for the useful guide!

bcx01
Level 7
Thanks for the guide.

A few questions. Do I need to download and install the previous BIOS/UEFI patches to secure myself against other vulnerabilities? How do I patch against Intel ME?

Loaded Glove wrote:
Wonderful guide that will certainly be a welcome sight for those like me who aren't uber technical and get nervous doing these types of updates!

I have just 1 question after browsing 1 of your links, which of these do I dl? The delta AND the cumulative or... ? http://www.catalog.update.microsoft.com/Search.aspx?q=KB4056892

Thanks in advance!

~update~

Rather than wait for confirmation, I just installed the cumulative. Ran the ashampoo checker and it says I am fully secure.
Thanks again for the useful guide!


Good to hear, sorry I couldn't reply earlier. But just fyi, in future if necessary: http://news.softpedia.com/news/windows-10-gets-first-delta-updates-in-addition-to-cumulative-updates...

bcx01 wrote:
Thanks for the guide.

A few questions. Do I need to download and install the previous BIOS/UEFI patches to secure myself against other vulnerabilities? How do I patch against Intel ME?


Question 1: No just the latest will do.

Questions 2: not sure if i understand your question correctly, do you mean how do you update Intel ME? you can look at no. 1 of my guide above for more info. if you are not using the hero VIII then please click on Find another model below the mobo's name https://www.asus.com/sg/Motherboards/MAXIMUS-VIII-HERO/HelpDesk_Download/

They should be found under 'BIOS' and 'Chipset' category.

If your model does not carry the updates, then it's best to check with ASUS directly on this.

Note: The ME update does not specifically address Spectre and Meltdown, only the BIOs and Windows Update does. However, it is in my very humble opinion that the 8 critical vulnerabilities be fixed if found in your system, hence I address it in my guide(for more info on this 8 crit vulnerabilities: http://www.eweek.com/security/intel-patches-management-engine-for-critical-vulnerabilities). Though on hindsight, I should edit it to state that so as to avoid any confusions.

thanks 🙂

bcx01
Level 7
The link http://www.eweek.com/security/intel-patches-management-engine-for-critical-vulnerabilities isn't working

So downloading the latest patch for my motherboard (Maximus VIII Hero) will patch the Intel ME vulnerability too or is there another patch to download and install

bcx01 wrote:
The link http://www.eweek.com/security/intel-patches-management-engine-for-critical-vulnerabilities isn't working

So downloading the latest patch for my motherboard (Maximus VIII Hero) will patch the Intel ME vulnerability too or is there another patch to download and install


The link is just for you to read up.

Anyway, yep. whatever is stated in my guide should keep your system up to date as of current.

bcx01
Level 7
How do I update the BIOS after downloading the file? It's a .CAP file

Nate152
Moderator
Hi bcx01

Put the bios file on a usb flash drive, insert the flash drive into a usb port.

Go into the bios and go to the Tool tab and select EZ Flash Utility, find your flash drive and click on it. You should see the new bios, click on it and it will ask you if you want to update, click yes.

bcx01
Level 7
I've updated it accordingly to OP's guide and I have two "False", how do I correct these issues?

70705