OK, my long and sometimes odd adventures with Spectre and Meltdown patches are finally concluded. Eight of the nine systems here at Chez Tittel are now patched. That’s as far as I think I’ll ever get because my wife’s PC is built around a Jetway NF9G-QM77 mini-ITX motherboard. Its most current BIOS update is from September 2017, from a company for which no word on Spectre/Meltdown updates is available. Thus, for my PCs, eight ninths patched for Spectre/Meltdown is as far as I’ll get. It’s been a wild ride. I’d like to document it just a tad to explain what others should be going through, too. Or what they should expect to go through soon.
Steve Gibson’s InSpectre utility finally gives the T520 and its Sandy Bridge CPU a clean (but slow) bill of health.
Getting to PCs Now Seven Eighths Patched for Spectre Meltdown
It all started as we got back from our end-of-year skiing/snowboarding holiday just after New Year’s. Word on these vulnerabilities emerged as soon as January 2. But I didn’t find out until I returned to my desk on January 5. After driving back from the northeastern part of Colorado, I wasn’t ready to deal with a major security flaw. But there it was, and we all had to deal with it. It soon became apparent that Meltdown and Spectre Variant 1 could be handled via OS-level patching (all complete now, thank goodness). However, Spectre v2 required a firmware patch. Or, as it turned out, a series of firmware patches. That’s because the first set of patches for Haswell and Broadwell caused as many problems as they were supposed to solve.
The Timeline from Discovery to (Mostly) Mitigated
Here’s a rough timeline for how things unfolded for my PCs, as far as those firmware updates went:
January 2018
Surface Pro 3 gets a firmware patch 2nd week (1 of 8)
Dell Venue Pro 11 gets a firmware patch late 2nd week (2 of 8)
On 1/15 Intel advises against applying firmware patches
February 2018
Not much happens with firmware patches
March 2018
Microsoft issues firmware patch for Skylake, Coffee Lake, Kaby Lake 3/8 (3 of 8)
Dell XPS27 (Haswell) gets a firmware patch 2nd week (4 of 8)
ASRock issues firmware updates for Haswell, Skylake, Coffee Lake, Kaby Lake 3/15 (5&6)
Lenovo issues firmware updates for Haswell, Ivy Bridge and Sandy Bridge 3/15 (7&8)
Hiccups and Lessons Learned
I have an issue with the Dell Venue Pro following its first semi-successful BIOS/UEFI update. It closed the Spectre v2 vulnerability but left the machine unable to reboot normally. I must pop the battery out and remove the power cord before the unit will boot after a shutdown or restart. Thus, I can’t apply the latest update to the UEFI. Among other things, it is supposed to address that very problem. I’m going to have to find and run a flash utility that works from an alternate boot.
That’s what I did with the two Lenovo laptops. Their Lenovo Windows Flash utility works only in Windows XP, Vista, 7 and 8. But I’m running Win10 on those machines. Fortunately, Lenovo also makes the update available in ISO form. It boots to alternate (optical) media and flashes the BIOS from DOS. Even though the Windows utility crashed my Win10 laptops, I eventually booted into DOS to flash them anyway. Along the way, I had to remember to reset boot to support both Legacy and UEFI modes. That’s because DOS is so old, it boots only in legacy mode. On the T520 that was how the machine was set; the X220 Tablet was “UEFI only.” I couldn’t boot to the optical disk until I made that change. Sigh.
One of the ASRock motherboards (Z170 Extreme 7+) delivered the update in a Windows-based flash executable. It was easy to apply. The other, a Z97 Killer Fatal1ty, required using the Instant Flash tool within UEFI. I had to format a USB flash drive to FAT32, unpack the ZIP file to that device, then run the tool from UEFI to apply that update. Took a while, but worked just fine.
No Hiccups Are Nice, Too!
Except for the issue with the Dell Venue Pro and the second UEFI/BIOS update, the Dells and the Surface were by far the easiest to deal with. The Dell Support utility checked for the updates, grabbed them as they became available, and applied them with zero muss and fuss. Ditto for the Surface Pro 3.
All in all, while it took longer than I think any of us expected it to, the overall process wasn’t too horrible. Let’s hope this kind of thing doesn’t become too routine, either!