How to test MDS (Zombieload) patch status on Windows systems

PowerShell script tells you if your Windows OS is safe from MDS attacks.

Earlier this week a group of academics and security researchers disclosed a new type of vulnerability class impacting Intel CPUs -- named Microarchitectural Data Sampling (MDS) attacks.

Similar to the now infamous Meltdown and Spectre flaws from last year, MDS attacks allow threat actors to retrieve data that is being processed inside Intel CPUs, even from applications an attacker's code wouldn't normally interact.

Four MDS attacks have been revealed today, with Zombieload considered the most dangerous of them all:

  • CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS) [codenamed Fallout] 
  • CVE-2018-12127 - Microarchitectural Load Port Data Sampling (MLPDS) [codenamed RIDL] 
  • CVE-2018-12130 - Microarchitectural Fill Buffer Data Sampling (MFBDS) [codenamed Zombieload, but also RIDL] 
  • CVE-2018-11091 - Microarchitectural Data Sampling Uncacheable Memory (MDSUM) [codenamed RIDL]

To safeguard systems, users must install Intel CPU microcode updates, but also OS-level updates. Microsoft, along with other OS makers, have already released OS patches today.

Intel has released microcode updates to motherboard and OEM firmware vendors already, and they should be made available to users as part of OEM firmware updates in the future.

Last year, Microsoft released a PowerShell script to help system administrators detect if Meltdown and Spectre patches have installed and are working correctly.

Today, Microsoft updated that same script to support the new MDS attacks, which just like the Meltdown and Spectre vulnerabilities, are also flaws in the speculative execution process, and can be detected the same way.

Below are the steps to download and use the PowerShell script, as well as information to the way results should be interpreted.

1) Open a PowerShell terminal with admin rights. You can do this by clicking the Start button, searching for "Windows PowerShell," right-clicking the option, and selecting "Run as Administrator."


2) In the PowerShell terminal, enter "$SaveExecutionPolicy = Get-ExecutionPolicy".

This will save your current PowerShell execution policy (access rights) to a variable, so you can restore it later.

3) In the PowerShell terminal, enter "Set-ExecutionPolicy RemoteSigned -Scope Currentuser". Don't forget to enter "Y" and then press Enter. If that doesn't work, replace Currentuser with Unrestricted.

4) In the PowerShell terminal, enter "Install-Module SpeculationControl". This command will download and install Microsoft's speculative execution status check script.

5) In the PowerShell terminal, enter "Get-SpeculationControlSettings". This will produce a report like the following:


Sections A and B are practically the same, with section A providing a reasonable explanation of what's currently installed on the system. But for clarity, we've pulled Microsoft's explanations for each of these three checks.

MDSWindowsSupportPresent or "Windows OS support for MDS mitigation is present"

"This line tells you if the Windows operating system support for the Microarchitectural Data Sampling (MDS) operating system mitigation is present. If it is True, the May 2019 update is installed on the device, and the mitigation for MDS is present. If it is False, the May 2019 update is not installed, and the mitigation for MDS is not present."

MDSHardwareVulnerable or "Hardware is vulnerable to MDS"

"This line tells you if the hardware is vulnerable to Microarchitectural Data Sampling (MDS) set of vulnerabilities (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12139). If it is True, the hardware is believed to be affected by these vulnerabilities. If it is False, the hardware is known to not be vulnerable."

MDSWindowsSupportEnabled or "Windows OS support for MDS mitigation is enabled"

"This line tells you if the Windows operating system mitigation for Microarchitectural Data Sampling (MDS) is enabled. If it is True, the hardware is believed to be affected by the MDS vulnerabilities, the windows operating support for the mitigation is present, and the mitigation has been enabled. If it is False, either the hardware is not vulnerable, Windows operating system support is not present, or the mitigation has not been enabled."

6) In the PowerShell terminal, enter "Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser" to restore your system's original PowerShell execution policy. If you want to be safe, just use "Set-ExecutionPolicy -ExecutionPolicy Restricted".

If patches have not been installed, the team of security researchers who uncovered the MDS attacks recommend disabling the Simultaneous Multi-Threading (SMT) feature on Intel CPUs will significantly reduce the impact of all MDS attacks.

More vulnerability reports: