Intel has halted patches for an array of older chips that would protect them against the Spectre vulnerability, according to a recent microcode update.
The microcode update shows that its older products – including Wolfdale, Bloomfield, Clarksfield, Gulftown, Harpertown, Jasper Forest, SoFIA 3GR, and Yorkfield – will no longer receive patches.
“We’ve now completed release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google Project Zero,” said Intel in a statement to Threatpost. “However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback.”
According to the Intel’s microcode update, “after a comprehensive investigation of the microarchitectures and microcode capabilities for… products, Intel has determined to not release microcode updates for these products for one or more reasons.”
Some of these possible reasons, according to Intel’s microcode update, include:
• Micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715)
• Limited Commercially Available System Software support
• Based on customer inputs, most of these products are implemented as “closed systems” and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.
The Spectre and Meltdown defects, which account for three variants of a side-channel analysis security issue in server and desktop processors, were identified earlier this year and could potentially allow hackers to access users’ protected data. Meltdown breaks down the mechanism keeping applications from accessing arbitrary system memory, while Spectre tricks other applications into accessing arbitrary locations in their memory.
Intel has been pushing out patches for its chips over the past few months after the vulnerabilities were revealed. As of this week the rest of Intel’s chips in its microcode update – beyond its older chips that won’t receive patches – are listed as in “Production,” meaning that patches have been issued for them – with the exception of Intel’s Coffee Lake lineup, which is listed as a “Production Candidate.”
Tim Woods, VP of technology alliances at FireMon, told Threatpost that Intel may have ceased plans to patch these chips due to the inability of its partners to push out updates, as well as architectural challenges that block practical implementation of an update.
“Regardless of Intel’s reason, their posture underscores the critical importance of an organization to take ownership of the security of their infrastructure,” he said. “This entails looking at physical security, cloud-based assets, network, server, and desktop assets. In the case of Intel’s resistance to finding a suitable patch for the Spectre vulnerability, it may be that those affected systems must be replaced.”
The Spectre and Meltdown security flaws were first disclosed by Google Project Zero in early January and impact an array of processors on the market, including those from Intel, ARM and AMD. Intel, for its part, has issued several microcode updates to help safeguard its chips from the security flaws. In February, the Santa Clara, Calif.-based company issued these patches for both newer chip platforms, like Kaby Lake, Coffee Lake and Skylake; as well as older processors, including Broadwell and Haswell chips.
Meanwhile, in March, Intel introduced hardware-based protections to its new chips to protect against the Spectre and Meltdown flaws that rocked the silicon industry when the vulnerabilities were made public in early 2018. Intel said designed a new set of CPU design features that work with the operating system to install “virtual fences” protecting the system from speculative execution attacks that could exploit a variant of the Spectre flaw.
“We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 and 3,” Brian Krzanich, CEO of Intel, said in a recent March blog post. “Think of this partitioning as additional “protective walls” between applications and user privilege levels to create an obstacle for bad actors.”
