Intel has issued updated microcode to help protect its newer processors from Spectre security exploits.

The Santa Clara, Calif.-based company’s new microcode updates – which impact its newer chip platforms, such as Kaby Lake, Coffee Lake, and Skylake – have been released to OEM customers and partners.

“This represents our 6th, 7th and 8th Generation Intel Core product lines as well as our latest Intel Core X-series processor family. It also includes our recently announced Intel Xeon Scalable and Intel Xeon D processors for data center systems,” said Navin Shenoy, executive vice president and general manager of the Data Center Group at Intel, in a statement.

Spectre and Meltdown, which account for three variants of a side-channel analysis security issue in server and desktop processors, could potentially allow hackers to access users’ protected data.

While Meltdown breaks down the mechanism keeping applications from accessing arbitrary system memory, Spectre tricks other applications into accessing arbitrary locations in their memory. The security flaws, which were first disclosed by Google Project Zero in early January, impact an array of processors on the market, including those from Intel, ARM and AMD.

The company initially released patches addressing the Spectre and Meltdown vulnerabilities in January, but later yanked its patches for the Variant 2 flaw – both for client compute and data center chips – after acknowledging that they caused “higher than expected reboots and other unpredictable system behavior.”

And while Intel last week announced it was re-issuing fixes for several Skylake-based platforms, the company had not given further details for its other newer processors – including Kaby Lake and Coffee Lake – until Tuesday.

In addition to its newer Skylake, Kaby Lake and Cannon Lake platforms, Intel said in the post that it has “now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it.” The chip giant also updated its scheduling around microcode updates for Spectre and Meltdown, showing that it is currently in the beta phase of production for updating certain models of its Ivy Bridge, Sandy Bridge, Haswell, and Gladden platforms.

Intel has been looking to step up its security game on the heels of Google Project Zero’s discovery of Meltdown and Spectre. Last week the company launched a new bug bounty program focused specifically on side channel vulnerabilities similar to Spectre and Meltdown, with potential awards for disclosures totaling up to $250,000. Also last week, Intel released a new whitepaper detailing Google’s software fix for Spectre, called Retpoline.

“The new microcode will be made available in most cases through OEM firmware updates. I continue to encourage people to always keep their systems up-to-date,” said Shenoy in the statement.

Categories: Hacks, Privacy, Vulnerabilities

Comment (1)

  1. John S
    1

    My concern is that the solutions only address the initial discovery POC for both MeltDown and Spectre. Already there are other POC being shown to try and get around these hardware flaws. Its conceivable that this will be a ongoing issue with a hardware issue that is not going away. I personally would like to see a ability to just defeat this hardware flaw and accept the speed penalty in trade for a safer processor. In general I think we will eventually go down that path anyway only at a slower pace. The fact that older CPU’s haven’t even received any firmware mitigation means they either have more issues with performance penalties, or they are simply more vulnerable. At this time, they are more vulnerable and it appears that some might never get firmware updates. OEM’s are typically bad at supporting older hardware not currently being sold. I do not see this changing even for a Spectre issue.

    Reply

Leave A Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>