Tuesday, April 3rd 2018

Intel Stops Development, Deployment of Spectre Microcode Update for Several CPU Families

Intel, in its latest Microcode Revision Guidance Guide, has apparently stopped development of mitigations for some of its processor families that still haven't been updated to combat the threat of Spectre. The return to form of security on Intel products has been a steep and slow odyssey, as the company has struggled to deploy mitigations for speculative execution attacks across the processor families that are affected. Some families of products, however - such as Penryn, Wolfdale, Bloomfield and Yorkfield, among others - are apparently not going to get an update at all.
The "Production Status" for mitigations for these families has been updated from the "Planning" or "Pre-Beta" state found in Intel's March 6th 2018 Microcode Revision Guidance Guide to a new, previously unseen "Stopped" state in the latest version of the Guide, published on April 2nd.
The reasons for this "Stopped" state, as Intel puts it, are that "After a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products for one or more reasons including, but not limited to the following: a) Micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715); b) Limited Commercially Available System Software support; c) Based on customer inputs, most of these products are implemented as "closed systems" and therefore are expected to have a lower likelihood of exposure to these vulnerabilities."

If any one system with this vulnerability does get exploited via a method that could have been averted by a now "Stopped" patch, though, Intel had better start reeling those lawyers back into the fold. Sources: Microcode Revision March 6th, Microcode Revision April 2nd, Thanks @ User Digitama!

46 Comments on Intel Stops Development, Deployment of Spectre Microcode Update for Several CPU Families

#1
ikeke
From pentest perspective this is quite interesting.

So legacy systems inside the network are most likely unpatched, and I find legacy systems to be the most apparent attack vector. Right after marketing, of course :)
#2
RejZoR
What this means is that Intel evaluated that companies or businesses still using these "old" processors will most likely upgrade to their newer "secure" processors. Why spend money making security if others can spend money buying your newer products. Win win for Intel.
#3
HD64G
Anti-customer practice applied again by Intel as usual. But since most buy their products after all those years of them behaving like this, why should they change their stance? They were forced to make 6-core CPUs for the masses and lower their CPU prices ONLY after Ryzen came to market, after all.
#4
windwhirl
Not surprising they are not supporting Core 2-era and older processors, nor some of the early Core i series. In fact, I can't really disagree with it. They are old products (most of them 10 years old or more). It makes sense, since someone keeping those systems running does it mostly for compatibility issues with newer hardware or software, not for security reasons.
#5
Easo
I was surprised when those were actually on the list first. But yeah, this is both understandable (10+ year old CPUs are... old and not exactly common anymore) and despicable.
#6
_JP_
Me (+ a lot of other people):

windwhirl said:
Not surprising they are not supporting Core 2-era and older processors, nor some of the early Core i series. In fact, I can't really disagree with it. They are old products (most of them 10 years old or more). It makes sense, since someone keeping those systems running does it mostly for compatibility issues with newer hardware or software, not for security reasons.
I have several Core 2 Duo machines running daily at home and some 1st gen Core i at work. Not for compatibility reasons, but because they just work fine. I'm not into being pushed for an upgrade in this way.
#7
trparky
RejZoR said:
What this means is that Intel evaluated that companies or businesses still using these "old" processors will most likely upgrade to their newer "secure" processors. Why spend money making security if others can spend money buying your newer products. Win win for Intel.
windwhirl said:
Not surprising they are not supporting Core 2-era and older processors, nor some of the early Core i series. In fact, I can't really disagree with it. They are old products (most of them 10 years old or more). It makes sense, since someone keeping those systems running does it mostly for compatibility issues with newer hardware or software, not for security reasons.
To those who say that they are upset about Intel not supporting these older chips I have to ask... at what point do you have to cut off support? Five years of support is really generous in terms of both hardware and software support. If you get ten years? Great! You were extremely lucky but like with any trip to the casino, your luck will eventually run out.
#8
RejZoR
One thing is general support, something else is rare exceptions like this one. And when a vulnerability is reaching so far in the past, shit needs to be fixed. At least Nehalem should still be supported since this is the oldest HEDT that still matters. Core 2 can be skipped though.
#9
Gasaraki
I'm actually surprised that they even looked at these processors. Some of these are 10+ years old. I'm using an early Xeon but I'm not complaining. This is realistic.
#10
R-T-B
Where's Westmere in this? I have one such system somewhere...
#11
windwhirl
R-T-B said:
Where's Westmere in this? I have one such system somewhere...
Page 16. Westmere EX & Westmere EP. Production
#12
Assimilator
@Raevenlord You could at least link to Intel's page regarding this: https://newsroom.intel.com/microcode

R-T-B said:
Where's Westmere in this? I have one such system somewhere...
The server (Westmere-EP, Westmere-EX, Westmere-WS) and laptop (Arrandale) parts do have patches available. The remaining members of that family are outta luck.
#13
Captain_Tom
RejZoR said:
What this means is that Intel evaluated that companies or businesses still using these "old" processors will most likely upgrade to their newer "secure" processors. Why spend money making security if others can spend money buying your newer products?
The greater question is: Why would anyone upgrade to Intel after finding out they have been using insecure hardware for years, and AMD's product line was secure the entire time?
#14
R-T-B
Captain_Tom said:
The greater question is: Why would anyone upgrade to Intel after finding out they have been using insecure hardware for years, and AMD's product line was secure the entire time?
Performance? Fitness for application? Many reasons beyond one rogue security exploit which also had fallout on the AMD side with Spectre?
#15
windwhirl
Captain_Tom said:
The greater question is: Why would anyone upgrade to Intel after finding out they have been using insecure hardware for years, and AMD's product line was secure the entire time?
Nothing is secure by nature. The only thing that happened here is that we found out a vulnerability that works on almost all processors made in the last 15 or 20 years.
Made worse by insider trading and the fact that Intel knew about these issues before they launched Coffee Lake.
#16
Hood
My Haswell 4790K was not covered by any patch that I know of (other than the Microsoft KB4056892 patch for Meltdown). Asus didn't release new firmware for any Z97 boards, and apparently don't have any plan to going forward. So a lot of fairly new systems are still vulnerable to Spectre. I quote from this post on the ROG forum -
"I have i7 4790k @ 4.5Ghz and ASUS Z97 Maximus Vii Hero. I called ASUS customer support last week, and the customer supporter said they are not sure if the Z97 board will get a new BIOS update for the Spectre vulnerability and possibly no more BIOS updates because my board and other ASUS Z97 boards are not in production anymore. But if ASUS released a BIOS update for the X99 boards, then how come not the Z97 board as well? Both chips support 4th and 5th gen CPUs."
Asus is the top motherboard supplier in the world, so if they don't patch, I'm guessing no others will go further back than Skylake. Their list of laptops and pre-built machines that received BIOS updates only seems to cover Kaby Lake systems. https://www.asus.com/News/YQ3Cr4OYKdZTwnQK
#17
RejZoR
Captain_Tom said:
The greater question is: Why would anyone upgrade to Intel after finding out they have been using insecure hardware for years, and AMD's product line was secure the entire time?
Why would anyone buy slow and ridiculously hot Prescott processors? Well, there's your answer. People are generally dumb. And those who are Intel fanatics think there is nothing better out there and they'll just buy Intel again even if it's the worst crap out there, just because it's Intel. Yeah, I'll never understand them either.
#18
trparky
Hood said:
My Haswell 4790K was not covered by any patch that I know of (other than the Microsoft KB4056892 patch for Meltdown).
Theoretically speaking, as long as Intel releases the microcode update and Microsoft gets it your system will receive the microcode update regardless of whether or not your motherboard manufacturer creates an updated UEFI. Windows will simply load the microcode update at kernel initialization time.
#19
eidairaman1
The Exiled Airman
windwhirl said:
Nothing is secure by nature. The only thing that happened here is that we found out a vulnerability that works on almost all processors made in the last 15 or 20 years.
Made worse by insider trading and the fact that Intel knew about these issues before they launched Coffee Lake.
Yup, the issue is them knowing about it and never fixing it in the first place...
#20
Hood
trparky said:
Theoretically speaking, as long as Intel releases the microcode update and Microsoft gets it your system will receive the microcode update regardless of whether or not your motherboard manufacturer creates an updated UEFI. Windows will simply load the microcode update at kernel initialization time.
The MS patch covers Meltdown, but not Spectre. Confirmed by running InSpectre.exe from here - https://www.grc.com/inspectre.htm.
#21
trparky
Hood said:
The MS patch covers Meltdown, but not Spectre.
Yes, I understand that but that's because the microcode update for anything but 6th generation and newer hasn't been released yet. When Intel does, Microsoft will get it and all Windows systems will get it.
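The last few posts turn on a practical question: has a given machine actually received a Spectre Variant 2 (CVE-2017-5715) mitigation, whether via firmware or via an OS-loaded microcode update? On Windows the commenters check this with InSpectre. The script below is an added example, not code from the article or from any commenter, showing the equivalent check on Linux as a POSIX shell script: it reads the kernel's per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities (present on Linux 4.15 and later) and the loaded microcode revision from /proc/cpuinfo. The directory and file paths are parameters so the functions can be run against real or sample input; make_sample builds a constructed sample imitating an unpatched Core 2 era box, and its values (status strings, model name, revision 0xa0b) are invented for the demonstration, not real output.

```shell
#!/bin/sh
# Added example: report the kernel's view of Spectre/Meltdown mitigation
# status and the running microcode revision. Not from the article.

# Print "<name>: <status>" for every file in the vulnerabilities directory $1
# (default: the real sysfs path). Returns 1 if the directory is missing,
# which on an old kernel means the status is simply unknown, not "safe".
report_vulns() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    if [ ! -d "$dir" ]; then
        echo "no vulnerabilities directory at $dir (kernel older than 4.15?)"
        return 1
    fi
    for f in "$dir"/*; do
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Return 0 if the spectre_v2 file in directory $1 reports a mitigation,
# 1 if it is missing or reports the CPU as vulnerable. Kernel status strings
# begin with "Mitigation:", "Vulnerable" or "Not affected".
spectre_v2_mitigated() {
    f=${1:-/sys/devices/system/cpu/vulnerabilities}/spectre_v2
    [ -r "$f" ] || return 1
    case "$(cat "$f")" in
        Mitigation:*|"Not affected") return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the microcode revision ("microcode\t: 0x...") from a cpuinfo file
# ($1, default /proc/cpuinfo). Only the first CPU's line is printed.
microcode_rev() {
    awk -F': ' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Build a constructed sample directory (invented values, not real output)
# that mimics an unpatched Core 2 era machine, and print its path.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/vulnerabilities"
    echo "Mitigation: PTI" > "$d/vulnerabilities/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/vulnerabilities/spectre_v1"
    echo "Vulnerable: no microcode" > "$d/vulnerabilities/spectre_v2"
    printf 'processor\t: 0\nmodel name\t: Intel(R) Core(TM)2 Duo CPU E8400\nmicrocode\t: 0xa0b\n' \
        > "$d/cpuinfo"
    echo "$d"
}

# Demo against the constructed sample when invoked as: DEMO=1 sh spectre_check.sh
# Run the functions with no arguments to query the live system instead.
if [ "${DEMO:-0}" = 1 ]; then
    s=$(make_sample)
    report_vulns "$s/vulnerabilities"
    echo "microcode revision: $(microcode_rev "$s/cpuinfo")"
    if spectre_v2_mitigated "$s/vulnerabilities"; then
        echo "spectre_v2: mitigated"
    else
        echo "spectre_v2: NOT mitigated"
    fi
    rm -rf "$s"
fi
```

Note that a "Mitigation:" line for spectre_v2 only tells you the kernel found something to use; whether that was a firmware microcode update or an early-loaded one from the OS is visible in the microcode revision, which is the value to compare against the revision listed for your CPU in Intel's guidance.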
#22
Raevenlord
News Editor
Assimilator said:
@Raevenlord You could at least link to Intel's page regarding this: https://newsroom.intel.com/microcode
Did you actually look at the source links that are on the piece, or just chose to skip them?

Edit1: In case you were only looking through Forum view, look at the piece through the main news interface, and you'll see the links and sources.
#23
Ubersonic
windwhirl said:
Not surprising they are not supporting Core 2-era and older processors, nor some of the early Core i series. In fact, I can't really disagree with it. They are old products (most of them 10 years old or more).
Age is irrelevant.

They sold the CPUs, the CPUs are still in widespread use, the CPUs have a design flaw that needs correcting.

Intel are basically giving AMD free marketing here lol.
#24
TheinsanegamerN
trparky said:
To those who say that they are upset about Intel not supporting these older chips I have to ask... at what point do you have to cut off support? Five years of support is really generous in terms of both hardware and software support. If you get ten years? Great! You were extremely lucky but like with any trip to the casino, your luck will eventually run out.
The 2004 Ford Ranger is 15 years old, yet Ford still recalled them to replace airbags. Putting a bit of code into a Windows update doesn't require nearly as much work. What excuse does Intel have other than trying to squeeze more money out of people and being lazy?

Processors are not operating systems. If there is a hardware vulnerability, it needs to be patched. Especially for things like the Core 2, which is still widely used and represents a large attack surface.

Not everyone is on the "replace hardware every 2 years" train. 5 years should be the bare MINIMUM for support of any kind, 10 years is getting closer. There is just no need to stop supporting old hardware when it still works.
#25
trparky
TheinsanegamerN said:
The 2004 Ford Ranger is 15 years old, yet Ford still recalled them to replace airbags.
Yes, but a car tends to cost a hell of a lot more than a computer.
TheinsanegamerN said:
5 years should be the bare MINIMUM for support of any kind, 10 years is getting closer.
I agree on the five years part, but ten years? Oh come now, that's pushing it. Cheap computers can be had for really cheap these days. I live in the United States, so a quick trip to say... Walmart will get you not the greatest system, but it will at least get you upgraded to something newer than a Core 2 Duo, which if you ask me is a wonder it still works for today's demanding Internet. Going to CNN or Fox News alone will bring that Core 2 Duo to its knees considering just how much crap is loaded on those sites. And YouTube? Good luck with that. You're gonna need it. Facebook? That site will positively put the knife into that Core 2 Duo system.