Intel Stops Development, Deployment of Spectre Microcode Update for Several CPU Families

[Raevenlord]

Intel on their latest Microcode Revision Guidance Guide has apparently stopped development of mitigations for some of its processor families that still haven't been updated to combat the threat of Spectre. The odyssey for the return to form of security on Intel products has been a steep, and a slow one, as the company has struggled to deploy mitigations for speculative code execution on its processor families that run it. Updates for some families of products, however - such as Penryn, Wolfdale, Bloomfield and Yorkfield, among others - are apparently not going to get an update at all.





The state on the "Production Status" for mitigations for these families has been updated from their "Planning" or "Pre-Beta" state that can be found on Intel's March 6th 2018 Microcode Revision Guidance Guide, to a new, previously unseen "Stopped" state in their latest version of the Guide, published on April 2nd.



The reasons for this "Stopped" state, as Intel puts it, are that "After a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products for one or more reasons including, but not limited to the following: a) Micro - architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE - 2017 - 5715 ); b) Limited Commercially Available System Software support; c) Based on customer inputs, most of these products are implemented as "closed systems" and therefore are expected to have a lower likelihood of exposure to these vulnerabilities."

If any one system with this vulnerability does get exploited via a method that could be averted by the implementation of a now "Stopped" patch, though, Intel should start reeling in those lawyers back into the fold.

View at TechPowerUp Main Site

 

[ikeke]

From pentest perspective this is quite interesting.

So legacy systems inside network are most likely unpatched and I find legacy systems to be the most apparent attack vector. Right after marketing, ofcourse

 

[RejZoR]

What this means is that Intel evaluated that companies or businesses still using these "old" processors will most likely upgrade to their newer "secure" processors. Why spend money making security if others can spend money buying your newer products. Win win for Intel.

 

[HD64G]

Anticustomer practise applied again by Intel as usual. But since most buy their products after all those years of them behaving like this, ehy should they change their stance? They were forced to make 6 core cpus for the masses and lower their cpu prices ONLY after Ryzen came to market after all.

 

[windwhirl]

Not surprising they are not supporting Core 2-era and older processors, nor some of the early Core i series. In fact, I can't really disagree with it. They are old products (most of them 10 years old or more). It makes sense, since someone keeping those systems running does it mostly for compatibility issues with newer hardware or software, not for security reasons.

 

[Easo]

I was surprised when those were actually on the list first. But yeah, this is both understandable (10+ years old CPUs are... old and not exactly commong anymore) and despicable.

 

[_JP_]

Me (+ a lot of other people):

Not surprising they are not supporting Core 2-era and older processors, nor some of the early Core i series. In fact, I can't really disagree with it. They are old products (most of them 10 years old or more). It makes sense, since someone keeping those systems running does it mostly for compatibility issues with newer hardware or software, not for security reasons.

I have several Core 2 Duo machines running daily at home some 1st gen Core i at work. Not for compatibility reasons, but because they just work fine. I'm not into being pushed for an upgrade in this way.

 

[trparky]

What this means is that Intel evaluated that companies or businesses still using these "old" processors will most likely upgrade to their newer "secure" processors. Why spend money making security if others can spend money buying your newer products. Win win for Intel.

Not surprising they are not supporting Core 2-era and older processors, nor some of the early Core i series. In fact, I can't really disagree with it. They are old products (most of them 10 years old or more). It makes sense, since someone keeping those systems running does it mostly for compatibility issues with newer hardware or software, not for security reasons.

To those who say that they are upset about Intel not supporting these older chips I have to ask... at what point do you have to cut off support? Five years of support is really generous in terms of both hardware and software support. If you get ten years? Great! You were extremely lucky but like with any trip to the casino, your luck will eventually run out.

 

[RejZoR]

One thing is general support, something else is rare exceptions like this one. And when a vulnerability is reaching so far in the past, shit needs to be fixed. At least Nehalem should still be supported since this is the oldest HEDT that still matters. Core 2 can be skipped though.

 

[Gasaraki]

I'm actually surprised that they even looked at these processors. Some of these are 10+ years old. I'm using an early Xeon but I'm not complaining. This is realistic.

 

[R-T-B]

Where's Westmere in this? I have one such system somewhere...

 

[windwhirl]

Where's Westmere in this? I have one such system somewhere...

Page 16. Westmere EX & Westmere EP. Production

 

[Assimilator]

@Raevenlord You could at least link to Intel's page regarding this: https://newsroom.intel.com/microcode

Where's Westmere in this? I have one such system somewhere...

The server (Westmere-EP, Westmere-EX, Westmere-WS) and laptop (Arrandale) parts do have patches available. The remaining members of that family are outta luck.

 

[Captain_Tom]

What this means is that Intel evaluated that companies or businesses still using these "old" processors will most likely upgrade to their newer "secure" processors. Why spend money making security if others can spend money buying your newer products?

The greater question is: Why would anyone upgrade to Intel after finding out they have been using insecure hardware for years, and AMD's product line was secure the entire time?

 

[R-T-B]

The greater question is: Why would anyone upgrade to Intel after finding out they have been using insecure hardware for years, and AMD's product line was secure the entire time?

Performance? Fitness for application? Many reasons beyond one rogue security exploit which also had fallout on the AMD side with Spectre?

 

[windwhirl]

The greater question is: Why would anyone upgrade to Intel after finding out they have been using insecure hardware for years, and AMD's product line was secure the entire time?

Nothing is secure by nature. The only thing that happened here is that we found out a vulnerability that works on almost all processors made in the last 15 or 20 years.
Made worse by insider trading and the fact that Intel knew about these issues before they launched Coffee Lake.

 

[Hood]

My Haswell 4790K was not covered by any patch that I know of (other than the Microsoft KB4056892 patch for Meltdown). Asus didn't release new firmware for any Z97 boards, and apparently don't have any plan to going forward. So a lot of fairly new systems are still vulnerable to Spectre. I quote from this post on the ROG forum -
"I have i7 4790k @ 4.5Ghz and ASUS Z97 Maximus Vii Hero. I called ASUS customer support last week, and the customer supporter said they are not sure if the Z97 board will get new BIOS update for Spectre vulnerability and possibility no more BIOS update because my board and other ASUS Z97 boards are not in production anymore. But if ASUS released BIOS update for the X99 boards, than how come not Z97 board as well? Both chip support 4th and 5th gen CPU."
Asus is the top motherboard supplier in the world, so if they don't patch, I'm guessing no others will go further back than Skylake. Their list of laptops and pre-built machines that received BIOS updates only seems to cover Kaby Lake systems. https://www.asus.com/News/YQ3Cr4OYKdZTwnQK

 

[RejZoR]

The greater question is: Why would anyone upgrade to Intel after finding out they have been using insecure hardware for years, and AMD's product line was secure the entire time?

Why would anyone buy slow and ridiculously hot Prescott processors? Well, there's your answer. People are generally dumb. And those who are Intel fanatics think there is nothing better out there and they'll just buy Intel again even if it's the worst crap out there, just because it's Intel. Yeah, I'll never understand them either.

 

[trparky]

My Haswell 4790K was not covered by any patch that I know of (other than the Microsoft KB4056892 patch for Meltdown).

Theoretically speaking, as long as Intel releases the microcode update and Microsoft gets it your system will receive the microcode update regardless of whether or not your motherboard manufacturer creates an updated UEFI. Windows will simply load the microcode update at kernel initialization time.

 

[eidairaman1]

Nothing is secure by nature. The only thing that happened here is that we found out a vulnerability that works on almost all processors made in the last 15 or 20 years.
Made worse by insider trading and the fact that Intel knew about these issues before they launched Coffee Lake.

Yup the issue is them knowing about it and never fixing it in the first place...

 

[Hood]

Theoretically speaking, as long as Intel releases the microcode update and Microsoft gets it your system will receive the microcode update regardless of whether or not your motherboard manufacturer creates an updated UEFI. Windows will simply load the microcode update at kernel initialization time.

The MS patch covers Meltdown, but not Spectre. Confirmed by running InSpectre.exe from here - https://www.grc.com/inspectre.htm.

 

[trparky]

The MS patch covers Meltdown, but not Spectre.

Yes, I understand that but that's because the microcode update for anything but 6th generation and newer hasn't been released yet. When Intel does, Microsoft will get it and all Windows systems will get it.

 

[Raevenlord]

@Raevenlord You could at least link to Intel's page regarding this: https://newsroom.intel.com/microcode

Did you actually look at the source links that are on the piece, or just chose to skip them?

Edit1: In case you were only looking through Forum view, look at the piece through the main news interface, and you'll see the links and sources.

 

[Ubersonic]

Not surprising they are not supporting Core 2-era and older processors, nor some of the early Core i series. In fact, I can't really disagree with it. They are old products (most of them 10 years old or more).

Age is irrelevant.

They sold the CPUs, the CPUs are still in widespread use, the CPUs have a design flaw that needs correcting.

Intel are basically giving AMD free marketing here lol.

 

[TheinsanegamerN]

To those who say that they are upset about Intel not supporting these older chips I have to ask... at what point do you have to cut off support? Five years of support is really generous in terms of both hardware and software support. If you get ten years? Great! You were extremely lucky but like with any trip to the casino, your luck will eventually run out.

The 2004 ford ranger is 15 years old, yet ford still recalled them to replace airbags. Putting a bit of code into a windows update doesn't require nearly as much work. What excuse does intel have other then trying to squeeze more money out of people and being lazy?

Processors are not operating systems. If there is a hardware vulnerability, it needs to be patched. Especially for things like the core 2, which is still widely used and represents a large attack surface.

Not everyone is on the "replace hardware every 2 years' train. 5 years should be the bare MINIMUM for support of any kind, 10 years is getting closer. There is just no need to stop supporting old hardware when it still works.