Intel's Spectre Patch Rollout Will Skip Some Processors
Intel's microcode guidance publication for April indicates that the company isn't planning to release microcode updates for some of its processors to mitigate Spectre attack methods.
Researchers first disclosed Spectre back in January as one of two attack methods affecting most processors. The computer industry as a whole has been collaborating to issue both microcode and operating system updates to address the vulnerabilities.
Last month, Intel CEO Brian Krzanich claimed that Intel had "released microcode updates for 100 percent of Intel products launched in the past five years" to ward off Spectre and Meltdown attacks.
Intel has now changed its plans somewhat. The notice is tucked away in its "Microcode Revision Guidance" document, dated April 2 (PDF). Intel has stopped working on microcode updates for the following processors (typically Intel Core or Intel Xeon chips), as listed by their code names:
- Jasper Forest
- SoFIA 3G-R
The release dates for these processors, as listed by code name, are shown in this Intel table.
The explanation for the stopped work is located in the guidance document's "legend." Intel claims to have come to its decision "after a comprehensive investigation" of the products' capabilities.
There are three possible reasons why no microcode will be released for these processors, according to Intel:
- Micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715)
- Limited Commercially Available System Software support
- Based on customer inputs, most of these products are implemented as "closed systems" and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.
The "Variant 2" reference is to one of two Spectre attack methods, and Intel is suggesting that it doesn't have a practical fix for it on these chips. For organizations, that announcement likely means that replacing these chips could be the only assurance of security. Spectre, though, is thought to be a difficult attack to pull off. The researchers who discovered the Spectre and Meltdown attack methods had indicated that they weren't aware of active attacks using those methods, but that claim was made back in January.
Intel's reference to limited software support perhaps suggests that partners aren't collaborating on issuing updated drivers for these chips. The microcode is supposed to be tested first by Intel's OEM partners before public release, and perhaps that's not happening for these chips.
Lastly, Intel seems to be suggesting that these chips aren't used in systems connected to the Internet. Typically, malware needs to get added to a system before the Spectre and Meltdown attacks can be executed. While such malware might get installed through an Internet connection, it obviously can be physically installed on a system, too.
The change in Intel's guidance was noticed last week in an article by Threatpost, a site that focuses on security issues. An Intel spokesperson told Threatpost that it wasn't providing microcode updates for "older platforms" because of "limited ecosystem support and customer feedback."
The older platform claim may be generally true, although one chip that won't get a firmware update, code-named "SoFIA 3G-R," was first released back in Q4 2016.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.