Leading chip-maker Intel, which is under fire for flaws in processor design that rendered millions of computer and mobile devices vulnerable to security threats like Spectre and Meltdown, the company has issued a new updated Microcode Revision Guidance (MRG) report with a list of chipsets, which won't get security software patch.
In the new update, Intel has admitted that it won't be able to fix the Spectre v2 flaw in as many as 230 older chipset variants used in thousands of branded computers across the world.
Why Intel won't patch the bug in those processors anymore?
Based on an internal study and customer feedback, Intel has decided to stop releasing the microcodes to patch the security loopholes in devices [listed below] due to the following factors.
- Flawed micro-architectural characteristics in some chips prohibit any practical implementation of features to mitigate the Variant 2 (CVE-2017-5715) of the Spectre vulnerability
- Limited commercially available system software support
- Based on customer inputs, most of these products are implemented as "closed systems" and therefore are less likely to be exposed to these vulnerabilities
"We've now completed release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google. However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback," Intel spokesperson said to International Business Times, India Edition.
On the bright side, the impact of the Intel's move will be very limited, as affected devices were manufactured and sold between 2007 and 2011, and some might not even be in use right now.
Also, Intel is very much committed to fix devices (more than 9 years old) affected by Spectre and Meltdown vulnerabilities. It has promised to update its MRG report with support details for more devices soon.
List of Intel chips not eligible for software patch for Spectre v2 vulnerabilities:
|Products name||Public name||CPU-ID||Platform ID||Prodcution status||PreMitigation Production MCU|
|Bloomfield||Intel® Xeon® Processor W3520, W3530, W3540, W3550, W3565, W3570, W3580||106A5||03||Stopped||0x1B|
|Harpertown Xeon C0||
|Harpertown Xeon E0||
|SoFIA 3GR||Intel® Atom® Processor x3-C3200RK, x3-C3230RK||506D1||02||Stopped||------|
|Wolfdale C0, M0 I||Intel® Core™ 2 Duo Processor E7200, E7300, E8190, E8200, E8300, E8400, E8500||10676||91||Stopped||0x612|
|Wolfdale E0, R0||
|Wolfdale Xeon C0||Intel® Xeon® Processor E3110, E5205, E5220, L5240, X5260, X5272||10676||04||Stopped||0x612|
|Wolfdale Xeon E0||Intel® Xeon® Processor E3110, E3120, E5205, E5220, L3110, L5215, L5240, X5260, X5270, X5272||1067A||44||Stopped||0xA0E|
|Yorkfield Xeon||Intel® Xeon® Processor L3360, X3320, X3330, X3350, X3360, X3370, X3380||10677||10||Stopped||0x70D|
For more information on chipsets eligible for Intel security updates, check here.
Here's how Spectre and Meltdown bugs make devices vulnerable
In January 2018, cybersecurity experts of Google Project Zero team discovered two deadly vulnerabilities—Spectre and Meltdown—in computers and mobile devices powered by Intel, AMD, ARM Holdings and other chipsets.
The Spectre and Meltdown take advantage of "speculative execution," a technique used by almost all modern processors (CPUs) to optimize performance.
For those unaware, the CPU, in its bid to increase the performance, predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.
The Meltdown and Spectre exploitation techniques abuse speculative execution to access privileged memory such as passwords, encryption keys, or sensitive information, including that of the kernel—from a less-privileged user process such as a malicious app running on a device.
Tests conducted by Google Project Zero research team, also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.
As of now, most of the computer makers Microsoft, Apple, and others -- in association with chip-makers Intel, AMD and ARM Holdings-- have released the software patch for most of their products.
Stay tuned. Follow us @IBTimesIN_Tech on Twitter for the latest news on cybersecurity.