News

Intel Drops Some Processors from Spectre Patch Rollout

• By Kurt Mackie
• April 04, 2018

Not all Intel processors will receive microcode updates that would protect them against Spectre-based attacks, according to a new document from the chip maker.

Spectre, which affects most processors, was one of two attack methods disclosed by security researchers in January. Since then, the computer industry as a whole has been collaborating to issue both microcode and operating system updates to address the vulnerabilities.

Last month, Intel CEO Brian Krzanich claimed that Intel had "released microcode updates for 100 percent of Intel products launched in the past five years" to ward off Spectre and Meltdown attacks.

Intel has now changed its plans somewhat. The notice is tucked away in its "Microcode Revision Guidance" document, dated April 2 (PDF). Intel has stopped working on microcode updates for the following processors (typically Intel Core or Intel Xeon chips), as listed by their code names:

• Bloomfield
• Clarksfield
• Gulftown
• Harpertown
• Jasper Forest
• Penryn/QC
• SoFIA 3G-R
• Wolfdale
• Yorkfield

The release dates for these processors, as listed by code name, are shown in this Intel table.

The explanation for the stopped work is located in the guidance document's "legend." Intel claims to have come to its decision "after a comprehensive investigation" of the products' capabilities.

There are three possible reasons why no microcode will be released for these processors, according to Intel:

• Micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715)
• Limited Commercially Available System Software support
• Based on customer inputs, most of these products are implemented as "closed systems" and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.

The "Variant 2" reference is to one of two Spectre attack methods, and Intel is suggesting that it doesn't have a practical fix for it on these chips. For organizations, that announcement likely means that replacing these chips could be the only assurance of security. Spectre, though, is thought to be a difficult attack to pull off. The researchers who discovered the Spectre and Meltdown attack methods had indicated that they weren't aware of active attacks using those methods, but that claim was made back in January.

Intel's reference to limited software support perhaps suggests that partners aren't collaborating on issuing updated drivers for these chips. The microcode is supposed to be tested first by Intel's OEM partners before public release, and perhaps that's not happening for these chips.

Lastly, Intel seems to be suggesting that these chips aren't used in systems connected to the Internet. Typically, malware needs to get added to a system before the Spectre and Meltdown attacks can be executed. While such malware might get installed through an Internet connection, it obviously can be physically installed on a system, too.

The change in Intel's guidance was noticed this week in an article by Threat Post, a site that focuses on security issues. An Intel spokesperson told Threat Post that it wasn't providing microcode updates for "older platforms" because of "limited ecosystem support and customer feedback."

The older platform claim may be generally true, although one chip that won't get a firmware update, code-named "SoFIA 3G-R," was first released back in Q4 2016.