Only newer systems will get Intel firmware updates for Spectre chip flaw

Intel has said it will not issue patches to fix the Spectre vulnerability on 16 of its older processors.

Its decision is unlikely to affect mainstream systems, but users running older hardware or those using the non-patched processors in embedded hardware may find their systems remain open to attack.

In an update to its Microcode revision guidance document, published on 3 April, the company said: “After a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined not to release microcode updates for these products.”

Affected processors include Bloomfield Core i7 and Xeon chips, Clarksfield i7, Gulftown i7 and Xeon chips, the Penryn family and Harpentown Xeon server chips.

The company said the microarchitectural characteristics of some of these processors preclude the practical implementation of a patch.

It claimed some of the processors were not commercially supported by system software. “Based on customer inputs, most of these products are implemented as ‘closed systems’ and therefore are expected to have a lower likelihood of exposure to these vulnerabilities,” said Intel.

Ondrej Kubovic, security awareness specialist at ESET, said Intel’s decision should only affect processors that are more than five years old. “We can only hope this will give Intel more space to concentrate on patching systems that are still widely used, and that only isolated and sparsely used systems will be left out of the patching loop.”

But just because a processor is considered old by the manufacturer, it may still be operational and running business-critical applications. The Windows operating system is limited to modern processors, but the Linux kernel can be compiled to run on older processor architectures. The availability of older Linux distributions means it is easy to run such systems, particularly for legacy applications.

Kubovic added: “These [processor] flaws enable attackers to harvest information, not to modify them. Therefore, if the system contains no personal or sensitive data, or is used for other purposes but not for browsing, it should be relatively secure. Also, users can improve their security by applying Meltdown and Spectre patches issued by the operating system, browser and other software developers.

“Of course, the safest thing to do is to replace the vulnerable hardware for newer non-vulnerable components. In case hardware replacement or patching is not possible, users can also airgap their system to stay out of an attacker’s reach.”

Processor firmware patching has been far from satisfactory. Intel released, then withdrew, patches and Microsoft’s patch opened up more vulnerabilities, according to security researcher Ulf Frisk. In a post on 27 March describing Total Metdown, an exploit he discovered in the Microsoft patch for Windows 7 and Windows Server 2008, Frisk wrote: “It stopped Meltdown but opened up a vulnerability way worse. It allowed any process to read the complete memory contents at gigabytes per second, oh – it was possible to write to arbitrary memory as well.”

Allan Liska, senior solutions architect at Recorded Future, said: “Total Meltdown, as it is being called, is a serious bug in Windows 7 and Windows 2008 that was introduced when Microsoft rushed to patch the Spectre and Meltdown vulnerabilities. The vulnerability gives any user on a system read/write access to all processes running on that system, irrespective of who the process owner is. This is an unfortunate side-effect of rushing to issue patches for complex software systems – the potential to introduce new vulnerabilities.”

While Intel, Microsoft and hardware manufacturers are obliged to continue to patch supported products, Intel’s decision not to patch legacy processors leaves older systems vulnerable to attack. Such systems may not be running in business systems or home computers, but embedded in the internet of things (IoT) devices.

Oded Comay, chief technology officer at ForeScout, said: “Even when a known vulnerability exists in a component, it can’t be fixed easily due to other considerations. In fact, a CPU vulnerability typically requires hardware changes to be fixed completely.

“We need to think differently about mitigating the risk these vulnerabilities pose to the organisation. Network segmentation comes to mind as a major technology that can help reduce the risk in many situations involving network attached devices.”

The challenge for the industry is that IoT devices with non-patched processors may be deployed across smart cities to control street lighting or traffic, embedded in industrial control systems or within smart devices in people’s homes, or even inside their home Wi-Fi router.

Some may run on dedicated networks, but many will use the public internet for low-cost connectivity. As such, securing the network may not be entirely feasible and replacement of the devices will often be impractical.