
So since Intel have now confirmed that they are unwilling to fix items that were faulty at time of sale, then compensation/replacement with a working item seems to be in order.
Intel has issued fresh "microcode revision guidance" that reveals it won’t address the Meltdown and Spectre design flaws in all of its vulnerable processors – in some cases because it's too tricky to remove the Spectre v2 class of vulnerabilities. The new guidance, issued April 2, adds a “stopped” status to Intel’s “production …
Yep, exactly! And for those of us that kept those CPUs specifically because the ME could be disabled, Intel should need to either provide replacement ME-free CPUs or fund the full cost of replacing their broken CPU with something that is ME/PSP free and in a similar performance class.
Or, you know, just release their microcode signing keys and source, then let us have at fixing it....
Depends on the definition of faulty I suppose.
Car analogies are always a good bet on a downvote, but let's say a car maker were hauled over the coals for using glass in their windows. That glass can be smashed and used to gain access to the car and have a good rummage around the glove box.
Would the manufacturer be liable in the same way? After all, the window served its purpose just fine until someone decided to unearth the hidden weakness in it, much like these CPU bugs.
Still, common sense has no place in the US legal system.
It's a non-obvious vulnerability that comes about because of fundamental features of how the chips work.
So I'd say it's like suing a car company over carjackings, because they made cars that had to stop at traffic lights.
Another way to get a lot of down votes is to point out 2nd and 3rd order effects people don't want to hear.
Sure, Intel can put a lot of resources into fixing 8+ year old chips, which are probably used by less than 3% of the market... but doing so will likely stop Intel from providing good raises or other benefits for its employees, and/or raise the cost of the next computer you purchase by a couple of hundred dollars.
As security professionals, you should all understand and identify risk management based decisions; and be intelligent enough to understand it. This is done by all corporations all the time. Including the one you work for.
Sure, Intel can put a lot of resources into fixing 8+ year old chips, which are probably used by less than 3% of the market... but doing so will likely stop Intel from providing good raises or other benefits for its employees,
And?
and/or raise the cost of the next computer you purchase by a couple of hundred dollars.
You think that releasing a microcode update for each of the "wontfix" CPUs on the list (the ones they promised had fixes incoming) is going to add that much the cost of my next computer? How do you figure that?
The last computer I bought (Dec 2017) cost less than a couple hundred dollars as it was, but even if it was a high-end desktop instead of a Chromebook-spec Windows laptop (well, used to be a Windows laptop), that figure is still pretty ridiculous. Microcode updates are a regular part of development for a given CPU; mine have received several over the course of their lives, as OS updates.
You think issuing just one more microcode update for a CPU that has already had several over its lifetime is going to cost that much?
Also, why would Intel's difficulties have anything to do with the cost of an AMD system? 'Cause, fsck Intel if they're not going to stand behind their products OR keep their word.
"Sure, Intel can put a lot of resources into fixing 8+ year old chips, which are probably used by less than 3% of the market... but doing so will likely stop Intel from providing good raises or other benefits for its employees"
Yeah, right, this is just like how all the companies immediately gave their employees raises and created new jobs when the Trump tax cuts for the rich and corporations went through. It didn't happen. They did stock buy back instead.
Struggling for a good car analogy because most things that fail can be fixed/replaced with new or recycled parts.
However let us invent some metal fatigue problem which has a potential to cause a chassis failure in cars over 10 years old which could only be rectified by a new body shell.
How likely is it that the manufacturer would (as some commentards seem to be suggesting) provide a brand new body shell (from a non-existent production line right back to the steel maker) or failing that a brand new car?
Consumer law is unlikely to try and enforce this because the vehicle has lasted a reasonable time. Any compensation would probably be limited to the current trade in value (prior to the discovery of the fault).
So what is the street value of a mid specification Core 2 Duo (or quad) system? That is, processor, memory and motherboard?
If Intel really cared they might do a scrappage deal where if you handed in a motherboard, processor and memory then you would get say 50 UKP off a brand new configuration. Or hand in a complete laptop and get similar off a brand new one.
Restarting a production line for old chips with a different silicon density and different leg count so you can replace chips like for like - that is, several generations where the pin numbers and locations have been deliberately changed to force you to buy a new motherboard with a different socket - is obviously not feasible. What happens to old silicon foundries anyway, when the next generation of fabrication hardware is installed?
Free replacement isn't going to happen for reasons above (plus probably many others) and a scrappage scheme to get you to buy the latest i9 is in effect rewarding Intel for designing vulnerable processors.
If you bought a retail boxed CPU on its own, perhaps. I would bet money 99.999% of people however opted for the substantially cheaper OEM tray part and have no course of action at all; they waived that at time of purchase of the system builder part.
Actually, most of the CPUs I've bought new from retailers have been the retail version - they're practically the same cost and come with a cooler that's guaranteed to work (if perhaps not to be the most effective option).
My latest CPUs were second hand, though, as buying new Xeons is more than a little expensive for a non business user..
My latest CPUs were second hand, though, as buying new Xeons is more than a little expensive for a non business user..
Actually, ALL my CPUs these days are second-hand, because I haven't bought a NEW computer in years (most are scavenged systems, or handoffs when MSWin "advanced" to the point they were unusable for the standard home user). They run Linux just fine.
"oldies that went on sale between 2007 and 2011, so it is likely few remain in normal use."
Ah good, so my i7-920 is covered then? Oh, wait... Bugger.
That should teach me for buying a CPU from a reputable vendor such as Intel, 'cause AMD supposedly was much worse at this lark.
> Dammit, I still have i7-920's in use. Fortunately, not on the public interwebs though. And now I'd better make sure they never are.
Fuck. Just checked, and my main gaming rig is on the list too. It's an Intel Core2 Extreme X9650. It does absolutely fine for the stuff I use, and there's no damn way it's "too slow", etc.
Intel, you'd better think again. You screw this up, it's on you to fix it.
The odds of Spectre causing a major security problem for a gaming rig are probably low. A far more likely scenario is an accidental backdoor in one of the games you play, or an intentional backdoor in a sketchy mod you install. If you want to be careful, do your banking on another system.
"oldies that went on sale between 2007 and 2011, so it is likely few remain in normal use."
Yeah, I was thinking about that line too... you know how we keep hearing about the tragic decline in PC sales? The reason is that the end of Moore's Law (such that it has been called) means that older kit stays usable much longer, and people are using it much longer. I certainly am, and I know several others running gear old enough to be on Intel's "wontfix" list. I think you might be surprised at how much old computer equipment is still in use-- and why not? For most computing tasks, older gear is still very usable today. We've reached a point that a great many people only replace PC gear when it stops working, not because it's too slow... they're like toasters or other commoditized items. If it works, keep using it until it doesn't.
It's purely anecdotal, but I pay attention to what gear people run when in discussion forums, whether it is pertinent to the thread at hand or just something listed in a signature file, and there is a LOT of old gear still being used today, including for web browsing (the most likely vector for most people to be affected by Spectre, via JavaScript).
It's purely anecdotal, but I pay attention to what gear people run when in discussion forums, whether it is pertinent to the thread at hand or just something listed in a signature file
Maybe El Reg could approach Steam to see if they would allow access to their system spec sheet, as all of their players can load up their specs, and as a quick check, I can't think of anyone else of equivalent size who may have similar data sets.
And almost all, if not all, of that kit will not be in use in such an environment where any of this matters.
None of it matters for any PC anywhere as long as the threat remains theoretical, but it remains to be seen if it will. My C2D Penryn laptop is assuredly in an environment where this could matter, browsing the web and what not...
Plenty of 2007-2011 CPUs still in use; my daughter's system runs a Harpertown Xeon, and it doesn't lack anything against a current system for anything except modern, high end games and 4K video.
Equally, my parents still run a Core2 Duo E4xxx, although TBF, that is slower than a 3 legged tortoise.
In fact, only one PC in the family runs a CPU built after that date - and that is an AMD CPU anyway.
Sooo.... If this is a real thing, you might want to run. AMD brought in a VP from Apple to drive the infrastructure needed for the K7 (Athlon). He had 0 appreciation for component validation. After 18 months, the director of validation (who had built the validation team at AMD) quit. So yeah, I don't think I would be in a hurry to buy Apple-designed CPUs. (Bitter? Me?)
Quite a few of those processors in use. I still have a Yorkfield Core 2 Quad (Q8200) in my HTPC so certainly not a "Closed System". With 4 GB RAM, AMD HD7750 GPU and a Mint install it is still serviceable. Am I supposed to retire a perfectly adequate machine just because Intel can't be bothered to fix a security flaw in their chips?
I have a Dell OptiPlex 760 desktop from around 2007 which, after ditching the Vista install and bumping up the RAM to 4GB, can happily run Linux Mint Mate and is used daily when working from home for office and internet tasks.
I have never been an Intel fan, perhaps because I grew up with Commodore computers (C64 then Amiga) and my first home built PC had an AMD K6. But this makes me even more determined not to give Intel any more money either direct or indirect by buying a system with an Intel CPU from a PC manufacturer.
This is typical Intel - "support? No, we don't care about anything that might cost us money. Besides, that part should have been replaced by now."
Also, anyone else noticed there's a lot of Xeons here? I'm wondering how many are in use in corporate servers. Or even government - replacement cycles in government tend to be longer than the private sector because if they're not the press start screaming about "taxpayer's money"...
"Also, anyone else noticed there's a lot of Xeons here? I'm wondering how many are in use in corporate servers. "
Went out shopping with my wife today. In Matalan I saw a 14" Dell CRT screen behind the checkout counter. No idea what it was plugged into though. It does make me wonder what state the rest of their IT kit is in.
Search for your CPU here https://ark.intel.com/search?q=
(it's not entirely accurate, despite being Intel, but is good enough).
Look up the product family in this document:
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf
Patches are supplied as part of your operating system, so just apply the latest patches. For Unix based systems, upgrade to the latest patched release.
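A small helper for the lookup described above, added here as an example and not part of the original post: it turns the decimal family/model/stepping values Linux reports in /proc/cpuinfo into the hexadecimal CPUID signature (such as 306A9) that Intel's guidance PDF is keyed by, and on a live system also prints the loaded microcode revision and the kernel's own vulnerability verdicts. The /proc and /sys paths are standard Linux; the sample cpuinfo block and its microcode value are constructed.

```shell
#!/bin/sh
# Build the CPUID signature Intel's guidance uses (e.g. 306A9) from the
# decimal "cpu family", "model" and "stepping" values in /proc/cpuinfo.
# Bit layout: ext_family<<20 | ext_model<<16 | family<<8 | model<<4 | stepping
cpuid_sig() {
    family=$1; model=$2; stepping=$3
    # Families above 0xF carry the remainder in the extended family field.
    if [ "$family" -ge 15 ]; then
        ext_family=$((family - 15)); base_family=15
    else
        ext_family=0; base_family=$family
    fi
    # Only families 6 and 15 use the extended model nibble.
    if [ "$base_family" -eq 6 ] || [ "$base_family" -eq 15 ]; then
        ext_model=$((model >> 4)); base_model=$((model & 15))
    else
        ext_model=0; base_model=$model
    fi
    sig=$(( (ext_family << 20) | (ext_model << 16) | (base_family << 8) | (base_model << 4) | stepping ))
    printf '%X\n' "$sig"
}

# Read a /proc/cpuinfo-style text on stdin and print "SIGNATURE MICROCODE"
# for the first processor block. Prints "not-intel" and fails otherwise.
sig_from_cpuinfo() {
    awk '
        BEGIN { FS = "[ \t]*:[ \t]*" }
        $1 == "vendor_id"  { vendor = $2 }
        $1 == "cpu family" { fam = $2 }
        $1 == "model"      { mod = $2 }     # "model name" does not match
        $1 == "stepping"   { step = $2 }
        $1 == "microcode"  { ucode = $2 }
        /^$/ && fam != ""  { exit }         # stop after the first block
        END { print vendor, fam, mod, step, ucode }
    ' | {
        read -r vendor fam mod step ucode
        [ "$vendor" = "GenuineIntel" ] || { echo "not-intel"; exit 1; }
        echo "$(cpuid_sig "$fam" "$mod" "$step") ${ucode:-unknown}"
    }
}

# Constructed sample mimicking /proc/cpuinfo for the Ivy Bridge 2127U
# mentioned in the thread; the microcode revision 0x1f is made up.
sample_cpuinfo() {
    printf 'processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\n'
    printf 'model\t\t: 58\nmodel name\t: Intel(R) Celeron(R) CPU 2127U\n'
    printf 'stepping\t: 9\nmicrocode\t: 0x1f\n\nprocessor\t: 1\n'
}

# Live check: signature to look up in the PDF, loaded microcode, and the
# kernel's own assessment (sysfs entries exist on Linux 4.15 and later).
report_local_cpu() {
    sig_from_cpuinfo < /proc/cpuinfo || return 1
    for f in /sys/devices/system/cpu/vulnerabilities/*; do
        [ -r "$f" ] && printf '%s: %s\n' "${f##*/}" "$(cat "$f")"
    done
    return 0
}

case "${1:-}" in
    --local) report_local_cpu ;;           # run against this machine
    *)       sample_cpuinfo | sig_from_cpuinfo ;;   # prints: 306A9 0x1f
esac
```

Run with `--local` on a Linux box to get the signature to search for in the PDF; the sysfs lines then show whether the loaded kernel considers the installed OS-level mitigations active.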
From what I have read, Meltdown and Spectre are not being exploited in the wild and some of the 'fixes' (looking at you Slurp) are worse than doing nothing at all. So the real question for older chips is: what is the real risk of an exploit? Partly, how difficult are they to exploit with a normal user configuration and how would the exploit be installed? I have seen opinions that say if hit it is real bad but it is very difficult to actually exploit.
So should the average user (or their informal IT department) maintain a watch and wait posture towards patching?
An accurate risk assessment will also impact any lawsuit as it currently stands, as there have been no known attacks using the flaws.
Spectre is much lower risk than Meltdown, and difficult to exploit. That's not to say at some point someone won't find a method of making Spectre more exploitable, and then it becomes a larger issue.
Meltdown should definitely be patched as soon as possible, and is safer because it doesn't involve microcode updates, it's an OS patch.
Meltdown should definitely be patched as soon as possible, and is safer because it doesn't involve microcode updates, it's an OS patch.
Microcode updates can be delivered that way too. I'm not recommending any of the firmware patches for Spectre that have been released... just do it at the OS level. In Windows, I believe this requires downloading the microcode update directly from the Windows catalog, as it is not being delivered by Windows Update, for some reason. For Linux, of course that depends on the distro... I use Mint, so all I need to do is... nothing. It appears in the updates when it's ready.
...that is, of course, if the PC in question was not one of the ones that just got shit on by Intel, after they promised for months that a fix was incoming. My Braswell laptop already has a fix available (in the form of firmware, so no thanks), but my Core 2 Duo laptop is now "wontfix". Even though the C2D unit is far faster and more capable than the Braswell across the board, I guess it's obsolete, but the Braswell isn't.
Strangely, no one from Intel ever contacted me to ask whether my C2D laptop was "closed" to the internet; I guess I'm not one of the "customers" Intel talked about. I wonder who was.
None of these articles, El Reg or otherwise, ever mention that Intel motherboards are not going to receive BIOS updates because Intel burned its bridges with respect to support when it left the business, so users of Intel processors on Intel motherboards will not be receiving all of the Meltdown / Spectre updates.
...as opposed to other manufacturers, where they similarly also Cannot Be Arsed. Most OSes will probably load the revised firmware quite early in the boot process, though, reducing the attack surface considerably.
BIOS wise you'd be wiser to worry more about addressing management engine issues.
To be fair, the reasons could also be:
4) We found out these fixes lead to a whack-a-mole situation for the older kit
5) We found out the fixes just plain don't work right (for some idiot reason)
6) Whilst testing the fixes, we discovered those old chips have a much more horrendous problem we'd rather not get into at this time. ;-|
"Most the CPUs listed above are oldies that went on sale between 2007 and 2011, so it is likely few remain in normal use." is garbage and Reg authors/editors should get out in the real world.
Look at MS OS share from any source.
Look at missing CPU types in the April "Guidance" and you find the PDF doesn't even cover all CPU models w/ Meltdown and Spectre problems.
Most systems running XP, Vista and Win7/8/8.1 have "old" Intel CPUs and won't get a new BIOS. Most running XP and some w/ Win7 are people who down/upgraded Vista systems and see little reason to replace them. Most won't buy new Intel products just to fix Meltdown and Spectre either. Note that Intel CPU bugs go back to at least the Pentium FDIV bug that also never got fixed. Intel offered replacements but few knew of this and fewer bothered to get them.
Dell et al had no intention to offer BIOS updates for most or all systems over 2-5 years old and now have an easy way out because Intel won't bother making new MCU for most of them.
OS patches? Funny. Not. Many Win7 systems alone have not been patched since 12-17 because the MS patch failed and the fix patches for that also failed. Most Linux users haven't patched for this either.
How many of these have found their way into military systems via the popular "commercial-off-the-shelf" method of reducing costs, how many of them are still in mission-critical applications, how many in administrative apps, and what vulnerabilities might those involve, if any?
As I keep pointing out, there is a notice on the inside cover of the instruction manual, "This product is not approved for use with information classified CONFIDENTIAL or higher." (CONFIDENTIAL is the lowest formal classification level.)
So, if anyone did use it, they would be facing a court martial.
Intel is really only on the hook for stuff that is supported, the warranties are usually just a few years (I see in the case of embedded they may support up to 7 years on extended support).
So chips outside of this window should not expect fixes. While it'd be nice if they got fixed it's not reasonable to expect to get support past the support window unless you have a special agreement with Intel for extended support.
I just stopped a support case for a firewall product yesterday, for example. I had had the issue reproduce about once every 2 weeks for almost a year now (unable to reproduce on demand). Workaround is to reboot the unit (happens on both units in the HA pair). Product ran fine for a good 4+ years without this condition until a particular software version was installed early last year (took 4-8 weeks for the problem to be discovered, at which point rollback was not practical; older software was end of life anyway). Vendor unable to find the cause, let alone find a resolution. Support for the product officially ends in about two weeks. Fortunately the decision was made to shut down the site that the affected product is operating in within the next month so I won't have to deal with it anymore.
But the point is I know when support for the product was ending, and while I certainly am frustrated they could not make any meaningful progress on the issue for just over a year at this point, I'm not expecting them to support past the support window.
You'd have every right to be upset if you reported the Meltdown issue to Intel within the warranty/support period of their product and they did not produce a fix. But that is not the case with all of the chips they are not going to fix (I haven't tried to check to see if any of their extended support embedded chips with 7 years won't be fixed if they were released in 2011).
If you REALLY feel you are that much of a target or have that lax of habits with regards to pretty safe computing then you should upgrade the hardware.
The thing is Warranty != Law. As this is a proven issue with the chips since day one, not a result of age, if taken to court Intel could still be in hot water.
How long Intel say they warrant the product is largely irrelevant when we can prove that people actually expect to be able to use these CPUs for much longer. People don't buy a product expecting it to die the day the warranty ends; they buy it expecting it to last the average life span of products already out there.
"Dr. David Patterson quick-marched an audience of about 200 pizza-sated engineers through a half-century of computer design on March 15. He spoke from the podium in a large conference room in building E at Texas Instruments’ Santa Clara campus during an IEEE talk titled “50 Years of Computer Architecture: From Mainframe CPUs to DNN TPUs and Open RISC-V.” It’s a history of accidental successes and potholes, sinkholes, and black holes that swallow entire architectures."
Well, my main day to day box is a WONTFIX too. Dual 3GHz E5450s in a HP xw6600 chassis with 64GB of RAM and a pair of Nvidia gfx cards, all running Linux and CUDA etc for hashing work and virtual machine instances and compiling binaries.
I have never really thought "oh this box is too old, I'll give it a tech refresh" apart from slapping an SSD in at one point, because it just works and when we compared it against newer stuff it manages just fine. Only now it has to just work in an airgapped private network, or I throw away my investment in the entire machine itself (it won't take a motherboard from a later chipset), the RAM (matched to the CPUs) and while we're at it we might as well upgrade to APUs. So that's half a grand for a newer box down the toilet then. Thanks Intel for crapping on what was a couple of generations ago your top of the line kit to save a tiny percent in costs for the people to work on all your cockups, not just the ones that you're currently milking.
Next server room buildout I'm involved with, I'll be bringing up Intel's handling of this for sure. And I won't be buying Intel's again for my personal machines by choice.
"So how many holes and hack points do you create per hour on that lovable hunk-o-junk o'yours ?"
What makes you think this person doesn't have their software up to date? I have a HP xw4600 which works great. All my software is completely up to date. And Windows 10 runs better now than the versions of Windows that were released at the time I bought the computer.
Not everyone is into throwing their money away on unnecessary upgrades and filling landfills with e-waste.
I'm hoping they were asking how many vulnerabilities do I develop per day. Sorry, I don't have a metric for that you can put in a spreadsheet to decide how to crank the hamster wheel HR want to put all our staff* on.
Latest shiny is for all those cool kids who game on their PCs, isn't it? For computational loads it copes rather well.
If you meant how out of date is it? I'm assuming from the idiocy you are a PHB, but the packages were updated last night by cron if that helps.
It's not a 'couple of generations ago' though, is it? That's a Harpertown CPU from 2007, discontinued 2010 and is Core2 (Penryn) architecture based.
If I'm really generous and only count the overall architectures that's seven generations ago.
If EP/EX etc variants are included add on at least another five chip variants (which I'd be inclined to do as EP chips do tend to include reasonable additional features rather than being a basic re-spin of a desktop chip).
You don't have to airgap it, you need to decide if Spectre variants are a large enough risk to isolate the system. Meltdown is patched by the OS, so as long as it isn't exploited prior to the OS being loaded...
Also, I know a Penryn era CPU does support virtualisation, and your xw6600 hopefully has working vt-d (the xw4600 certainly doesn't, it's in the BIOS but broken), but you're missing SLAT (EPT/RVI) as it's pre Nehalem. That really does limit both the products that can be used and the possible performance as SLAT is a pre-requisite for many virtualisation systems.
(I should know, my backup system is using the really oddball X38 derived S3210 chipset, which is Core 2, supports VT-d, and ECC DDR2. I also have a system built around an xw4600 motherboard, which would be great if the BIOS wasn't incompletely implemented)
I use the 6600 as a VM host using VMware/VirtualBox and use a completely different machine for browsing with a KVM for when doing research, as, er, it can end up in some less salubrious places quite often, so that's even more critical to stay on top of, and I'll have to uplift that because it's running an Ivy Bridge 2127U, but that's not a big loss; any cheap box will do for that, it's just a glorified web browser + VPN client host. I'm still a bit annoyed that the 6600 needs isolating and its instances not allowed to route out as a fix, though, as to upgrade to something more modern but capable takes what I consider a not insignificant* sum of money.
But, yeah, hands up, I'm being super grouchy, I have to make some investment in new kit because of someone else's mess. I know the nuances and I'm just going to have to suck it up and pass this cost onto my clients. But when it comes to SMEs, you try telling 9/10ths of the world they need to landfill their devices because there's an unpatched flaw in the CPU they use on the machine and they absolutely must be able to use Facebook and Twitter while at their desk. And are all the affected machines going to go to landfill or end up in corporate disposal for the next decade?
I personally think Intel should have eaten the extra dev + test costs as a goodwill gesture and supported the mess they made, rather than apparently trying to turn it into a profit op to drive new CPU purchases to replace the ones they already sold you. Even if they prioritized the newer arches first it would have kept more options open longer term. At the end of the day, they made this mess with their product; washing their hands isn't going to take all of the compromised product out of the second user ecosystem for years.
*i.e. it's mine and I've got short arms and deep pockets
Ivy Bridge has already had a firmware update released for it? 2127U is CPUID 306A9 which is in 'production' state - i.e. allegedly firmware is already out.
This is still a little overblown, well, at least until a worse exploit is found.
Meltdown is a solved problem, aside from the extra money needed to cope with the drop in speed of specific cloud compute instances.
Spectre is a risk assessment, not dissimilar to deprecation of SSL. Certain SSL ciphers are horrendously insecure and need retiring, others might be an issue at some stage. Spectre isn't a problem *yet* for most people. However the day may come when someone finds a reliable exploit that can be easily used by the script kiddies, and at that point it may suddenly be necessary to retire hardware.
I have more sympathy for the general public than small SMEs. Even the small SMEs if they have any business sense write down their computers in three years or less, then sweat the assets. Given that we're talking about unsupported products being more than around six years old they are well and truly worthless from an accounting point of view at this point. If the SME hasn't budgeted for a replacement of their kit, they aren't doing their job.
Well, in the last month my Windows 8.1 crashed due to hard drive problems and was denied from being able to boot; none of the emergency provisions would work, no PBR, WinRE or boot disk could save me. I turned to Linux, well, after what seemed like an NTP zero day hack from a *joker.ntp on April the first, or something like that (thanks Folks, haha - you'll get yours), my primary hard drive with Ubuntu Studio on it went belly up and Mint Mate 18.3 started to disobey orders and act up. So I then reinstalled Windows 8.1 from a downloaded 4.3GB start disk.
What does this have to do with Meltdown or Spectre? Well, it F*cked any updates, fixes or anything else I had already received, and all I know now is that Ctrl+P at boot time will not allow me to access the Intel Processor.
Left me feeling like disconnecting anything of value from the internet entirely and using a cheap tablet from Aldi to browse the subscriptions and get the news.
Holding purveyors of defective products accountable is precisely what class action lawsuits are for. In this case where Intel knowingly compromised the security of all of their products by disregarding command security protocol, there should be a very high price to encourage better judgment in the future. Intel should be fined no less than 100 billion dollars and made to provide defect free replacement components and cash to all who were bilked into buying these defective goods at premium prices.
"Most the CPUs listed above are oldies that went on sale between 2007 and 2011, so it is likely few remain in normal use."
Yeah, right. We've over 100 Wolfdales in daily use at the school where I work - and that's not unusual for schools in general. I guess they'll just carry on in their vulnerable state until they die...
The author of the article made it seem like CPUs older than 2011 weren't in use that much. So, it isn't that big of a deal if they aren't patched. I have an Intel Core Duo 3+ GHz that may be that old. I have had it for years, and it has continued to work fine. Performance hasn't been an issue at all. In fact, I think Windows 10 runs better on it, than the older Microsoft garbage. I'm not looking forward to being forced into upgrading a system that has been totally solid and problem free. Some of us don't feel the need to throw out perfectly good hardware for upgrades we don't need or want every couple years. I hope that there continues to be at least a software patch for it.
"Most the CPUs listed above are oldies that went on sale between 2007 and 2011, so it is likely few remain in normal use."
Shows how they have zero comprehension of how their market works. You hear TONS of people saying they are still using Core 2 CPUs, because unless you are a content creator or gamer it's "good enough". I know at least two people myself.
I also have a Core 2 as a server at a friend's house; it's more than powerful enough for the job so not even close to EOL. There are a LOT of Atoms of various ages used for small form factor PCs and crucially mid-range routers.
My router is one of the last Intel motherboards based on Atom so I'm out of luck on all sides it seems, the CPU isn't even on that guidance list despite being NEWER than some of the ones that are. :/
Seems the best recourse to mitigate the potential attack vector of any speculative unfixable exploit is to... Uninstall Windows, because undoubtedly the first in-the-wild exploits we find will surely be delivered through some cobbled together 'Registry Cleaner 5000.exe' or Java-required webapp. Linux might even get some action through the usual SSH sniffers and other server security holes.
So does using a BSD make me theoretically invulnerable...?