Intel gives up patching some chips with Spectre flaws

Chipmaker deems some chips too tough to fix, advising of Spectre stability issues

The Spectre and Meltdown chip vulnerability saga continues today, with Intel admitting it can't or, rather, won't issue patches for some of its affected CPUs.

Spectre and Meltdown are two flaws found at the chip level that can lead to serious data breaches. As the problem is at the architecture level, it affects virtually all processors made within the past 20 years - not just from Intel but also other giants like ARM and potentially AMD.

While no exploit of either flaw has been seen in the wild, because the problem is so widespread it's considered one of the greatest information security problems of recent times.

Despite previous pledges to issue microcode updates that will fix the flaws, Intel is now backtracking when it comes to certain of its CPUs.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

In a revision notice published on Monday, the chipmaker now lists 16 microcode updates as "stopped", meaning that while patches have previously been released, Intel will no longer issue them. The company has also recommended admins and/or users stop using the updates as the mitigation for Spectre v2 contained within them causes stability issues.

The reasons Intel gave for stopping these updates vary, from the possibility that patching Variant 2 of Spectre is just too difficult based on the design of the chip in question, to limited availability of software support and the fact that some of the affected chips are powering 'closed systems' they're not connected to anything that could allow hackers to exploit them, so the risk is so small that administrators can avoid the fuss of implementing such a tricky update.

The affected chips cover a broad range of families, many of which were released around a decade ago and some of which have ceased production in the meantime, so it's hard to say how many systems will actually remain at risk due to this change. Affected chip families that won't be getting an update include Bloomfield, Bloomfield Xeon, Clarksfield, Gulftown, Harpertown Xeon C0, Hapertown Xeon E0, Jasper Forest, Penryn/QC, SoFIA 3GR, Wolfdale, Wolfdale Xeon, Yorkfield and Yorkfield Xeon. Intel's notice doesn't list which of these chip families it believes are too difficult to patch, and which present a low risk. 

On the other side of the coin, however, Intel has rolled back a previously issued "stopped" notice on four other patches as "subsequent testing by Intel has determined that these were unaffected by the stability issues and have been re-released without modification" - these are Skylake H/S, Skylake U/Y, Skylake U23e and Skylake Xeon E3.

A full list of the affected systems, plus what their patch status is, can be found here.

In a statement, the company said:"We've now completed release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google. However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback."

Advertisement - Article continues below

Intel has a messy history of patching Meltdown and Spectre, botching an initial run of Skylake patches that resulted in performance slowdowns and rebooting issues, which it eventually rolled back and replaced with another set of patches in February. The vendor faces more than 30 lawsuits relating to the chip vulnerabilities.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/hardware/laptops/354533/dell-xps-13-new-9300-hands-on-review-chasing-perfection
Laptops

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020