back to article Intel admits a load of its CPUs have Spectre v2 flaw that can't be fixed

Intel has issued fresh "microcode revision guidance" that reveals it won’t address the Meltdown and Spectre design flaws in all of its vulnerable processors – in some cases because it's too tricky to remove the Spectre v2 class of vulnerabilities. The new guidance, issued April 2, adds a “stopped” status to Intel’s “production …

Anonymous Coward

So since Intel have now confirmed that are unwilling to fix...

.....items faulty at time of sale then compensation/replacement with working item seems to be in order.

53
2
Bronze badge
Thumb Down

Re: So since Intel have now confirmed that are unwilling to fix...

Yep, exactly! And for those of us that kept those CPUs specifically because the ME could be disabled, Intel should need to either provide replacement ME-free CPUs or fund the full cost of replacing their broken CPU with something that is ME/PSP free and in a similar performance class.

Or, you know, just release their microcode signing keys and source, then let us have at fixing it....

35
2
Silver badge

Re: So since Intel have now confirmed that are unwilling to fix...

Depends on the definition of faulty I suppose.

Car analogies are always a good bet on a downvote, but let's say a car maker were hauled over the coals for using glass in their windows. That glass can be smashed and used to gain access to the car and have a good rummage around the glove box.

Would the manufacturer be liable in the same way? After all, the window served its purpose just fine until someone decided to unearth the hidden weakness in it, much like these CPU bugs.

Still, common sense has no place in the US legal system.

18
31
Silver badge

Re: So since Intel have now confirmed that are unwilling to fix...

More like all the cars have a keyless entry system with an alternate entry code of 1111.

50
3

Re: So since Intel have now confirmed that are unwilling to fix...

It's probably 0000, actually.

22
3
Anonymous Coward

Re: So since Intel have now confirmed that are unwilling to fix...

If you bought a retail bixed CPU on its own, perhaps. I would bet money 99.999% of people however opted for the substantially cheaper OEM tray part and have no course of action at all, they waived that at time of purchase of the system builder part

3
8

Re: So since Intel have now confirmed that are unwilling to fix...

Actually, I bought mine in a retail box, so I must be in the 0.001% , coincidentally I think there's an equal probability of me being able to get any kind of recompense from Intel or the vendor

26
0
Gold badge

Re: So since Intel have now confirmed that are unwilling to fix...

OoO processing came in around the early 90s. It took a quarter of a century to find the access code. I don't think 1111 does that justice. More like 0118 999 881 999 119 7253.

8
2
Silver badge

Re: So since Intel have now confirmed that are unwilling to fix...

You're right, car analogies don't work.

(Most)Cars have windows, the user is aware of this fact at the point of sale.

24
1
Silver badge

Re: So since Intel have now confirmed that are unwilling to fix...

You're right, car analogies don't work.

Oh, I don't know, it's not far off:

(Most)PCs have windows, the user is aware of this fact at the point of sale.

:)

30
0
Silver badge

Re: 0118 999 881 999 119 7253

So the same as the new phone number for the emergency services then?

12
0
Anonymous Coward

False analogy

The better car analogy would be what happened in the real world -- cars were sold with defective air-bags, years later manufacturers had to replace them.

19
0
Silver badge

Re: So since Intel have now confirmed that are unwilling to fix...

Actually, most of the CPUs I've bought new from retailers have been the retail version - they're practically the same cost and come with a cooler that's guaranteed to work (if perhaps not to be the most effective option).

My latest CPUs were second hand, though, as buying new Xeons is more than a little expensive for a non business user..

6
0
Bronze badge

Re: So since Intel have now confirmed that are unwilling to fix...

Another way to get a lot of down votes is to point out 2nd and 3rd order effects people don't want to hear.

Sure, Intel can put a lot of resources into fixing 8+ year old chips, which are probably used by less than 3% of the market... but doing so will likely stop Intel from providing good raises or other benefits for its employees, and/or raise the cost of the next computer you purchase by a couple of hundred dollars.

As security professionals, you should all understand and identify risk management based decisions; and be intelligent enough to understand it. This is done by all corporations all the time. Including the one you work for.

6
20

Re: So since Intel have now confirmed that are unwilling to fix...

I think a better car analogy would be if a car manufacturer released a car with a power window that would not go up thus allowing world+dog in.

4
0
Orv
Silver badge

Re: So since Intel have now confirmed that are unwilling to fix...

It's a non-obvious vulnerability that comes about because of fundamental features of how the chips work.

So I'd say it's like suing a car company over carjackings, because they made cars that had to stop at traffic lights.

0
14
Silver badge
Unhappy

Re: So since Intel have now confirmed that are unwilling to fix...

Struggling for a good car analogy because most things that fail can be fixed/replaced with new or recycled parts.

However let us invent some metal fatigue problem which has a potential to cause a chassis failure in cars over 10 years old which could only be rectified by a new body shell.

How likely is it that the manufacturer would (as some commentards seem to be suggesting) provide a brand new body shell (from a non-existent production line right back to the steel maker) or failing that a brand new car?

Consumer law is unlikely to try and enforce this because the vehicle has lasted a reasonable time. Any compensation would probably be limited to the current trade in value (prior to the discovery of the fault).

So what is the street value of a mid specification Core 2 Duo (or quad) system? That is, processor, memory and motherboard?

If Intel really cared they might do a scrappage deal where if you handed in a motherboard, processor and memory then you would get say 50 UKP off a brand new configuration. Or hand in a complete laptop and get similar off a brand new one.

Restarting a production line for old chips with a different silicon density and different leg count so you can replace chips like for like - that is, several generations where the pin numbers and locations have been deliberately changed to force you to buy a new motherboard with a different socket - is obviously not feasible. What happens to old silicon foundries anyway, when the next generation of fabrication hardware is installed?

Free replacement isn't going to happen for reasons above (plus probably many others) and a scrappage scheme to get you to buy the latest i9 is in effect rewarding Intel for designing vulnerable processors.

2
2
Silver badge

Re: So since Intel have now confirmed that are unwilling to fix...

Sure, Intel can put a lot of resources into fixing 8+ year old chips, which are probably used by less than 3% of the market... but doing so will likely stop Intel from providing good raises or other benefits for its employees,

And?

and/or raise the cost of the next computer you purchase by a couple of hundred dollars.

You think that releasing a microcode update for each of the "wontfix" CPUs on the list (the ones they promised had fixes incoming) is going to add that much the cost of my next computer? How do you figure that?

The last computer I bought (Dec 2017) cost less than a couple hundred dollars as it was, but even if it was a high-end desktop instead of a Chromebook-spec Windows laptop (well, used to be a Windows laptop), that figure is still pretty ridiculous. Microcode updates are a regular part of development for a given CPU; mine have received several over the course of their lives, as OS updates.

You think issuing just one more microcode update for a CPU that has already had several over its lifetime is going to cost that much?

Also, why would Intel's difficulties have anything to do with the cost of an AMD system? 'Cause, fsck Intel if they're not going to stand behind their products OR keep their word.

3
2
Bronze badge

Re: So since Intel have now confirmed that are unwilling to fix...

"Sure, Intel can put a lot of resources into fixing 8+ year old chips, which are probably used by less than 3% of the market... but doing so will likely stop Intel from providing good raises or other benefits for its employees"

Yeah, right, this is just like how all the companies immediately gave their employees raises and created new jobs when the Trump tax cuts for the rich and corporations went through. It didn't happen. They did stock buy back instead.

1
0
Bronze badge

Re: So since Intel have now confirmed that are unwilling to fix...

It's probably 0000, actually.

"1 2 3 4 5"

Because that's what Intel's CEO had as a combination on his luggage...

0
0
Bronze badge

Re: So since Intel have now confirmed that are unwilling to fix...

My latest CPUs were second hand, though, as buying new Xeons is more than a little expensive for a non business user..

Actually, ALL my CPUs these days are second-hand, because I haven't bought a NEW computer in years (most are scavenged systems, or handoffs when MSWin "advanced" to the point they were unusable for the standard home user. They run Linux just fine).

0
0
Silver badge
Meh

"Now all Intel has to do is..."

Make an effort, for a change.

Although I suspect that Intel will ride out this storm easily, because ... money, and end up being just as inept and anticompetitive as ever.

20
0

So if they can't fix them...

...with microcode, will they offer to replace them as they did with the defective Pentium FDIV hardware?

14
1

Soooooo. Intel Fanbois! How you like iNTEL iNSIDE now?

But then again. iBoyz and Girlz will still buy iNHeyal anyway.

2
26
Silver badge

Suggested title?

Exploitus interruptus? Damn, couldn't pull it off in time.

10
0
Flame

You b..... you just killed Bloomfield!

"oldies that went on sale between 2007 and 2011, so it is likely few remain in normal use."

Ah good, so my i7-920 is covered then? Oh, wait... Bugger.

That should teach me buying a CPU from a reputable vendor such as Intel. 'cause AMD supposedly was much worse at this lark.

25
0
Anonymous Coward

Re: You b..... you just killed Bloomfield!

Dammit, I still have i7-920's in use. Fortunately, not on the public interwebs though. And now I'd better make sure they never are.

2
0
Silver badge

Re: You b..... you just killed Bloomfield!

"oldies that went on sale between 2007 and 2011, so it is likely few remain in normal use."

Yeah, I was thinking about that line too... you know how we keep hearing about the tragic decline in PC sales? The reason is that the end of Moore's Law (such that it has been called) means that older kit stays usable much longer, and people are using it much longer. I certainly am, and I know several others running gear old enough to be on Intel's "wontfix" list. I think you might be surprised at how much old computer equipment is still in use-- and why not? For most computing tasks, older gear is still very usable today. We've reached a point that a great many people only replace PC gear when it stops working, not because it's too slow... they're like toasters or other commoditized items. If it works, keep using it until it doesn't.

It's purely anecdotal, but I pay attention to what gear people run when in discussion forums, whether it is pertinent to the thread at hand or just something listed in a signature file, and there is a LOT of old gear still being used today, including for web browsing (the most likely vector for most people to be affected by Spectre, via JavaScript).

4
0
Bronze badge

Re: You b..... you just killed Bloomfield!

"oldies that went on sale between 2007 and 2011, so it is likely few remain in normal use."

Oldies??? Hah, I'd be lucky to have anything that new. OK, my Dell OptiSux 390 is from 2012, so maybe I have *one* that will get updates.

0
0

Re: You b..... you just killed Bloomfield!

> Dammit, I still have i7-920's in use. Fortunately, not on the public interwebs though. And now I'd better make sure they never are.

Fuck. Just checked, and my main gaming rig is on the list too. It's an Intel Core2 Extreme X9650. It does absolutely fine for the stuff I use, and there's no damn way it's "too slow", etc.

Intel, you'd better think again. You screw this up, it's on you to fix it.

1
0
Bronze badge

Re: You b..... you just killed Bloomfield!

It's purely anecdotal, but I pay attention to what gear people run when in discussion forums, whether it is pertinent to the thread at hand or just something listed in a signature file

Maybe El Reg could approach STEAM to see if they would allow access to their system spec sheet, as all of their players can load up their specs, and as a quick check, I can't think of anyone else of equivilent size who may have similar data sets

0
0
Orv
Silver badge

Re: You b..... you just killed Bloomfield!

The odds of Spectre causing a major security problem for a gaming rig are probably low. A far more likely scenario is an accidental backdoor in one of the games you play, or an intentional backdoor in a sketchy mod you install. If you want to be careful, do your banking on another system.

0
0
Silver badge

Not in use...

2007 to 2011? I know of a lot of kit from that era still in use.

Heck, I have a Core2Quad Q6600 desktop and two Core laptops with i5 and i7 first generation chips in them that are still in use.

40
0
Silver badge

Re: Not in use...

I have a Lenovo T60 Thinkpad. Runs everything from Windows 2000 to 10, and various Linuxes. (Not all at once!)

14
0
Silver badge

Re: Not in use...

Yep, my main system whilst the latest is down is a Yorkfield Xeon (Core 2 Quad). Still totally viable for many purposes.

8
0

Re: Not in use...

And almost all, if not all, of that kit will not be in use in such an environment where any of this matters.

0
9
Silver badge

Re: Not in use...

And almost all, if not all, of that kit will not be in use in such an environment where any of this matters.

None of it matters for any PC anywhere as long as the threat remains theoretical, but it remains to be seen if it will. My C2D Penryn laptop is assuredly in an environment where this could matter, browsing the web and what not...

4
0
Silver badge

As above

Plenty of 2007-2011 cpu's still in use, my daughters system runs a Harpertown Xeon, and it doesnt lack anything against a current system for anything except modern, high end games and 4K video.

Equally, my parents still run a Core2 Duo E4xxx, although TBF, that is slower than a 3 legged tortoise.

In fact, only one PC in the family runs a cpu built after that date - and that is an AMD cpu anyway.

17
0
Anonymous Coward

Might be another reason ..

.. why Apple is talking about making their own CPUs based on AMD architecture ..

It's not been a fun week for Intel, has it? And it's only Wednesday :)

16
2

Re: Might be another reason ..

After the SSL MITM and root no password buffoonery, it will be interesting to see what screw ups Apple manage to build in to their silicon.

14
1
Anonymous Coward

Re: Might be another reason ..

Rather offtopic, but I'll bite: yet, they still don't screw up on the scale of some other, software only setups who really ought to know better by now..

2
1
Bronze badge

Re: Might be another reason ..

Sooo.... If this is a real thing, you might want to run. AMD brought in VP from Apple to drive the infrastructure needed for the K7 (Athlon). He had 0 appreciation for component validation. After 18 months, the director of validation (who had built the validation team at AMD) quit. So yeah, I don't think I would be in a hurry to buy Apple-designed cpus. (Bitter? Me?)

2
0
Anonymous Coward

Re: Might be another reason ..

OK, so tell us why you really quit? :)

1
0
Silver badge
FAIL

I think there are still...

quite a few of those processors in use. I still have a Yorkfield core 2 quad (Q8200) in my HTPC so certainly not a "Closed System". With 4 GB ram, AMD HD7750 GPU and a Mint install it is still serviceable. Am I supposed to retire a perfectly adequate machine just because intel can't be bothered to fix a security flaw in their chips?

12
0
Silver badge

I have a Dell Optipex 760 desktop from around 2007 which after ditching the Vista install a bumping up the RAM to 4GB can happily run Linux Mint Mate and is used daily when working from home for office and internet tasks.

I have never been an Intel fan, perhaps because I grew up with Commodore computers (C64 then Amiga) and my first home built PC had an AMD K6. But this makes me even more determined not to give Intel any more money either direct or indirect by buying an system with an Intel CPU from a PC manufacturer.

8
1

This is typical Intel - "support? No, we don't care about anything that might cost us money. Besides, that part should have been replaced by now."

Also, anyone else noticed there's a lot of Xeons here? I'm wondering how many are in use in corporate servers. Or even government - replacement cycles in government tend to be longer than the private sector because if they're not the press start screaming about "taxpayer's money"...

12
0
Silver badge

"Also, anyone else noticed there's a lot of Xeons here? I'm wondering how many are in use in corporate servers. "

Went out shopping with my wife today. In Matalan I saw a 14" Dell CRT screen behind the checkout counter. No idea what it was plugged into though. It does make me wonder what state the rest of their IT kit is in.

1
0

But how do we patch?

I'm no Intel expert, and all I really have is a model number of my CPU. So:

1) How do I know which family/class my CPU is in? Is there a look up table somewhere?

2) How do I apply any relevant microcode patch?

2
0
Silver badge

Re: But how do we patch?

Search for your CPU here https://ark.intel.com/search?q=

(it's not entirely accurate, despite being Intel, but is good enough).

Look up the product family in this document

https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf

Patches are supplied as part of your operating system, so just apply the latest patches. For Unix based systems, upgrade to the latest patched release.

2
0

Re: But how do we patch?

1. Use the Gibson Research Inspectre utility.

2. Pray that MS expand KB4090007

0
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018