Intel admits a load of its CPUs have Spectre v2 flaw that can't be fixed Intel has issued fresh "microcode revision guidance" that reveals it won’t address the Meltdown and Spectre design flaws in all of its vulnerable processors – in some cases because it's too tricky to remove the Spectre v2 class of vulnerabilities. The new guidance, issued April 2, adds a “stopped” status to Intel’s “production …
From what I have read Meltdown and Spectre are not being exploited in the wild and some of the 'fixes' (looking at you Slurp) are worse than do nothing at all. So the real question for older chips, what is the real risk of an exploit? Partly how difficult are they to exploit with a normal user configuration and how would the exploit be installed. I have seen opinions that say if hit it is real bad but it is very difficult to actually exploit.
So should the average user (or their informal IT department) maintain a watch and wait posture towards patching?
An accurate risk assessment will also impact any law suit as it currently stands as there has been no known attacks using the flaws.
Spectre is much lower risk than Meltdown, and difficult to exploit. That's not to say at some point someone won't find a method of making Spectre more exploitable, and then it becomes a larger issue.
Meltdown should definitely be patched as soon as possible, and is safer because it doesn't involve microcode updates, it's an OS patch.
Meltdown should definitely be patched as soon as possible, and is safer because it doesn't involve microcode updates, it's an OS patch.
Microcode updates can be delivered that way too. I'm not recommending any of the firmware patches for Spectre that have been released... just do it at the OS level. In Windows, I believe this requires downloading the microcode update directly from the Windows catalog, as it is not being delivered by Windows Update, for some reason. For Linux, of course that depends on the distro... I use Mint, so all I need to do is... nothing. It appears in the updates when it's ready.
...that is, of course, if the PC in question was not one of the ones that just got shit on by Intel, after they promised for months that a fix was incoming. My Braswell laptop already has a fix available (in the form of firmware, so no thanks), but my Core 2 Duo laptop is now "wontfix". Even though the C2D unit is far faster and more capable than the Braswell across the board, I guess it's obsolete, but the Braswell isn't.
Strangely, no one from Intel ever contacted me to ask whether my C2D laptop was "closed" to the internet; I guess I'm not one of the "customers" Intel talked about. I wonder who was.
None of these articles, El Reg or otherwise, ever mention that Intel motherboards are not going to receive BIOS updates because Intel burned its bridges with respect to support when it left the business, so users of Intel processors on Intel motherboards will not be receiving all of the Meltdown / Spectre updates.
..as opposed to other manufacturers, where they similarly also Cannot Be Arsed. Most OS will probably load the revised firmware quite early in the boot process, though, reducing the attack surface considerably.
BIOS wise you'd be wiser to worry more about addressing management engine issues.
To be fair, the reasons could also be:
4) We found out these fixes lead to a whack-a-mole situation for the older kit
5) We found out the fixes just plain don't work right (for some idiot reason)
6) Whilst testing the fixes, we discovered those old chips have a much more horrendous problem we'd rather not get into at this time. ;-|
"Most the CPUs listed above are oldies that went on sale between 2007 and 2011, so it is likely few remain in normal use." is garbage and Reg authors/editors should get out in the real world.
Look at MS OS share from any source.
Look at Missing CPU types in April "Guidance" and you find PDF doesn't even cover all CPU models w/ Meltdown and Spectre problems.
Most systems running XP, Vista and Win7/8/8.1 have "old" Intel CPU and won't get a New BIOS. Most Running XP and some w/ Win7 are people down/up graded Vista systems and see little reason to replace them. Most won't buy New Intel products just to fix Meltdown and Spectre either. Note that Intel CPU bugs go back to a least Pentium FDIV bug that also never got fixed. Intel offered replacements but few knew of this and fewer bothered to get them.
Dell et al had no intention to offer BIOS updates most or all system over 2-5 years old and now have an easy way out because Intel won't bother making new MCU for most of them.
OS patches? Funny. Not. Many Win7 alone have not patch since 12-17 because MS patch failed and fix patches for that also failed. Most Linux users haven't patch for this either.
How many of these have found their way into military systems via the popular "commercial-off-the-shelf" method of reducing costs, how many of them are still in mission-critical applications, how many in administrative apps, and what vulnerabilities might those involve, if any?
As I keep pointing out, there is a notices on the inside cover of the instruction manual, "This product is not approved for use with information classified CONFIDENTIAL or higher." (CONFIDENTIAL is the lowest formal classification level.)
So, if anyone did use it, they would be facing a Courts Martial.
Intel is really only on the hook for stuff that is supported, the warranties are usually just a few years (I see in the case of embedded they may support up to 7 years on extended support).
So chips outside of this window should not expect fixes. While it'd be nice if they got fixed it's not reasonable to expect to get support past the support window unless you have a special agreement with Intel for extended support.
I just stopped a support case for a firewall product yesterday for example. I had had the issue reproduce about once every 2 weeks for almost a year now(unable to reproduce on demand). Workaround is to reboot the unit(happens on both units in HA pair). Product ran fine for a good 4+ years without this condition until a particular software version was installed early last year(took 4-8 weeks for problem to be discovered at which point rollback was not practical, older software was end of life anyway). Vendor unable to find the cause yet alone find a resolution. Support for the product officially ends in about two weeks. Fortunately the decision was made to shut down the site that the affected product is operating in within the next month so I won't have to deal with it anymore.
But the point is I know when support for the product was ending, and while I certainly am frustrated they could not make any meaningful progress on the issue for just over a year at this point, I'm not expecting them to support past the support window.
You'd have every right to be upset if you reported the Meltdown issue to Intel within the warranty/support period of their product and they did not produce a fix. But that is not the case with all of the chips they are not going to fix(I haven't tried to check to see if any of their extended support embedded chips with 7 years won't be fixed if they were released in 2011).
If you REALLY feel you are that much of a target or have that lax of habits with regards to pretty safe computing then you should upgrade the hardware.
The thing is Warranty != Law. As this is a proven issue with the chips since day one, not a result of age, if taken to court Intel could still be in hot water.
How long Intel say they warrant the product is largely irrelevant when we can prove that people actually expect to be able to use these CPUs for much longer. People don't buy a product expecting it to die the day the warranty ends, they buy it expecting it to the last the average life span of products already out there.
"Dr. David Patterson quick-marched an audience of about 200 pizza-sated engineers through a half-century of computer design on March 15. He spoke from the podium in a large conference room in building E at Texas Instruments’ Santa Clara campus during an IEEE talk titled “50 Years of Computer Architecture: From Mainframe CPUs to DNN TPUs and Open RISC-V.” It’s a history of accidental successes and potholes, sinkholes, and black holes that swallow entire architectures."
Well, my main day to day box is a WONTFIX too. Dual 3Ghz e5450's in a HP xw6600 chassis with 64Gb of ram and a pair of nvidia gfx cards, all running linux and cuda etc for hashing work and virtual machine instances and compiling binaries.
I have never really thought "oh this box is too old, I'll give it a tech refresh" apart from slapping a ssd in at one point because it just works & when we compared it against newer stuff it manages just fine. Only now it has to just work in a airgapped private network, or throw away my investment in the entire machine itself (wont take a motherboard from a later chipset), the ram (matched to the cpu's) and while we're at it we might as well upgrade to apu's. So thats half a grand for a newer box down the toilet then. Thanks intel for crapping on what was a couple of generations ago your top of the line kit to save a tiny percent in costs for the people to work on all your cockups, not just the ones that your currently milking.
Next server room buildout I'm involved with, I'll be bringing up intel's handling of this for sure. And I wont be buying intel's again for my personal machines by choice.
"So how many holes and hack points do you create per hour on that lovable hunk-o-junk o'yours ?"
What makes you think this person doesn't have their software up to date? I have a HP xw4600 which works great. All my software is completely up to date. And Windows 10 runs better now than the versions of Windows that were released at the time I bought the computer.
Not everyone is into throwing their money away on unnecessary upgrades and filling landfills with e-waste.
I'm hoping they were asking how many vulnerabilities do I develop per day. Sorry, I don't have a metric for that you can put in a spreadsheet to decide how to crank the hamster wheel HR want to put all our staff* on.
Latest shiny is for all those cool kids who game on their pc's isn't it? for computational loads it copes rather well.
If you meant how out of date is it? I'm assuming from the idiocy you are a PHB, but the packages were updated last night by cron if that helps.
It's not a 'couple of generations ago' though, is it? That's a Harpertown CPU from 2007, discontinued 2010 and is Core2 (Penryn) architecture based.
If I'm really generous and only count the overall architectures that's seven generations ago.
If EP/EX etc variants are included add on at least another five chip variants (which I'd be inclined to do as EP chips do tend to include reasonable additional features rather than being a basic re-spin of a desktop chip).
You don't have to airgap it, you need to decide if Spectre variants are a large enough risk to isolate the system. Meltdown is patched by the OS, so as long as it isn't exploited prior to the OS being loaded..
Also, I know a Penryn era CPU does support virtualisation, and your xw6600 hopefully has working vt-d (the xw4600 certainly doesn't, it's in the BIOS but broken), but you're missing SLAT (EPT/RVI) as it's pre Nehalem. That really does limit both the products that can be used and the possible performance as SLAT is a pre-requisite for many virtualisation systems.
(I should know, my backup system is using the really oddball X38 derived S3210 chipset, which is Core 2, supports VT-d, and ECC DDR2. I also have a system built around an xw4600 motherboard, which would be great if the BIOS wasn't incompletely implemented)
I use the 6600 as a vm host using vmware/virtual box and use a completely different machine for browsing with a kvm for when doing research, as er, it can end up in some less salubrious places quite often so that's even more critical to stay on top of & I'll have to uplift that because its running a ivybridge 2127U but that's not a big loss, any cheap box will do for that, its just a glorified web browser + vpn client host. I'm still a bit annoyed that the 6600 needs isolating and its instances not allowed to route out as a fix though as to upgrade to something more modern but capable takes what I consider a not insignificant* sum of money.
But, yeah, hands up, I'm being super grouchy, I have to make some investment in new kit because of someone else's mess. I know the nuances and I'm just going to have to suck it up and pass this cost onto my clients. But when it comes to SME's, you try telling 9/10ths of the world they need to landfill their devices because there's a unpatched flaw in the cpu they use on the machine and they absolutely must be able to use facebook and twitter while at their desk. And are all the affected machines going to go to landfill or end up in corporate disposal for the next decade?
I personally think intel should have ate the extra dev + test costs as a goodwill gesture and supported the mess they made, rather than apparently trying to turn it into a profit op to drive new cpu purchases to replace the ones they already sold you. Even if they prioritized the newer arches first it would have kept more options open longer term. At the end of the day, they made this mess with their product, washing their hands isn't going to take all of the compromised product out of the second user ecosystem for years.
*i.e. its mine and I've got short arms and deep pockets
Ivy Bridge has already had a firmware update released for it? 2127U is CPUID 306A9 which is in 'production' state - i.e. allegedly firmware is already out.
This is still a little overblown, well, at least until a worst exploit is found.
Meltdown is a solved problem, aside from the extra money needed to cope with the drop in speed of specific cloud compute instances..
Spectre is a risk assessment, not dissimilar to deprecation of SSL. Certain SSL ciphers are horrendously insecure and need retiring, others might be an issue at some stage. Spectre isn't a problem *yet* for most people. However the day may come when someone finds a reliable exploit that can be easily used by the script kiddies, and at that point it may suddenly be necessary to retire hardware.
I have more sympathy for the general public than small SMEs. Even the small SMEs if they have any business sense write down their computers in three years or less, then sweat the assets. Given that we're talking about unsupported products being more than around six years old they are well and truly worthless from an accounting point of view at this point. If the SME hasn't budgeted for a replacement of their kit, they aren't doing their job.
Well in the last month my Windows 8.1 crashed due to hard drive problems, denied from being able to boot, none of the emergency provisions would work no PBR, WinRE or boot disk could save me. I turned to Linux, well after what seemed like a NTP zero day hack from a *joker.ntp on April the first, or something like that (thanks Folks, haha - you'll get yours), my hard primary drive with Ubuntu Studio on it went belly up and Mint Mate 18.3 started to disobey orders and act up So I then reinstalled Windows8.1 from a downloaded 4.3gb start disk .
What does this have to do with Meltdown or Spectre - well it F*cked any updates, fixes or anything else I already had received and all I know now is that Ctl +P at boot time will not allow me to access the Intel Processor
Left me feeling like disconnecting anything of value from the internet entirely and using a cheep tablet from Aldi to brows the subscriptions and get the news.
Holding purveyors of defective products accountable is precisely what class action lawsuits are for. In this case where Intel knowingly compromised the security of all of their products by disregarding command security protocol, their should be a very high price to encourage better judgment in the future. Intel should be fined no less than 100 billion dollars and made to provide defect free replacement components and cash to all who were bilked into buying these defective goods at premium prices.
"Most the CPUs listed above are oldies that went on sale between 2007 and 2011, so it is likely few remain in normal use."
Yeah, right. We've over 100 Wolfdales in daily use at the school where I work - and that's not unusual for schools in general. I guess they'll just carry on in their vulnerable state until they die...
The author of the article made it seem like CPUs older than 2011 weren't in use that much. So, it isn't that big of a deal if they aren't patched. I have an Intel Core Duo 3+ GHz that may be that old. I have had it for years, and it has continued to work fine. Performance hasn't been an issue at all. In fact, I think Windows 10 runs better on it, than the older Microsoft garbage. I'm not looking forward to being forced into upgrading a system that has been totally solid and problem free. Some of us don't feel the need to throw out perfectly good hardware for upgrades we don't need or want every couple years. I hope that there continues to be at least a software patch for it.
"Most the CPUs listed above are oldies that went on sale between 2007 and 2011, so it is likely few remain in normal use."
Shows how they have zero comprehension of how their market works. You hear TONS of people saying they are still using Core 2 CPUs, because unless you are a content creator or gamer its "good enough". I know at least two people myself.
I also have a Core 2 as a server at a friends house, its more than powerful enough for the job so not even close to EOL. There are a LOT of Atoms of various ages used for small form factor PCs and crucially mid-range routers
My router is one of the last Intel motherboards based on Atom so I'm out of luck on all sides it seems, the CPU isn't even on that guidance list despite being NEWER than some of the ones that are. :/
Seems the best recourse to mitigate the potential attack vector of any speculative unfixable exploit is to... Uninstall Windows, because undoubtedly the first in-the-wild exploits we find will surely be delivered through some cobbled together `Registry Cleaner 5000.exe' or Java-required webapp. Linux might even get some action through the usual SSH sniffers and other server security holes.
So does using a BSD make me theoretically invulnerable...?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
