Intel Won’t Patch Spectre on All CPUs
Intel does not plan to release microcode updates for older generations of processors that are affected by the Spectre vulnerability, either because patching is not practical or for other reasons.
The company released a microcode revision guidance document and some Core, Xeon, Celeron, Pentium and Atom CPUs from several product families are listed with status Stopped. According to Intel, this status means that “after a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products.”
The reasons include microarchitectural characteristics that prevent a practical implementation of features needed to mitigate Spectre variant 2 (CVE-2017-5715), limited commercially available System Software support and a determination based on customer input that those processors are primarily used in “closed systems” and are therefore less likely to be exposed to attacks.
The CPUs that won’t receive patches are from the Bloomfield, Clarksfield, Gulftown, Harpertown, Jasper Forest, Penryn/QC, SoFIA 3GR, Wolfdale and Yorkfield families and cover tens of individual models. Based on the same document, all other Intel processors have microcode patches available for production use.
Intel also announced last month that the next generation of its CPUs, expected this year, will have built-in protections against speculative execution attacks. That’s good news given that in addition to Meltdown and Spectre, researchers found other attack methods that exploit the speculative execution feature of modern CPUs. This feature is intended to increase performance by executing a program’s instructions in advance.
The problem with microcode patches is that they typically need to be distributed to computers along with BIOS/UEFI updates, but computer manufacturers have historically done a poor job of releasing such updates for systems that are older than a couple of years.
Since Spectre affects CPUs released over many years, there’s a large number of computers out there that still haven’t received the BIOS updates containing the Spectre patches and it’s unclear if they ever will. The fact that Intel has made these microcode updates available to OEMs is great but that’s not going to magically solve the problem for many users.
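As an added example, not from the article or from Intel, here is a Python check that parses a constructed /proc/cpuinfo sample and the kernel's spectre_v2 sysfs report to flag CPUs whose loaded microcode revision is below a baseline for their CPUID signature. The baseline table and the sample microcode values are placeholders, since the article does not reproduce the revision numbers from Intel's guidance document.

```python
import re

# Constructed /proc/cpuinfo sample for two logical CPUs; not captured from a real host.
SAMPLE_CPUINFO = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\n"
    "model\t\t: 26\nstepping\t: 5\nmicrocode\t: 0x1d\n\n"
    "processor\t: 1\nvendor_id\t: GenuineIntel\ncpu family\t: 6\n"
    "model\t\t: 26\nstepping\t: 5\nmicrocode\t: 0x1d\n"
)
# Constructed sample of /sys/devices/system/cpu/vulnerabilities/spectre_v2.
SAMPLE_SPECTRE_V2 = "Vulnerable: Minimal generic ASM retpoline\n"

# Hypothetical baseline: CPUID signature (family-model-stepping in hex) -> minimum
# microcode revision carrying the Spectre v2 mitigation. Real values come from
# Intel's microcode revision guidance; these numbers are placeholders.
BASELINE = {"06-1a-05": 0x1f}


def parse_cpuinfo(text):
    """Return one dict per 'processor' stanza with the fields this check needs."""
    cpus = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        signature = "%02x-%02x-%02x" % (
            int(fields["cpu family"]), int(fields["model"]), int(fields["stepping"]))
        cpus.append({
            "processor": int(fields["processor"]),
            "vendor": fields.get("vendor_id", ""),
            "signature": signature,
            # The kernel reports the loaded revision in hex; absent on some systems.
            "microcode": int(fields["microcode"], 16) if "microcode" in fields else None,
        })
    return cpus


def spectre_v2_state(sysfs_text):
    """Classify the kernel's spectre_v2 report by its leading keyword."""
    head = sysfs_text.strip().split(":")[0].lower()
    states = {"mitigation": "mitigated", "vulnerable": "vulnerable",
              "not affected": "not affected"}
    return states.get(head, "unknown")


def assess(cpuinfo_text, sysfs_text, baseline=BASELINE):
    """Flag CPUs whose loaded microcode is below the baseline for their signature."""
    findings = []
    for cpu in parse_cpuinfo(cpuinfo_text):
        need = baseline.get(cpu["signature"])
        below = need is not None and (cpu["microcode"] is None or cpu["microcode"] < need)
        findings.append({**cpu, "baseline": need, "below_baseline": below})
    return {"kernel_state": spectre_v2_state(sysfs_text), "cpus": findings}
```

On a live host, feed the function the contents of /proc/cpuinfo and the spectre_v2 sysfs file; a signature missing from the baseline is reported without a verdict rather than assumed patched.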
Microsoft Patches Critical Vulnerability in Malware Protection Engine
Microsoft has patched a critical remote code execution vulnerability in the Malware Protection Engine that’s used in most of its security products.
Attackers can exploit the vulnerability by placing a specially crafted file in a location where the Microsoft Malware Protection Engine will automatically scan it. If the real-time protection is turned on, files get scanned automatically when they are delivered through a browser, email, instant messaging or other applications. The large number of possible attack vectors makes the vulnerability particularly dangerous.
“An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system,” Microsoft said in a security advisory. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Affected products include Microsoft Exchange Server 2013 and 2016, Microsoft Forefront Endpoint Protection 2010, Microsoft Security Essentials, Windows Defender and Windows Intune Endpoint Protection.
According to Microsoft, in most cases, the update will be applied automatically within 48 hours because its anti-malware products are configured by default to periodically check for and install engine updates.
This is not the first time a critical vulnerability has been found in Microsoft’s Malware Protection Engine or in antivirus products from other vendors. Anti-malware engines scan a very large number of file types from a variety of sources, and file parsing operations have traditionally been a constant source of memory corruption issues that can lead to arbitrary code execution.