Intel Won’t Patch Spectre on All CPUs

Intel does not plan to release microcode updates for older generations of processors that are affected by the Spectre vulnerability, either because patching is not practical or for other reasons.

The company released a microcode revision guidance document, and some Core, Xeon, Celeron, Pentium and Atom CPUs from several product families are listed with the status “Stopped.” According to Intel, this status means that “after a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products.”

The reasons include microarchitectural characteristics that prevent a practical implementation of features needed to mitigate Spectre variant 2 (CVE-2017-5715), limited commercially available System Software support and a determination based on customer input that those processors are primarily used in “closed systems” and are therefore less likely to be exposed to attacks.

The CPUs that won’t receive patches are from the Bloomfield, Clarksfield, Gulftown, Harpertown, Jasper Forest, Penryn/QC, SoFIA 3GR, Wolfdale and Yorkfield families and cover tens of individual models. Based on the same document, all other Intel processors have microcode patches available for production use.

Intel also announced last month that the next generation of its CPUs, expected this year, will have built-in protections against speculative execution attacks. That’s good news given that, in addition to Meltdown and Spectre, researchers have found other attack methods that exploit the speculative execution feature of modern CPUs. This feature is intended to increase performance by executing a program’s instructions before the CPU knows whether they are actually needed, discarding the results if the guess turns out to be wrong; the attacks work because side effects of those discarded instructions, such as changes to the CPU cache, remain observable.

The problem with microcode patches is that they typically need to be distributed to computers along with BIOS/UEFI updates, but computer manufacturers have historically done a poor job of releasing such updates for systems that are older than a couple of years. Operating systems can also load a newer microcode revision at boot (Linux distributions ship Intel’s microcode as a package, and Microsoft has pushed some revisions through Windows Update), but that only helps for CPUs Intel has actually produced a patch for.

Since Spectre affects CPUs released over many years, there’s a large number of computers out there that still haven’t received the BIOS updates containing the Spectre patches and it’s unclear if they ever will. The fact that Intel has made these microcode updates available to OEMs is great but that’s not going to magically solve the problem for many users.
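Whether a given Linux machine ever received its Spectre variant 2 microcode can be checked from the kernel’s own view of the CPU. The script below is an added example, not code from the original article or from Intel: it reads /proc/cpuinfo (family, model, loaded microcode revision, feature flags) and the sysfs file /sys/devices/system/cpu/vulnerabilities/spectre_v2 that kernels since 4.15 expose. It does not encode Intel’s “Stopped” list; the family/model it prints has to be compared with Intel’s guidance document by hand. The flag names in MICROCODE_FLAGS are the ones various kernel versions use for the microcode-provided IBRS/IBPB/STIBP controls, and the embedded /proc/cpuinfo text is a constructed sample, not a capture from a real machine.

```python
"""Report what the Linux kernel knows about Spectre v2 on the running CPU.

Added example, not code from the original article or from Intel. Reads the
kernel's own view: /proc/cpuinfo and the sysfs spectre_v2 file (Linux 4.15+).
Falls back to a constructed sample when run on a machine without those files.
"""
from pathlib import Path

CPUINFO = Path("/proc/cpuinfo")
SPECTRE_V2 = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")

# Flags the kernel shows only when microcode supplies the Spectre v2
# controls (IBRS/IBPB/STIBP); exact names vary by kernel version.
MICROCODE_FLAGS = {"spec_ctrl", "ibrs", "ibpb", "intel_stibp", "stibp"}


def parse_cpuinfo(text):
    """Parse the first 'processor' block of /proc/cpuinfo into a dict."""
    block = text.strip().split("\n\n")[0]
    fields = {}
    for line in block.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return {
        "vendor": fields.get("vendor_id", ""),
        "family": int(fields.get("cpu family", "0")),
        "model": int(fields.get("model", "0")),
        "stepping": int(fields.get("stepping", "0")),
        # The kernel prints the currently loaded microcode revision in hex.
        "microcode": int(fields.get("microcode", "0x0"), 16),
        "flags": set(fields.get("flags", "").split()),
    }


def classify_spectre_v2(status_line):
    """Map the sysfs text to 'not_affected', 'mitigated', 'vulnerable' or 'unknown'."""
    s = status_line.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def assess(cpuinfo_text, spectre_v2_text):
    """Combine both sources. A retpoline kernel reports 'Mitigation:' even with
    no new microcode, so the microcode-backed controls are reported separately."""
    cpu = parse_cpuinfo(cpuinfo_text)
    state = classify_spectre_v2(spectre_v2_text)
    has_spec_ctrl = bool(cpu["flags"] & MICROCODE_FLAGS)
    return {
        "cpu": "%s family %d model %d stepping %d"
        % (cpu["vendor"], cpu["family"], cpu["model"], cpu["stepping"]),
        "microcode_revision": "0x%x" % cpu["microcode"],
        "kernel_spectre_v2": state,
        "kernel_status_text": spectre_v2_text.strip(),
        "microcode_spec_ctrl": has_spec_ctrl,
        # The situation the article describes: the kernel mitigates in software,
        # but the microcode-provided hardware controls never reached this box.
        "software_only_mitigation": state == "mitigated" and not has_spec_ctrl,
    }


# Constructed sample (not a real capture): a 45 nm Core 2, family 6 model 23
# (the Penryn/Wolfdale/Yorkfield generation), on a retpoline-built kernel.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 23
model name\t: Intel(R) Core(TM)2 Duo CPU     E8400  @ 3.00GHz
stepping\t: 10
microcode\t: 0xa0b
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush sse sse2 ht syscall nx lm

processor\t: 1
vendor_id\t: GenuineIntel
"""
SAMPLE_SPECTRE_V2 = "Mitigation: Full generic retpoline\n"


def main():
    cpuinfo = CPUINFO.read_text() if CPUINFO.exists() else SAMPLE_CPUINFO
    status = (SPECTRE_V2.read_text() if SPECTRE_V2.exists()
              else "unknown (sysfs file missing; kernel older than 4.15?)")
    for key, value in assess(cpuinfo, status).items():
        print("%-24s %s" % (key, value))


if __name__ == "__main__":
    main()
```

On the sample input the report shows the kernel as mitigated but software_only_mitigation as True: retpoline protects the kernel without any microcode, while the IBPB/STIBP controls that user-space and hypervisor mitigations rely on are absent, which is exactly the state a “Stopped” CPU stays in. Run it with root-less privileges on any Linux host; both files are world-readable.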

Microsoft Patches Critical Vulnerability in Malware Protection Engine

Microsoft has patched a critical remote code execution vulnerability in the Malware Protection Engine that’s used in most of its security products.

Attackers can exploit the vulnerability by placing a specially crafted file in a location where the Microsoft Malware Protection Engine will automatically scan it. If real-time protection is turned on, files get scanned automatically as soon as they arrive through a browser, email, instant messaging or other applications, so no user interaction is needed beyond receiving the file. The large number of possible attack vectors makes the vulnerability particularly dangerous.

“An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system,” Microsoft said in a security advisory. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Affected products include Microsoft Exchange Server 2013 and 2016, Microsoft Forefront Endpoint Protection 2010, Microsoft Security Essentials, Windows Defender and Windows Intune Endpoint Protection.

According to Microsoft, in most cases, the update will be applied automatically within 48 hours because its anti-malware products are configured by default to periodically check for and install engine updates.

This is not the first time a critical vulnerability has been found in Microsoft’s Malware Protection Engine or in antivirus products from other vendors. Anti-malware engines parse a very large number of file formats from untrusted sources, and they do so with high privileges; file parsing has long been a constant source of memory corruption bugs that can lead to arbitrary code execution.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
