As speculated by the researcher who disclosed the Meltdown and Spectre flaws in Intel processors, some Intel processors will not receive patches for the Spectre (variant 2) side-channel analysis attack.
In a recent revision of its microcode guidance (PDF), Intel admits that it would not be possible to address the Spectre design flaw in certain old CPUs, because fully mitigating the problem requires changes to the processor architecture.
The chip manufacturer has marked the production status of a total of 9 product families as “on hold”: Bloomfield, Clarksfield, Gulftown, Harpertown Xeon, Jasper Forest, Penryn, SoFIA 3GR, Wolfdale, and Yorkfield.
These vulnerable chip families, which are mostly older and went on sale between 2007 and 2011, will not receive microcode updates, leaving more than 230 Intel processor models, which power millions of computers and mobile devices, vulnerable to attackers.
According to the revised guidance, “after a thorough investigation of microarchitecture and microcode capabilities for these products, Intel has decided not to release updated microcode for these products for one or more reasons.”
In its documentation, Intel gives three reasons for not fixing the problem in some of the affected products:
Microarchitecture capabilities that prevent the practical implementation of features that mitigate Variant 2 (CVE-2017-5715)
Limited support for commercially available system software
According to customer data, most of these products are implemented as “closed systems” and therefore are expected to be less likely to be exposed to these vulnerabilities.
The Spectre variant 2 vulnerability (CVE-2017-5715) affects systems whose microprocessors use speculative execution and indirect branch prediction, allowing a malicious program to read sensitive information, such as passwords, encryption keys, or other confidential data, including data belonging to the kernel, using a side-channel analysis attack.
However, these processors can install pre-mitigation production microcode updates to mitigate the variant 1 (Spectre) and variant 3 (Meltdown) flaws.
In addition to Intel, AMD Ryzen and EPYC processors were also found vulnerable to 13 critical vulnerabilities that could allow attackers to gain unauthorized access to confidential data, install persistent malware inside the chip, and gain full access to compromised systems.
AMD recognized the reported vulnerabilities and promised to implement firmware patches for millions of affected devices in the coming weeks.
However, CTS Labs, the security company that discovered and reported the vulnerabilities, said AMD could take several months to release patches for most of the security issues, where some of them can be resolved.