Intel has issued a statement saying several processor families will not be patched to overcome Variant 2 of the Spectre bug that was detected mid last year and made public just before Christmas. While the processor company has patched many of their processors, the road has been quite bumpy with some of the fixes making systems unstable resulting in spontaneous reboots. But now, it seems some of the CPUs that were going to patched have been thrown into the too hard basket.
As we reported previously, Spectre is really two different bugs. CVE 2017-5715 and CVE 2017-5753 are described as “Systems with microprocessors utilizing speculative execution and direct (for 2017-5715 ) and indirect (for 2017-5753) branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis”.
It turns out that fixing CVE 2017-5715 is harder than expected with a number of technical issues meaning the following processor architectures won’t be patched for this flaw. Those are
- Penryn (2007)
- Yorkshire (2007)
- Wolfdale (2007)
- Clarksfield (2009)
- Nehalem-based Jasper Forest (2010)
- Intel Atom “SoFIA” (2015)
Given most of those are getting fairly long in the tooth, it’s unlikely many of these will be in wide use so, it seems to me, Intel is cutting its losses.
Intel’s offical reasoning for not patching these processors is:
After a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products for one or more reasons including, but not limited to the following:
- Micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715)
- Limited Commercially Available System Software support
- Based on customer inputs, most of these products are implemented as “closed systems” and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.
Given that the patches rely on the cooperation of software partners, it’s possible Microsoft and others simply don’t see fixing older systems as a priority.
For enterprises running older systems using those CPUs, now is a good time to either fully air gap those systems or look at other risk mitigation strategies.