Archive for Intel

Intel Punts Out List Of CPUs That Will NOT Get Fixes For Meltdown & Spectre

Posted in Commentary with tags on April 4, 2018 by itnerd

Intel released an update to its Meltdown and Spectre mitigation guide, a PDF document that Intel published in February. The file contains information on the status of microcode updates for each of Intel’s CPU models released in past years. This update brings the news that the following CPU models will not get updates to mitigate the Meltdown and Spectre CPU flaws:

  • Bloomfield
  • Bloomfield Xeon
  • Clarksfield
  • Gulftown
  • Harpertown Xeon C0
  • Harpertown Xeon E0
  • Jasper Forest
  • Penryn/QC
  • SoFIA 3GR
  • Wolfdale C0
  • Wolfdale M0
  • Wolfdale E0
  • Wolfdale R0
  • Wolfdale Xeon C0
  • Wolfdale Xeon E0
  • Yorkfield
  • Yorkfield Xeon

According to my friend Google, most of these CPUs are a decade or more old. Therefore, it’s understandable that they won’t be getting updates to fix these flaws. However, if you’re still using one of these CPUs, consider this to be your incentive to move on to something much newer.


Oh Noes! New Intel CPU Flaw Discovered! Is It A Big Deal?

Posted in Commentary with tags on March 28, 2018 by itnerd

Here we go again.

Researchers have found a new CPU flaw that is similar to the Spectre CPU flaw. This one is called BranchScope and was found by researchers from the College of William and Mary, Carnegie Mellon, the University of California Riverside and Binghamton University. A report on the flaw indicates that the attack uses some of the same predictive execution vulnerabilities as Spectre, exploiting the branch predictors of chips so that they inadvertently leak sensitive information.

The folks at Ars Technica got this comment from Intel on this new CPU flaw:

We have been working with these researchers and we have determined the method they describe is similar to previously known side channel exploits. We anticipate that existing software mitigations for previously known side channel exploits, such as the use of side channel resistant cryptography, will be similarly effective against the method described in this paper. We believe close partnership with the research community is one of the best ways to protect customers and their data, and we are appreciative of the work from these researchers.

In other words, nothing to see here, move along. We’ll find out if there’s really nothing to see here, because now that this is public, hackers will be looking at this to see if they can utilize it to pwn computers all over hell’s half acre.

Intel Didn’t Tell Feds About Spectre & Meltdown Flaws Until They Leaked

Posted in Commentary with tags on February 22, 2018 by itnerd

The PR disaster that is the Spectre and Meltdown fiasco that Intel finds itself in just got worse. Intel apparently failed to inform U.S. cyber security officials about the Meltdown and Spectre chip flaws before they leaked to the public, even though Intel had advance knowledge of the vulnerabilities, several tech companies said in letters sent out to lawmakers on Thursday. Here are the details from Reuters:

Intel did not tell the United States Computer Emergency Readiness Team, better known as US-CERT, about Meltdown and Spectre until Jan. 3, after reports on them in online technology site The Register had begun to circulate.

US-CERT, which issues warnings about cyber security problems to the public and private sector, did not respond to a request for comment.

Oh boy. That’s not going to end well for Intel. With everything that has gone on with the failed remedies, possible insider trading and the like, the optics of this suck. You could make an argument that if there was no active threat, there was no need to tell the feds about this. But good luck arguing that now. And you can bet that lawyers who are suing Intel are going to use this to their advantage.

Intel Facing 32 Lawsuits Over CPU Flaws

Posted in Commentary with tags on February 20, 2018 by itnerd

Life is not good for Intel at the moment, as the Spectre and Meltdown CPU flaws, which to be clear are #EpicFails on the part of Intel, have resulted in 32 class-action suits filed against Intel. This comes via their annual SEC filing. What’s interesting about these lawsuits is this:

Additionally, three further shareholder lawsuits were filed, claiming that Intel’s board and corporate officers committed breach of duty in connection to the disclosure of the security flaws and failed to act in relation to alleged insider trading. In November last year, Intel CEO Brian Krzanich sold all the Intel stock he was allowed to sell. This stock sale has provoked speculation about insider trading, though Intel maintains that Krzanich’s actions were unrelated to the security issues.

That’s got to get Intel’s attention. Hopefully for their sake, Intel has great lawyers on their side. Otherwise this could really impact Intel’s bottom line.

Intel Releases New Spectre & Meltdown Fixes… But Will They Work This Time?

Posted in Commentary with tags on February 8, 2018 by itnerd

Intel has released new microcode to address the stability and reboot issues that hit systems after they installed its initial mitigations for Variant 2 of the Meltdown and Spectre attacks. Allegedly these ones work without crashing PCs and servers. Intel has also said that more fixes are inbound “in the coming days”, which should be interesting to see given how this last round of patches went.

Microsoft Stops Issuing Spectre & Meltdown Patches… And Intel Told The Chinese About These Flaws Ahead Of The US

Posted in Commentary with tags on January 29, 2018 by itnerd

According to Bleeping Computer, it seems that Microsoft has joined Intel, HP and Dell in stopping people from installing the mitigations for Spectre and Meltdown, via an emergency patch that appeared over the weekend.

Microsoft has issued on Saturday an emergency out-of-band Windows update that disables patches for the Spectre Variant 2 bug (CVE-2017-5715). The update — KB4078130 — targets Windows 7 (SP1), Windows 8.1, all versions of Windows 10, and all supported Windows Server distributions. Microsoft shipped mitigations for the Meltdown and Spectre bugs on January 3. The company said it decided to disable mitigations for the Spectre Variant 2 bug after Intel publicly admitted that the microcode updates it developed for this bug caused “higher than expected reboots and other unpredictable system behavior” that led to “data loss or corruption.”

HP, Dell, and Red Hat took previous steps during the past week.

So, that is pretty bad. But here’s something that’s worse. It appears that Intel might have told the Chinese about these chip flaws before it told the US Government. Here’s why that’s bad:

Intel Corporation initially warned a handful of customers, including several Chinese technology firms, about security flaws within its processor chips, while at the same time not telling the U.S. government, The Wall Street Journal reported Sunday. 

Security experts told the newspaper that the decision could have allowed Chinese tech companies to flag the vulnerabilities to Beijing, giving the Chinese government opportunity to exploit them. 

Now that’s really bad. Clearly the response to these chip flaws has been sub-optimal to say the least. Thus I am fully expecting more bad news to appear on this front in the coming days.

Amazon, AMD, Apple, ARM, Google, Intel & Microsoft Are Asked To Answer Spectre And Meltdown Questions

Posted in Commentary with tags on January 25, 2018 by itnerd

It seems the Spectre and Meltdown gong show just got real. The leaders of Amazon, AMD, Apple, ARM, Google, Intel and Microsoft have been asked via letters to answer questions about the two CPU bugs by Republican members of the US House of Representatives.

Specifically, the politicians want to know about a secrecy agreement that was put in place by these same companies. In short, the agreement demanded silence from June 2017, which is when researchers recognized the seriousness of the processor design flaws, through the planned date of coordinated disclosure on Tuesday, January 9, 2018. Except that The Register found out about the flaws and dropped the details on an unsuspecting world a week before the deal expired, which caused these companies to scramble to get fixes out.

You have to suspect that this is the first step in the eventual public flogging known as a Congressional Hearing. Given that this is an election year, that won’t end well for any of these companies. But we’ll see if Congress decides to go there.