{"uuid": "2b1a056d-a703-4bd2-9e06-6bb49c9bbd39", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2017-5715", "type": "exploited", "source": "https://t.me/information_security_channel/15835", "content": "Intel Will Not Patch Spectre in Some CPUs\nhttp://feedproxy.google.com/~r/Securityweek/~3/_caUX5KtHj0/intel-will-not-patch-spectre-some-cpus\n\nIntel has informed customers that some of the processors affected by the Meltdown and Spectre vulnerabilities will not receive microcode updates due to issues related to implementation and other factors.\nTwo weeks after announcing that microcode updates have been made available for all recent processors (https://www.securityweek.com/intel-shares-details-new-cpus-spectre-meltdown-protections) vulnerable to speculative execution side-channel attacks, Intel updated its microcode revision guidance  (https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf)to say that some chips will not receive patches.\nThe list includes Core, Xeon, Celeron, Pentium, and Atom processors with Bloomfield (Xeon), Clarksfield, Gulftown, Harpertown Xeon, Jasper Forest, Penryn/QC, SoFIA 3GR, Wolfdale (Xeon) and Yorkfield (Xeon) microarchitectures. These products have been assigned a \u201cstopped\u201d status, which indicates they will not receive updates due to one or more reasons.\nIntel says it has conducted a comprehensive investigation of the microarchitecture and microcode capabilities of these CPUs and determined that some of their characteristics prevent a practical implementation of mitigations for Spectre Variant 2 (CVE-2017-5715).\nOther possible reasons for not releasing fixes include limited commercially available system software support and low risk of attacks.\n\u201cBased on customer inputs, most of these products are implemented as \u2018closed systems\u2019 and therefore are expected to have a lower likelihood of exposure to these vulnerabilities,\u201d Intel explained.\nIntel revealed recently that its upcoming processors for data centers and PCs will include built-in protections (https://www.securityweek.com/intel-shares-details-new-cpus-spectre-meltdown-protections) against Meltdown (Variant 3) and Spectre (Variant 2) attacks. The chip giant expects to roll out these protections in the second half of 2018.\n\u201cWe have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 and 3,\u201d explained Intel CEO Brian Krzanich. \u201cThink of this partitioning as additional \u2018protective walls\u2019 between applications and user privilege levels to create an obstacle for bad actors.\u201d\nDozens of lawsuits (https://www.securityweek.com/over-30-lawsuits-filed-against-intel-cpu-flaws) have been filed against Intel by customers and shareholders over the disclosure and handling of Meltdown and Spectre.\nRelated: IBM Releases Spectre, Meltdown Patches for Power Systems (https://www.securityweek.com/ibm-releases-spectre-meltdown-patches-power-systems)\nRelated: New AMD Processors to Include Protections for Spectre-like Exploits (https://www.securityweek.com/new-amd-processors-include-protections-spectre-exploits)\nRelated: Microsoft, Intel Share Data on Performance Impact of CPU Flaw Patches (https://www.securityweek.com/microsoft-intel-share-data-performance-impact-cpu-flaw-patches)", "creation_timestamp": "2018-04-04T13:46:16.000000Z"}