Video: Meltdown-Spectre attack variants discovered
Meltdown-Spectre
Intel has finally released new microcode updates to address the Spectre Variant 2 flaw in the older chips that triggered its across-the-board halt on early fixes for the vulnerability.
Following last week's release of reworked microcode updates for Skylake, Kaby Lake, and Coffee Lake chips, Intel has released corresponding updates for its older Broadwell and Haswell chips.
The updates address Variant 2 of the three Meltdown and Spectre CPU flaws that Google revealed on January 3 and are released to end-users as firmware or BIOS updates from hardware manufacturers.
Within days of Intel releasing its hardware fixes for the branch target injection flaw, Intel confirmed customer reports that it was causing higher reboots on Broadwell and Haswell processors.
By January 22 it urged hardware makers and customers to stop deploying its first microcode updates for all chip families affected by the flaws.
Intel developed stable beta fixes for Broadwell and Haswell chips first but released "production"-ready fixes for its 6th generation Skylake-based platforms ahead of others. As of last week's update, it had rereleased production fixes for its 6th, 7th, and 8th generation Intel Core chips and its latest Core X processors.
Chips with production fixes in Intel's microcode update guidance document have been validated by Intel and approved for use in a production environment.
New production-ready updates are available for all Broadwell and Haswell chip families except Broadwell Server EX and Haswell Server EX, which remain in beta.
The stable updates are available for Xeon and Intel Core i chips, including Broadwell H 43e-series Core i chips and Broadwell U- and Y-series Core i processors.
New updates for Intel's Sandy Bridge and Ivy Bridge families of processors remains in beta, which means the company has released microcode updates for customers to validate under a non-disclosure agreement. Similarly, while most Skylake chips are in production, Skylake Xeon E3 remains in beta.
Intel this week also explained why it didn't tell the Department of Homeland Security's US CERT/CC (Computer Emergency Readiness Team Coordination Center) before Google publicly disclosed Meltdown and Spectre, following a report from The Register.
In a response to questions from the US House of Representatives Committee on Energy and Commerce, Intel said it intended to brief the government before the planned public disclosure on January 9, but that was derailed by the flaws being leaked to the public.
"The US Computer Emergency Readiness Team was first informed of the exploits through public disclosure on January 3, 2018. Intel promptly discussed this disclosure with US-CERT on that day and again two days later, on January 5, 2018," it said.
Intel said its embargo, which limited knowledge of the flaws to Google, Apple, Microsoft, and Arm, was in line with industry standards for vulnerability disclosure and incident response.
Previous and related coverage
First Intel, now AMD also faces multiple class-action suits over Spectre attacks
Customers accuse the chip maker of charging premium prices for a faulty product.
Intel's new Spectre fix: Skylake, Kaby Lake, Coffee Lake chips get stable microcode
Intel makes progress on reissuing stable microcode updates against the Spectre attack.
Meltdown-Spectre: Now the class action suits against Intel are starting to mount up
Intel faces 32 class action lawsuits over its processor flaws and says more may be in the pipeline.
Meltdown-Spectre flaws: We've found new attack variants, say researchers
Intel and AMD may need to revisit their microcode fixes for Meltdown and Spectre.
Linux Meltdown patch: 'Up to 800 percent CPU overhead', Netflix tests show
The performance impact of Meltdown patches makes it essential to move systems to Linux 4.14.
Spectre reboot problems: Now Intel replaces its buggy fix for Skylake PCs
And offers patching tips from US CERT, which it failed to brief on the bugs.
Meltdown-Spectre: Malware is already being tested by attackers
Malware makers are experimenting with malware that exploits the Spectre and Meltdown CPU bugs.
Windows emergency patch: Microsoft's new update kills off Intel's Spectre fix
The out-of-band update disabled Intel's mitigation for the Spectre Variant 2 attack, which Microsoft says can cause data loss on top of unexpected reboots.
Meltdown-Spectre: Why were flaws kept secret from industry, demand lawmakers
Great work on patching your own products, but why were smaller tech companies kept in the dark?
Spectre flaw: Dell and HP pull Intel's buggy patch, new BIOS updates coming
Dell and HP have pulled Intel's firmware patches for the Spectre attack.
Windows 10 Meltdown-Spectre patch: New updates bring fix for unbootable AMD PCs
AMD PCs can now install Microsoft's Windows update with fixes for Meltdown and Spectre and the bug that caused boot problems.
Meltdown-Spectre: Intel says newer chips also hit by unwanted reboots after patch
Intel's firmware fix for Spectre is also causing higher reboots on Kaby Lake and Skylake CPUs.
26% of organizations haven't yet received Windows Meltdown and Spectre patchesTech Republic
Roughly a week after the update was released, many machines still lack the fix for the critical CPU vulnerabilities.
Bad news: A Spectre-like flaw will probably happen againCNET
Our devices may never truly be secure, says the CEO of the company that designs the heart of most mobile chips.