Intel admits a load of its CPUs have Spectre v2 flaw that can't be fixed

Intel has issued fresh "microcode revision guidance" that reveals it won’t address the Meltdown and Spectre design flaws in all of its vulnerable processors – in some cases because it's too tricky to remove the Spectre v2 class of vulnerabilities. The new guidance, issued April 2, adds a “stopped” status to Intel’s “production …

  1. Anonymous Coward

    So since Intel have now confirmed that are unwilling to fix...

    .....items faulty at time of sale then compensation/replacement with working item seems to be in order.

    1. whitepines

      Re: So since Intel have now confirmed that are unwilling to fix...

      Yep, exactly! And for those of us that kept those CPUs specifically because the ME could be disabled, Intel should need to either provide replacement ME-free CPUs or fund the full cost of replacing their broken CPU with something that is ME/PSP free and in a similar performance class.

      Or, you know, just release their microcode signing keys and source, then let us have at fixing it....

    2. Phil Kingston

      Re: So since Intel have now confirmed that are unwilling to fix...

      Depends on the definition of faulty I suppose.

      Car analogies are always a good bet on a downvote, but let's say a car maker were hauled over the coals for using glass in their windows. That glass can be smashed and used to gain access to the car and have a good rummage around the glove box.

      Would the manufacturer be liable in the same way? After all, the window served its purpose just fine until someone decided to unearth the hidden weakness in it, much like these CPU bugs.

      Still, common sense has no place in the US legal system.

      1. redpawn

        Re: So since Intel have now confirmed that are unwilling to fix...

        More like all the cars have a keyless entry system with an alternate entry code of 1111.

        1. jglathe

          Re: So since Intel have now confirmed that are unwilling to fix...

          It's probably 0000, actually.

          1. jelabarre59

            Re: So since Intel have now confirmed that are unwilling to fix...

            It's probably 0000, actually.

            "1 2 3 4 5"

            Because that's what Intel's CEO had as a combination on his luggage...

        2. Ken Hagan Gold badge

          Re: So since Intel have now confirmed that are unwilling to fix...

          OoO processing came in around the early 90s. It took a quarter of a century to find the access code. I don't think 1111 does that justice. More like 0118 999 881 999 119 7253.

          1. Roj Blake Silver badge

            Re: 0118 999 881 999 119 7253

            So the same as the new phone number for the emergency services then?

          2. Orv Silver badge

            Re: So since Intel have now confirmed that are unwilling to fix...

            It's a non-obvious vulnerability that comes about because of fundamental features of how the chips work.

            So I'd say it's like suing a car company over carjackings, because they made cars that had to stop at traffic lights.

      2. rmason

        Re: So since Intel have now confirmed that are unwilling to fix...

        You're right, car analogies don't work.

        (Most)Cars have windows, the user is aware of this fact at the point of sale.

        1. Alister

          Re: So since Intel have now confirmed that are unwilling to fix...

          You're right, car analogies don't work.

          Oh, I don't know, it's not far off:

          (Most)PCs have windows, the user is aware of this fact at the point of sale.

          :)

      3. Anonymous Coward

        False analogy

        The better car analogy would be what happened in the real world -- cars were sold with defective air-bags, years later manufacturers had to replace them.

      4. Aodhhan

        Re: So since Intel have now confirmed that are unwilling to fix...

        Another way to get a lot of down votes is to point out 2nd and 3rd order effects people don't want to hear.

        Sure, Intel can put a lot of resources into fixing 8+ year old chips, which are probably used by less than 3% of the market... but doing so will likely stop Intel from providing good raises or other benefits for its employees, and/or raise the cost of the next computer you purchase by a couple of hundred dollars.

        As security professionals, you should all understand and identify risk management based decisions; and be intelligent enough to understand it. This is done by all corporations all the time. Including the one you work for.

        1. Updraft102

          Re: So since Intel have now confirmed that are unwilling to fix...

          Sure, Intel can put a lot of resources into fixing 8+ year old chips, which are probably used by less than 3% of the market... but doing so will likely stop Intel from providing good raises or other benefits for its employees,

          And?

          and/or raise the cost of the next computer you purchase by a couple of hundred dollars.

          You think that releasing a microcode update for each of the "wontfix" CPUs on the list (the ones they promised had fixes incoming) is going to add that much to the cost of my next computer? How do you figure that?

          The last computer I bought (Dec 2017) cost less than a couple hundred dollars as it was, but even if it was a high-end desktop instead of a Chromebook-spec Windows laptop (well, used to be a Windows laptop), that figure is still pretty ridiculous. Microcode updates are a regular part of development for a given CPU; mine have received several over the course of their lives, as OS updates.

          You think issuing just one more microcode update for a CPU that has already had several over its lifetime is going to cost that much?

          Also, why would Intel's difficulties have anything to do with the cost of an AMD system? 'Cause, fsck Intel if they're not going to stand behind their products OR keep their word.

        2. rmullen0

          Re: So since Intel have now confirmed that are unwilling to fix...

          "Sure, Intel can put a lot of resources into fixing 8+ year old chips, which are probably used by less than 3% of the market... but doing so will likely stop Intel from providing good raises or other benefits for its employees"

          Yeah, right, this is just like how all the companies immediately gave their employees raises and created new jobs when the Trump tax cuts for the rich and corporations went through. It didn't happen. They did stock buy back instead.

      5. Eduard Coli

        Re: So since Intel have now confirmed that are unwilling to fix...

        I think a better car analogy would be if a car manufacturer released a car with a power window that would not go up thus allowing world+dog in.

      6. TrumpSlurp the Troll

        Re: So since Intel have now confirmed that are unwilling to fix...

        Struggling for a good car analogy because most things that fail can be fixed/replaced with new or recycled parts.

        However let us invent some metal fatigue problem which has a potential to cause a chassis failure in cars over 10 years old which could only be rectified by a new body shell.

        How likely is it that the manufacturer would (as some commentards seem to be suggesting) provide a brand new body shell (from a non-existent production line right back to the steel maker) or failing that a brand new car?

        Consumer law is unlikely to try and enforce this because the vehicle has lasted a reasonable time. Any compensation would probably be limited to the current trade in value (prior to the discovery of the fault).

        So what is the street value of a mid specification Core 2 Duo (or quad) system? That is, processor, memory and motherboard?

        If Intel really cared they might do a scrappage deal where if you handed in a motherboard, processor and memory then you would get say 50 UKP off a brand new configuration. Or hand in a complete laptop and get similar off a brand new one.

        Restarting a production line for old chips with a different silicon density and different leg count so you can replace chips like for like - that is, several generations where the pin numbers and locations have been deliberately changed to force you to buy a new motherboard with a different socket - is obviously not feasible. What happens to old silicon foundries anyway, when the next generation of fabrication hardware is installed?

        Free replacement isn't going to happen for reasons above (plus probably many others) and a scrappage scheme to get you to buy the latest i9 is in effect rewarding Intel for designing vulnerable processors.

    3. Anonymous Coward

      Re: So since Intel have now confirmed that are unwilling to fix...

      If you bought a retail boxed CPU on its own, perhaps. I would bet money 99.999% of people however opted for the substantially cheaper OEM tray part and have no course of action at all, they waived that at time of purchase of the system builder part.

      1. Ben1892

        Re: So since Intel have now confirmed that are unwilling to fix...

        Actually, I bought mine in a retail box, so I must be in the 0.001%, coincidentally I think there's an equal probability of me being able to get any kind of recompense from Intel or the vendor

      2. BinkyTheMagicPaperclip Silver badge

        Re: So since Intel have now confirmed that are unwilling to fix...

        Actually, most of the CPUs I've bought new from retailers have been the retail version - they're practically the same cost and come with a cooler that's guaranteed to work (if perhaps not to be the most effective option).

        My latest CPUs were second hand, though, as buying new Xeons is more than a little expensive for a non business user..

        1. jelabarre59

          Re: So since Intel have now confirmed that are unwilling to fix...

          My latest CPUs were second hand, though, as buying new Xeons is more than a little expensive for a non business user..

          Actually, ALL my CPUs these days are second-hand, because I haven't bought a NEW computer in years (most are scavenged systems, or handoffs when MSWin "advanced" to the point they were unusable for the standard home user. They run Linux just fine).

  2. Oh Homer

    "Now all Intel has to do is..."

    Make an effort, for a change.

    Although I suspect that Intel will ride out this storm easily, because ... money, and end up being just as inept and anticompetitive as ever.

  3. corestore

    So if they can't fix them...

    ...with microcode, will they offer to replace them as they did with the defective Pentium FDIV hardware?

  4. Tejekion

    Soooooo. Intel Fanbois! How you like iNTEL iNSIDE now?

    But then again. iBoyz and Girlz will still buy iNHeyal anyway.

  5. Chairman of the Bored

    Suggested title?

    Exploitus interruptus? Damn, couldn't pull it off in time.

  6. 9Rune5

    You b..... you just killed Bloomfield!

    "oldies that went on sale between 2007 and 2011, so it is likely few remain in normal use."

    Ah good, so my i7-920 is covered then? Oh, wait... Bugger.

    That should teach me buying a CPU from a reputable vendor such as Intel. 'cause AMD supposedly was much worse at this lark.

    1. Anonymous Coward

      Re: You b..... you just killed Bloomfield!

      Dammit, I still have i7-920's in use. Fortunately, not on the public interwebs though. And now I'd better make sure they never are.

      1. Justin Clift

        Re: You b..... you just killed Bloomfield!

        > Dammit, I still have i7-920's in use. Fortunately, not on the public interwebs though. And now I'd better make sure they never are.

        Fuck. Just checked, and my main gaming rig is on the list too. It's an Intel Core2 Extreme X9650. It does absolutely fine for the stuff I use, and there's no damn way it's "too slow", etc.

        Intel, you'd better think again. You screw this up, it's on you to fix it.

        1. Orv Silver badge

          Re: You b..... you just killed Bloomfield!

          The odds of Spectre causing a major security problem for a gaming rig are probably low. A far more likely scenario is an accidental backdoor in one of the games you play, or an intentional backdoor in a sketchy mod you install. If you want to be careful, do your banking on another system.

    2. Updraft102

      Re: You b..... you just killed Bloomfield!

      "oldies that went on sale between 2007 and 2011, so it is likely few remain in normal use."

      Yeah, I was thinking about that line too... you know how we keep hearing about the tragic decline in PC sales? The reason is that the end of Moore's Law (such that it has been called) means that older kit stays usable much longer, and people are using it much longer. I certainly am, and I know several others running gear old enough to be on Intel's "wontfix" list. I think you might be surprised at how much old computer equipment is still in use-- and why not? For most computing tasks, older gear is still very usable today. We've reached a point that a great many people only replace PC gear when it stops working, not because it's too slow... they're like toasters or other commoditized items. If it works, keep using it until it doesn't.

      It's purely anecdotal, but I pay attention to what gear people run when in discussion forums, whether it is pertinent to the thread at hand or just something listed in a signature file, and there is a LOT of old gear still being used today, including for web browsing (the most likely vector for most people to be affected by Spectre, via JavaScript).

      1. IceC0ld

        Re: You b..... you just killed Bloomfield!

        It's purely anecdotal, but I pay attention to what gear people run when in discussion forums, whether it is pertinent to the thread at hand or just something listed in a signature file

        Maybe El Reg could approach STEAM to see if they would allow access to their system spec sheet, as all of their players can load up their specs, and as a quick check, I can't think of anyone else of equivalent size who may have similar data sets

    3. jelabarre59

      Re: You b..... you just killed Bloomfield!

      "oldies that went on sale between 2007 and 2011, so it is likely few remain in normal use."

      Oldies??? Hah, I'd be lucky to have anything that new. OK, my Dell OptiSux 390 is from 2012, so maybe I have *one* that will get updates.

  7. big_D Silver badge

    Not in use...

    2007 to 2011? I know of a lot of kit from that era still in use.

    Heck, I have a Core2Quad Q6600 desktop and two Core laptops with i5 and i7 first generation chips in them that are still in use.

    1. Primus Secundus Tertius

      Re: Not in use...

      I have a Lenovo T60 Thinkpad. Runs everything from Windows 2000 to 10, and various Linuxes. (Not all at once!)

    2. BinkyTheMagicPaperclip Silver badge

      Re: Not in use...

      Yep, my main system whilst the latest is down is a Yorkfield Xeon (Core 2 Quad). Still totally viable for many purposes.

    3. Rusty 1

      Re: Not in use...

      And almost all, if not all, of that kit will not be in use in such an environment where any of this matters.

      1. Updraft102

        Re: Not in use...

        And almost all, if not all, of that kit will not be in use in such an environment where any of this matters.

        None of it matters for any PC anywhere as long as the threat remains theoretical, but it remains to be seen if it will. My C2D Penryn laptop is assuredly in an environment where this could matter, browsing the web and what not...

  8. Anonymous Coward

    As above

    Plenty of 2007-2011 CPUs still in use, my daughter's system runs a Harpertown Xeon, and it doesn't lack anything against a current system for anything except modern, high end games and 4K video.

    Equally, my parents still run a Core2 Duo E4xxx, although TBF, that is slower than a 3 legged tortoise.

    In fact, only one PC in the family runs a cpu built after that date - and that is an AMD cpu anyway.

  9. Anonymous Coward

    Might be another reason ..

    .. why Apple is talking about making their own CPUs based on AMD architecture ..

    It's not been a fun week for Intel, has it? And it's only Wednesday :)

    1. Simon Taylor 1

      Re: Might be another reason ..

      After the SSL MITM and root no password buffoonery, it will be interesting to see what screw ups Apple manage to build in to their silicon.

      1. Anonymous Coward

        Re: Might be another reason ..

        Rather offtopic, but I'll bite: yet, they still don't screw up on the scale of some other, software only setups who really ought to know better by now..

    2. Claptrap314 Silver badge

      Re: Might be another reason ..

      Sooo.... If this is a real thing, you might want to run. AMD brought in a VP from Apple to drive the infrastructure needed for the K7 (Athlon). He had 0 appreciation for component validation. After 18 months, the director of validation (who had built the validation team at AMD) quit. So yeah, I don't think I would be in a hurry to buy Apple-designed cpus. (Bitter? Me?)

      1. Anonymous Coward

        Re: Might be another reason ..

        OK, so tell us why you really quit? :)

  10. Fading

    I think there are still...

    quite a few of those processors in use. I still have a Yorkfield core 2 quad (Q8200) in my HTPC so certainly not a "Closed System". With 4 GB ram, AMD HD7750 GPU and a Mint install it is still serviceable. Am I supposed to retire a perfectly adequate machine just because intel can't be bothered to fix a security flaw in their chips?

  11. mark l 2 Silver badge

    I have a Dell OptiPlex 760 desktop from around 2007 which after ditching the Vista install and bumping up the RAM to 4GB can happily run Linux Mint Mate and is used daily when working from home for office and internet tasks.

    I have never been an Intel fan, perhaps because I grew up with Commodore computers (C64 then Amiga) and my first home built PC had an AMD K6. But this makes me even more determined not to give Intel any more money either direct or indirect by buying a system with an Intel CPU from a PC manufacturer.

  12. Zippy's Sausage Factory

    This is typical Intel - "support? No, we don't care about anything that might cost us money. Besides, that part should have been replaced by now."

    Also, anyone else noticed there's a lot of Xeons here? I'm wondering how many are in use in corporate servers. Or even government - replacement cycles in government tend to be longer than the private sector because if they're not the press start screaming about "taxpayer's money"...

    1. John Brown (no body) Silver badge

      "Also, anyone else noticed there's a lot of Xeons here? I'm wondering how many are in use in corporate servers. "

      Went out shopping with my wife today. In Matalan I saw a 14" Dell CRT screen behind the checkout counter. No idea what it was plugged into though. It does make me wonder what state the rest of their IT kit is in.

  13. Shak

    But how do we patch?

    I'm no Intel expert, and all I really have is a model number of my CPU. So:

    1) How do I know which family/class my CPU is in? Is there a look up table somewhere?

    2) How do I apply any relevant microcode patch?

    1. BinkyTheMagicPaperclip Silver badge

      Re: But how do we patch?

      Search for your CPU here https://ark.intel.com/search?q=

      (it's not entirely accurate, despite being Intel, but is good enough).

      Look up the product family in this document

      https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf

      Patches are supplied as part of your operating system, so just apply the latest patches. For Unix based systems, upgrade to the latest patched release.
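For Linux, one way to answer both questions from the machine itself (an added example, not part of the original comment and not an Intel tool): it derives the CPUID signature and the `intel-ucode` file name from `/proc/cpuinfo`, reports the loaded microcode revision, and reads the kernel's per-vulnerability status files. The sample `cpuinfo` text and its microcode revision are constructed, and the function names are this example's own.

```python
from pathlib import Path

# Constructed sample: first logical CPU of /proc/cpuinfo on a Bloomfield-class
# desktop. The microcode revision shown is a made-up placeholder value.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 26
model name\t: Intel(R) Core(TM) i7 CPU         920  @ 2.67GHz
stepping\t: 5
microcode\t: 0x11
"""

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")  # Linux 4.15+
VULN_FILES = ("meltdown", "spectre_v1", "spectre_v2")


def parse_cpuinfo(text):
    """Return identity fields for the first logical CPU in cpuinfo text."""
    first_block = text.strip().split("\n\n")[0]
    raw = {}
    for line in first_block.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            raw[key.strip()] = value.strip()
    return {
        "name": " ".join(raw.get("model name", "").split()),
        "family": int(raw["cpu family"]),
        "model": int(raw["model"]),
        "stepping": int(raw["stepping"]),
        # Absent on some kernels and inside some virtual machines.
        "microcode": int(raw["microcode"], 0) if "microcode" in raw else None,
    }


def cpuid_signature(family, model, stepping):
    """Rebuild the CPUID leaf 1 signature from the displayed family/model."""
    if family >= 15:
        base_family, ext_family = 15, family - 15
    else:
        base_family, ext_family = family, 0
    # The extended model field only counts for family 6 and family 15+.
    ext_model = model >> 4 if (family == 6 or family >= 15) else 0
    return ((ext_family << 20) | (ext_model << 16) | (base_family << 8)
            | ((model & 0xF) << 4) | (stepping & 0xF))


def ucode_filename(family, model, stepping):
    """Name of the matching file under /lib/firmware/intel-ucode/."""
    return f"{family:02x}-{model:02x}-{stepping:02x}"


def classify(status_line):
    """Map a kernel status string to a coarse state."""
    if status_line.startswith("Not affected"):
        return "not_affected"
    if status_line.startswith("Mitigation:"):
        return "mitigated"
    if status_line.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def mitigation_report(vuln_dir=VULN_DIR):
    """Return {name: (state, raw_line)} for each status file."""
    report = {}
    for name in VULN_FILES:
        path = Path(vuln_dir) / name
        if not path.is_file():
            # Older kernels do not expose these files at all.
            report[name] = ("unreported", "")
            continue
        line = path.read_text().strip()
        report[name] = (classify(line), line)
    return report


if __name__ == "__main__":
    proc = Path("/proc/cpuinfo")
    info = parse_cpuinfo(proc.read_text() if proc.is_file() else SAMPLE_CPUINFO)
    sig = cpuid_signature(info["family"], info["model"], info["stepping"])
    print(info["name"])
    print(f"CPUID signature : {sig:X}")
    print("ucode file      :",
          ucode_filename(info["family"], info["model"], info["stepping"]))
    if info["microcode"] is not None:
        print(f"loaded microcode: {info['microcode']:#x}")
    for name, (state, line) in mitigation_report().items():
        print(f"{name:<10} {state:<12} {line}")
```

A `spectre_v2` state of `vulnerable` after a fully updated boot means neither the kernel nor the loaded microcode is providing a mitigation on that CPU.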

    2. Steve Jackson

      Re: But how do we patch?

      1. Use the Gibson Research Inspectre utility.

      2. Pray that MS expand KB4090007

  14. a_yank_lurker

    Risk?

    From what I have read Meltdown and Spectre are not being exploited in the wild and some of the 'fixes' (looking at you Slurp) are worse than doing nothing at all. So the real question for older chips, what is the real risk of an exploit? Partly how difficult are they to exploit with a normal user configuration and how would the exploit be installed. I have seen opinions that say if hit it is real bad but it is very difficult to actually exploit.

    So should the average user (or their informal IT department) maintain a watch and wait posture towards patching?

    An accurate risk assessment will also impact any lawsuit as it currently stands as there have been no known attacks using the flaws.

    1. BinkyTheMagicPaperclip Silver badge

      Re: Risk?

      Spectre is much lower risk than Meltdown, and difficult to exploit. That's not to say at some point someone won't find a method of making Spectre more exploitable, and then it becomes a larger issue.

      Meltdown should definitely be patched as soon as possible, and is safer because it doesn't involve microcode updates, it's an OS patch.

      1. Updraft102

        Re: Risk?

        Meltdown should definitely be patched as soon as possible, and is safer because it doesn't involve microcode updates, it's an OS patch.

        Microcode updates can be delivered that way too. I'm not recommending any of the firmware patches for Spectre that have been released... just do it at the OS level. In Windows, I believe this requires downloading the microcode update directly from the Windows catalog, as it is not being delivered by Windows Update, for some reason. For Linux, of course that depends on the distro... I use Mint, so all I need to do is... nothing. It appears in the updates when it's ready.

        ...that is, of course, if the PC in question was not one of the ones that just got shit on by Intel, after they promised for months that a fix was incoming. My Braswell laptop already has a fix available (in the form of firmware, so no thanks), but my Core 2 Duo laptop is now "wontfix". Even though the C2D unit is far faster and more capable than the Braswell across the board, I guess it's obsolete, but the Braswell isn't.

        Strangely, no one from Intel ever contacted me to ask whether my C2D laptop was "closed" to the internet; I guess I'm not one of the "customers" Intel talked about. I wonder who was.

  15. Anonymous Coward

    Unless one has an Intel motherboard

    None of these articles, El Reg or otherwise, ever mention that Intel motherboards are not going to receive BIOS updates because Intel burned its bridges with respect to support when it left the business, so users of Intel processors on Intel motherboards will not be receiving all of the Meltdown / Spectre updates.

    1. BinkyTheMagicPaperclip Silver badge

      Re: Unless one has an Intel motherboard

      ..as opposed to other manufacturers, where they similarly also Cannot Be Arsed. Most OS will probably load the revised firmware quite early in the boot process, though, reducing the attack surface considerably.

      BIOS wise you'd be wiser to worry more about addressing management engine issues.

  16. tekHedd

    Every corporation has his raisons

    Those reasons are given as:

    1) it would cost us money

    2) we don't have a large customer pressuring us to update this model

    3) we would prefer that you buy a new processor instead

    Translated.

    1. Anonymous Coward

      Re: Every corporation has his raisons

      To be fair, the reasons could also be:

      4) We found out these fixes lead to a whack-a-mole situation for the older kit

      5) We found out the fixes just plain don't work right (for some idiot reason)

      6) Whilst testing the fixes, we discovered those old chips have a much more horrendous problem we'd rather not get into at this time. ;-|

  17. Bill2357

    The Reg has no clue?

    "Most the CPUs listed above are oldies that went on sale between 2007 and 2011, so it is likely few remain in normal use." is garbage and Reg authors/editors should get out in the real world.

    Look at MS OS share from any source.

    Look at Missing CPU types in April "Guidance" and you find PDF doesn't even cover all CPU models w/ Meltdown and Spectre problems.

    Most systems running XP, Vista and Win7/8/8.1 have "old" Intel CPU and won't get a New BIOS. Most Running XP and some w/ Win7 are people down/up graded Vista systems and see little reason to replace them. Most won't buy New Intel products just to fix Meltdown and Spectre either. Note that Intel CPU bugs go back to at least Pentium FDIV bug that also never got fixed. Intel offered replacements but few knew of this and fewer bothered to get them.

    Dell et al had no intention to offer BIOS updates for most or all systems over 2-5 years old and now have an easy way out because Intel won't bother making new MCU for most of them.

    OS patches? Funny. Not. Many Win7 alone have not patched since 12-17 because MS patch failed and fix patches for that also failed. Most Linux users haven't patched for this either.

  18. Anonymous Coward

    Mil Security

    How many of these have found their way into military systems via the popular "commercial-off-the-shelf" method of reducing costs, how many of them are still in mission-critical applications, how many in administrative apps, and what vulnerabilities might those involve, if any?

    1. Claptrap314 Silver badge

      Re: Mil Security

      As I keep pointing out, there is a notice on the inside cover of the instruction manual, "This product is not approved for use with information classified CONFIDENTIAL or higher." (CONFIDENTIAL is the lowest formal classification level.)

      So, if anyone did use it, they would be facing a Courts Martial.

  19. Nate Amsden

    seems reasonable to me

    Intel is really only on the hook for stuff that is supported, the warranties are usually just a few years (I see in the case of embedded they may support up to 7 years on extended support).

    So chips outside of this window should not expect fixes. While it'd be nice if they got fixed it's not reasonable to expect to get support past the support window unless you have a special agreement with Intel for extended support.

    I just stopped a support case for a firewall product yesterday for example. I had had the issue reproduce about once every 2 weeks for almost a year now (unable to reproduce on demand). Workaround is to reboot the unit (happens on both units in HA pair). Product ran fine for a good 4+ years without this condition until a particular software version was installed early last year (took 4-8 weeks for problem to be discovered at which point rollback was not practical, older software was end of life anyway). Vendor unable to find the cause let alone find a resolution. Support for the product officially ends in about two weeks. Fortunately the decision was made to shut down the site that the affected product is operating in within the next month so I won't have to deal with it anymore.

    But the point is I know when support for the product was ending, and while I certainly am frustrated they could not make any meaningful progress on the issue for just over a year at this point, I'm not expecting them to support past the support window.

    You'd have every right to be upset if you reported the Meltdown issue to Intel within the warranty/support period of their product and they did not produce a fix. But that is not the case with all of the chips they are not going to fix (I haven't tried to check to see if any of their extended support embedded chips with 7 years won't be fixed if they were released in 2011).

    If you REALLY feel you are that much of a target or have that lax of habits with regards to pretty safe computing then you should upgrade the hardware.

    1. Alex Atkin UK

      Re: seems reasonable to me

      The thing is Warranty != Law. As this is a proven issue with the chips since day one, not a result of age, if taken to court Intel could still be in hot water.

      How long Intel say they warrant the product is largely irrelevant when we can prove that people actually expect to be able to use these CPUs for much longer. People don't buy a product expecting it to die the day the warranty ends, they buy it expecting it to last the average life span of products already out there.

  20. Anonymous Coward

    Fifty (or Sixty) Years of Processor Development…for This?

    "Dr. David Patterson quick-marched an audience of about 200 pizza-sated engineers through a half-century of computer design on March 15. He spoke from the podium in a large conference room in building E at Texas Instruments’ Santa Clara campus during an IEEE talk titled “50 Years of Computer Architecture: From Mainframe CPUs to DNN TPUs and Open RISC-V.” It’s a history of accidental successes and potholes, sinkholes, and black holes that swallow entire architectures."

  21. Stevie

    Bah!

    Never should have moved off big axles full of cogs and planetary gears.

  22. Anonymous Coward

    Well, my main day to day box is a WONTFIX too. Dual 3Ghz e5450's in a HP xw6600 chassis with 64Gb of ram and a pair of nvidia gfx cards, all running linux and cuda etc for hashing work and virtual machine instances and compiling binaries.

    I have never really thought "oh this box is too old, I'll give it a tech refresh" apart from slapping a ssd in at one point because it just works & when we compared it against newer stuff it manages just fine. Only now it has to just work in an airgapped private network, or throw away my investment in the entire machine itself (won't take a motherboard from a later chipset), the ram (matched to the cpu's) and while we're at it we might as well upgrade to apu's. So that's half a grand for a newer box down the toilet then. Thanks intel for crapping on what was a couple of generations ago your top of the line kit to save a tiny percent in costs for the people to work on all your cockups, not just the ones that you're currently milking.

    Next server room buildout I'm involved with, I'll be bringing up intel's handling of this for sure. And I won't be buying intel's again for my personal machines by choice.

    1. Anonymous Coward

      So how many holes and hack points do you create per hour on that lovable hunk-o-junk o'yours ?

      1. rmullen0

        "So how many holes and hack points do you create per hour on that lovable hunk-o-junk o'yours ?"

        What makes you think this person doesn't have their software up to date? I have a HP xw4600 which works great. All my software is completely up to date. And Windows 10 runs better now than the versions of Windows that were released at the time I bought the computer.

        Not everyone is into throwing their money away on unnecessary upgrades and filling landfills with e-waste.

        1. Outer mongolian custard monster from outer space (honest)

          I'm hoping they were asking how many vulnerabilities do I develop per day. Sorry, I don't have a metric for that you can put in a spreadsheet to decide how to crank the hamster wheel HR want to put all our staff* on.

          Latest shiny is for all those cool kids who game on their pc's isn't it? for computational loads it copes rather well.

          If you meant how out of date is it? I'm assuming from the idiocy you are a PHB, but the packages were updated last night by cron if that helps.

    2. BinkyTheMagicPaperclip Silver badge

      It's not a 'couple of generations ago' though, is it? That's a Harpertown CPU from 2007, discontinued 2010 and is Core2 (Penryn) architecture based.

      If I'm really generous and only count the overall architectures that's seven generations ago.

      If EP/EX etc variants are included add on at least another five chip variants (which I'd be inclined to do as EP chips do tend to include reasonable additional features rather than being a basic re-spin of a desktop chip).

      You don't have to airgap it, you need to decide if Spectre variants are a large enough risk to isolate the system. Meltdown is patched by the OS, so as long as it isn't exploited prior to the OS being loaded..

      1. BinkyTheMagicPaperclip Silver badge

        Also, I know a Penryn era CPU does support virtualisation, and your xw6600 hopefully has working vt-d (the xw4600 certainly doesn't, it's in the BIOS but broken), but you're missing SLAT (EPT/RVI) as it's pre Nehalem. That really does limit both the products that can be used and the possible performance as SLAT is a pre-requisite for many virtualisation systems.

        (I should know, my backup system is using the really oddball X38 derived S3210 chipset, which is Core 2, supports VT-d, and ECC DDR2. I also have a system built around an xw4600 motherboard, which would be great if the BIOS wasn't incompletely implemented)

        1. Outer mongolian custard monster from outer space (honest)

          I use the 6600 as a VM host using vmware/virtual box and use a completely different machine for browsing with a KVM for when doing research, as er, it can end up in some less salubrious places quite often so that's even more critical to stay on top of & I'll have to uplift that because it's running an ivybridge 2127U but that's not a big loss, any cheap box will do for that, it's just a glorified web browser + VPN client host. I'm still a bit annoyed that the 6600 needs isolating and its instances not allowed to route out as a fix though, as to upgrade to something more modern but capable takes what I consider a not insignificant* sum of money.

          But, yeah, hands up, I'm being super grouchy, I have to make some investment in new kit because of someone else's mess. I know the nuances and I'm just going to have to suck it up and pass this cost onto my clients. But when it comes to SMEs, you try telling 9/10ths of the world they need to landfill their devices because there's an unpatched flaw in the CPU they use on the machine and they absolutely must be able to use facebook and twitter while at their desk. And are all the affected machines going to go to landfill or end up in corporate disposal for the next decade?

          I personally think Intel should have eaten the extra dev + test costs as a goodwill gesture and supported the mess they made, rather than apparently trying to turn it into a profit op to drive new CPU purchases to replace the ones they already sold you. Even if they prioritized the newer arches first it would have kept more options open longer term. At the end of the day, they made this mess with their product, washing their hands isn't going to take all of the compromised product out of the second user ecosystem for years.

          *i.e. it's mine and I've got short arms and deep pockets

          1. BinkyTheMagicPaperclip Silver badge

            Ivy Bridge has already had a firmware update released for it? 2127U is CPUID 306A9 which is in 'production' state - i.e. allegedly firmware is already out.

            This is still a little overblown, well, at least until a worse exploit is found.

            Meltdown is a solved problem, aside from the extra money needed to cope with the drop in speed of specific cloud compute instances..

            Spectre is a risk assessment, not dissimilar to deprecation of SSL. Certain SSL ciphers are horrendously insecure and need retiring, others might be an issue at some stage. Spectre isn't a problem *yet* for most people. However the day may come when someone finds a reliable exploit that can be easily used by the script kiddies, and at that point it may suddenly be necessary to retire hardware.

            I have more sympathy for the general public than small SMEs. Even the small SMEs if they have any business sense write down their computers in three years or less, then sweat the assets. Given that we're talking about unsupported products being more than around six years old they are well and truly worthless from an accounting point of view at this point. If the SME hasn't budgeted for a replacement of their kit, they aren't doing their job.

  23. Anonymous Coward
    Anonymous Coward

    Around the world

    Well in the last month my Windows 8.1 crashed due to hard drive problems, denied from being able to boot, none of the emergency provisions would work, no PBR, WinRE or boot disk could save me. I turned to Linux, well after what seemed like an NTP zero day hack from a *joker.ntp on April the first, or something like that (thanks Folks, haha - you'll get yours), my hard primary drive with Ubuntu Studio on it went belly up and Mint Mate 18.3 started to disobey orders and act up. So I then reinstalled Windows 8.1 from a downloaded 4.3GB start disk.

    What does this have to do with Meltdown or Spectre - well it F*cked any updates, fixes or anything else I already had received and all I know now is that Ctrl+P at boot time will not allow me to access the Intel Processor.

    Left me feeling like disconnecting anything of value from the internet entirely and using a cheap tablet from Aldi to browse the subscriptions and get the news.

  24. Anonymous Coward
    Anonymous Coward

    This is what class action lawsuits are for

    Holding purveyors of defective products accountable is precisely what class action lawsuits are for. In this case where Intel knowingly compromised the security of all of their products by disregarding command security protocol, there should be a very high price to encourage better judgment in the future. Intel should be fined no less than 100 billion dollars and made to provide defect-free replacement components and cash to all who were bilked into buying these defective goods at premium prices.

  25. Nano nano

    Let us choose

    Not everyone needs CPU-level fixes anyway.

    I'd be happy with an OS update allowing selected process (-trees ?) to run in KPTI mode as required ... or conversely for some applications, NOT run ....

  26. Retron

    "Most the CPUs listed above are oldies that went on sale between 2007 and 2011, so it is likely few remain in normal use."

    Yeah, right. We've over 100 Wolfdales in daily use at the school where I work - and that's not unusual for schools in general. I guess they'll just carry on in their vulnerable state until they die...

  27. ewan 3

    My main computer is an i7 950, which is still pretty quick. It's not getting fixed apparently - so do I need to stop using it? Or is the risk small enough to take a chance (with firewall etc in place)?

  28. rmullen0

    A 2011 or older CPU may otherwise work just fine

    The author of the article made it seem like CPUs older than 2011 weren't in use that much. So, it isn't that big of a deal if they aren't patched. I have an Intel Core Duo 3+ GHz that may be that old. I have had it for years, and it has continued to work fine. Performance hasn't been an issue at all. In fact, I think Windows 10 runs better on it, than the older Microsoft garbage. I'm not looking forward to being forced into upgrading a system that has been totally solid and problem free. Some of us don't feel the need to throw out perfectly good hardware for upgrades we don't need or want every couple years. I hope that there continues to be at least a software patch for it.

  29. Alex Atkin UK

    "Most the CPUs listed above are oldies that went on sale between 2007 and 2011, so it is likely few remain in normal use."

    Shows how they have zero comprehension of how their market works. You hear TONS of people saying they are still using Core 2 CPUs, because unless you are a content creator or gamer it's "good enough". I know at least two people myself.

    I also have a Core 2 as a server at a friend's house, it's more than powerful enough for the job so not even close to EOL. There are a LOT of Atoms of various ages used for small form factor PCs and crucially mid-range routers.

    My router is one of the last Intel motherboards based on Atom so I'm out of luck on all sides it seems, the CPU isn't even on that guidance list despite being NEWER than some of the ones that are. :/

  30. elvisimprsntr

    I won't be upgrading any devices which have a CPU vulnerable to MD/Spectre for as long as possible until CPU redesigns have been proven in mass.

    In the meantime, I will use the $ saved to buy a new car or take an extended vacation.

  31. ds6 Silver badge

    I call it the Berkeley Silicon Defender!

    Seems the best recourse to mitigate the potential attack vector of any speculative unfixable exploit is to... Uninstall Windows, because undoubtedly the first in-the-wild exploits we find will surely be delivered through some cobbled together `Registry Cleaner 5000.exe' or Java-required webapp. Linux might even get some action through the usual SSH sniffers and other server security holes.

    So does using a BSD make me theoretically invulnerable...?
