Microcode updates for Intel processors affected by Spectre and Meltdown now reach all the way back to Sandy Bridge, highlighting how broad the impact of the vulnerabilities is.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- Intel has released another round of microcode updates for older processor generations affected by Spectre and Meltdown. The latest are for Ivy Bridge and Sandy Bridge, released in 2012 and 2011, respectively.
- Organizations with affected machines should patch immediately. Machines that cannot be patched, or that are still waiting for an unreleased update, should have their network access restricted or be taken off the internet.
Intel's Spectre and Meltdown patching effort continues to reach further back into the company's product history, now covering the Ivy Bridge and Sandy Bridge processor generations.
The latest Intel Microcode Revision Guidance lists both the Ivy Bridge and Sandy Bridge updates as in production, meaning that "Intel has completed all validation and is authorizing customers to use this MCU in a production environment."
Those still running Ivy Bridge or Sandy Bridge systems should install the microcode updates as soon as their OEM or operating system vendor ships them. Note that microcode is only part of the fix: Meltdown is mitigated in the operating system (kernel page-table isolation), and the new microcode adds speculation controls (IBRS, IBPB, STIBP) that the operating system or hypervisor must itself be updated to use. A machine left without either set of updates remains exposed to both attacks.
Ivy Bridge and Sandy Bridge were released in 2012 and 2011, respectively, and were superseded by Intel's Haswell generation in 2013. Despite their age, at least some of these processors are almost certainly still in service, especially considering that 52% of businesses are still running at least one instance of Windows XP.
Spectre and Meltdown are serious risks
Intel's patching effort is not finished: older designs such as Arrandale (the mobile part) and Clarkdale, and the Core 2-era Wolfdale and Yorkfield, are still listed as in development or awaiting release. That parts mostly over a decade old are considered worth patching at all says a lot about the severity of the Spectre and Meltdown risk.
Over 100 malware samples have been identified that build on Spectre and Meltdown, most of them derived from the published proof-of-concept code, so the risk to an unpatched machine is real and will grow as the techniques mature. Recent high-profile malware campaigns have relied on exploits for flaws that had already been patched, leaving victims to answer uncomfortable accountability questions about why they were hit by an incident that could easily have been avoided.
Both Spectre and Meltdown exploit the way modern CPUs speculatively execute instructions to leak sensitive data from affected machines (Meltdown is largely specific to Intel's design, while Spectre also affects AMD and Arm processors). Neither requires physical access or elevated privileges to start with; Spectre has even been demonstrated from JavaScript running in a web browser, so a malicious website could attempt it without the user noticing.
With nearly every modern processor affected by Spectre or Meltdown, an unpatched, internet-connected machine should be treated as exposed. IT teams should make sure the latest firmware and operating system updates are installed on all managed devices, and BYOD hardware that has not been patched should be blocked from company networks and sensitive information.
Anyone responsible for patching should monitor Intel's Microcode Revision Guidance for machines that are still waiting for an update, and apply updates as soon as they are released. Checking the microcode revision and the kernel's reported mitigation status on each host is the quickest way to confirm that an update actually took effect.
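To confirm what a given Linux host actually has, here is an added shell example (it is not code from the article or from Intel). It reads the microcode revision from /proc/cpuinfo and the kernel's per-issue status files under /sys/devices/system/cpu/vulnerabilities, which Linux 4.15 and later expose. The function names and the embedded sample cpuinfo text are constructed for this example; the sysfs path and the "Not affected" / "Mitigation:" / "Vulnerable" wording are the kernel's own.

```shell
#!/bin/sh
# Added example, not code from the article or from Intel: report the CPU
# microcode revision and the kernel's own Spectre/Meltdown mitigation status
# on a Linux host. Assumes Linux 4.15 or later, which exposes
# /sys/devices/system/cpu/vulnerabilities/* and a "microcode" field in
# /proc/cpuinfo. Function names and the sample data are constructed here.

# Extract the microcode revision from cpuinfo-style text (first CPU listed).
microcode_rev() {
    printf '%s\n' "$1" | awk -F': *' '/^microcode/ { print $2; exit }'
}

# Classify one sysfs vulnerability status string. The kernel writes
# "Not affected", "Mitigation: ...", "Vulnerable" or "Vulnerable: ..." (the
# last means only a partial mitigation and is treated as still vulnerable).
classify() {
    case "$1" in
        "Not affected"*) echo "OK" ;;
        "Mitigation:"*)  echo "MITIGATED" ;;
        "Vulnerable"*)   echo "VULNERABLE" ;;
        *)               echo "UNKNOWN" ;;
    esac
}

# Print one line per vulnerability file in DIR; return 1 if any is VULNERABLE.
audit_host() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        status=$(cat "$f")
        verdict=$(classify "$status")
        printf '%-22s %-11s %s\n' "$(basename "$f")" "$verdict" "$status"
        if [ "$verdict" = "VULNERABLE" ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample of /proc/cpuinfo (not a real capture) so the script can
# be exercised on a machine without Linux sysfs.
SAMPLE_CPUINFO='processor : 0
vendor_id : GenuineIntel
model name : Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz
microcode : 0x20
processor : 1
microcode : 0x20'

if [ -r /proc/cpuinfo ]; then
    echo "microcode revision: $(microcode_rev "$(cat /proc/cpuinfo)")"
    audit_host || echo "RESULT: at least one issue is still reported as Vulnerable"
else
    echo "microcode revision (sample data): $(microcode_rev "$SAMPLE_CPUINFO")"
fi
```

The sysfs files are world-readable, so no root is needed. A "Vulnerable" entry after the new microcode has been installed usually means either that the BIOS or OS microcode loader has not actually applied it (compare the printed revision with the one Intel's guidance lists for that CPU model) or that the operating system side (kernel page-table isolation, retpoline or IBRS support) has not been updated to use the new controls.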
- IT pro's guide to effective patch management (free PDF) (TechRepublic)
- Use HP, Lenovo or Dell? Get ready for new updates to guard against Spectre (ZDNet)
- Spectre and Meltdown: Cheat sheet (TechRepublic)
- Meltdown-Spectre flaws: We've found new attack variants, say researchers (ZDNet)
- 6 important security takeaways from applying Spectre and Meltdown patches (TechRepublic)