Patches released to mitigate Meltdown & Spectre

Matt Blowes April 12, 2018 Security

Microsoft, Intel and AMD continue to deal with the fallout from the Meltdown and Spectre vulnerabilities revealed in early January.

The companies have progressively rolled out patches in their attempt to fix the issues, and we now know which machines will be patched and which will not.

The story so far:
  • Meltdown patches were released throughout January; Meltdown was relatively less complex to fix than the Spectre vulnerabilities.
  • Intel released Spectre patches for processors released in the years 2011 - 2018. The patches were progressively released during February & March.
    Specifically, that's patches for Spectre variant 2 for machines based on these microarchitectures: Skylake, Kaby Lake, Coffee Lake, Broadwell, Haswell, Ivy Bridge and Sandy Bridge.
  • AMD has similarly released patches to cover systems sold since 2011.

What you should do:

Continue to keep your computer(s) up-to-date with Windows update and related software patches. Microsoft's patches should be applied automatically within a reasonable time-frame. 

Patches from AMD and Intel can take longer to be implemented. In some cases, your PC manufacturer may not pass them on. However, Intel and AMD point out that Spectre is difficult for malicious actors to exploit as it is a local vulnerability (an attacker must be using the computer to take advantage of the vulnerability; they can't exploit it remotely).

Intel will not patch older systems

If you are running an Intel-based computer purchased up until mid-2011, it's likely the machine will not receive a patch for Spectre. Intel have officially decided that computers running the ageing processors will not receive patches.

Intel's reasoning is: "architecture that prevents a 'practical implementation' of a Spectre fix, limited commercially available system software support, or because they were most likely implemented as closed systems and therefore less exposed to Spectre-based attacks."

Despite this, Intel has released patches for most processors released in the past seven years.

Recovery has been slow and initial mistakes were made

In the rush to fix Meltdown and Spectre, many of the initial patches released by Intel were found to have serious performance issues themselves.

After some of the first patches in January, some Intel users found their PCs were randomly restarting and causing data loss, an issue that caused Microsoft to pull the patches and Intel to release an apology.

Microsoft also released a patch that prevented computers with some AMD-based processors from being able to load Windows.

The story isn't over

The mitigation patch releases for Meltdown and Spectre are now largely complete.

The relatively long time to fix these issues and the clear difficulty of releasing patches will not be quickly forgotten. This reflects the difficulty of fixing a hardware vulnerability compared with a software vulnerability.

Intel and AMD have now moved on to try and ensure that their future products are protected from the vulnerabilities. 

Intel has promised that its next generation of processors will have mitigation methods built in, but it may take years for the company to release a processor that is unequivocally safe from these two vulnerabilities. And it may take even longer for its reputation to recover and for consumer confidence to be restored.