Intel Halts Spectre Patching for Some Chips

The long-running Spectre patching cycle took another turn this week after Intel revealed it won’t be updating all chip models affected by the critical vulnerability after all.

The chip giant claimed it won’t be patching the second Spectre variant (CVE-2017-5715) for Core 2 processors and any first-generation products that haven’t already received microcode updates.

Affected lines include: Bloomfield, Clarksfield, Gulftown, Harpertown, Jasper Forest, Penryn, SoFIA 3GR, Wolfdale and Yorkfield.

Intel said it reached its decision “after a comprehensive investigation of the microarchitectures and microcode capabilities for these products.”

Its reasoning is three-fold: Intel believes that most of these products are implemented in closed systems and therefore have limited exposure to the flaw; there is limited commercially available system software support; and the processors’ architecture means they cannot be practically patched.

The Spectre and Meltdown flaws published at the start of the year have caused numerous problems for manufacturers trying to provide security updates.

Microsoft was forced to release an out-of-band patch at the end of January to fix a broken Intel Spectre patch for CVE-2017-5715. However, Redmond has since found itself in difficulties, with one researcher claiming last month that its Meltdown fixes left Windows 7 with an even worse flaw.

New research from ServiceNow released today highlighted the importance of prompt and effective patching.

Of the hundreds of UK security professionals polled, the majority (59%) of those who were breached in the past claimed this happened because of a vulnerability for which a patch was available. Over a third of breach victims (37%) claimed they don’t even scan for flaws.

In addition, the majority (53%) claimed that hackers are outpacing their ability to mitigate risk, by using emerging technologies like AI and machine learning.

Overall, global firms are planning a 50% increase in headcount for vulnerability response, but with significant resources already devoted to patching, ServiceNow said this isn’t the answer.

“Adding more talent alone won’t address the core issue plaguing today’s security teams,” said Sean Convery, vice-president and general manager, ServiceNow Security and Risk. “Automating routine processes and prioritizing vulnerabilities helps organizations avoid the ‘patching paradox,’ instead focusing their people on critical work to dramatically reduce the likelihood of a breach.”
