Delaware, USA – April 4, 2018 – Three months have passed since the public became aware of Meltdown and Spectre vulnerabilities, and so far they have not been completely patched. On Monday, Intel updated Microcode Revision Guidance and indicated the processor families for which there will be no microcode updates to protect against the Specter v2 flaw (CVE-2017-5715). The document says that the decision was made because it is hard to mitigate Specter v2 flaw in these processor families due to their micro-architectural characteristics. Intell also stopped the release of updates for processors that are mainly used in “closed systems.” Most of these processors went on sale between 2007 and 2011, so only a small part of them are still in operation. For all other processors updates, Intell completed all validation and recommended to use them in a production environment
It also became known that Microsoft’s emergency security update KB4100480, released a few days ago to fix critical vulnerability CVE-2018-1038, can be “not applicable” for the computers in Windows Server Update Services. Perhaps Microsoft will issue the update to fix this issue next Tuesday.
You can track assets vulnerable to Specter, Meltdown and CVE-2018-1038 with the updated use case for ArcSight – Specter & Meltdown Tracker 1.1. Vulnerable assets require additional investigation and, possibly, hardware upgrades.