No Spectre Patches for Award BIOS Devices

Following up from our recent article on the Meltdown and Spectre vulnerabilities, we’ve had confirmation from Gigabyte that Award BIOS motherboard products cannot apply the Intel CPU microcode that patches the Spectre flaws. According to them this affects all Award BIOS products from all manufacturers. In that case, even though the CPUs may be supported by Intel, the platform itself is not, so there’s no way to apply the CPU microcode and protect that system from Spectre. There’s a possibility that Microsoft may release a future patch that includes the microcode updates at boot time, but there are a couple of problems with this:

  1. An OS-level microcode load cannot protect against an attack that occurs before the OS bootloader starts and loads the microcode tables. The microcode will protect against attacks on the OS kernel’s memory access, but an attack that is able to run before the OS bootloader is called could still exploit this flaw to some extent. That’s why the firmware microcode patch is the best path to mitigation, but for tens to hundreds of millions of systems this simply isn’t going to be possible.
  2. So far, Microsoft have released security patches that only cover the most recent architecture generations, with no word from them about when, if ever, microcode for older generations will be integrated. At this point the idea that older systems may have an OS workaround to implement Intel’s microcode is little more than wishful thinking.

Intel have been releasing rolling Linux packages with the microcode updates since January, and these have been integrated into all the major distros. So there’s no technical reason why Microsoft couldn’t also include microcode for the whole gamut of affected CPUs, but they are notoriously hesitant about including anything in official Windows updates that might adversely affect people’s PCs. We’re hopeful they’re just doing extensive testing before they roll this out, but realistically that day may never come. Both Intel and Microsoft are recommending people apply the manufacturer’s firmware patches, but in many cases this will simply never be possible.
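
On a board that cannot take a firmware update but runs one of those Linux distros, you can check whether the OS-loaded microcode is actually present. The following is an added example, not code from Intel, Gigabyte or any distro: it assumes the Linux `/proc/cpuinfo` layout and the kernel's `spectre_v2` sysfs report, and the two sample inputs are constructed rather than captured from real hardware.

```python
from pathlib import Path

# Constructed /proc/cpuinfo excerpts (not captured from real hardware).
OLD_UCODE = ("processor\t: 0\nmodel name\t: Example CPU (constructed)\n"
             "microcode\t: 0x1c\nflags\t\t: fpu sse2 pti\n\nprocessor\t: 1\n")
NEW_UCODE = OLD_UCODE.replace("0x1c", "0x2a").replace("pti", "pti ibrs ibpb stibp")

def parse_cpuinfo(text):
    """Return microcode revision and feature flags of the first CPU entry."""
    fields = {}
    for line in text.split("\n\n", 1)[0].splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    rev = fields.get("microcode")
    return {"microcode": int(rev, 16) if rev else None,
            "flags": set(fields.get("flags", "").split())}

def assess(cpuinfo_text, spectre_v2_status):
    """Combine CPU flags with the kernel's spectre_v2 report (None if absent)."""
    cpu = parse_cpuinfo(cpuinfo_text)
    # Linux shows ibrs/ibpb only when the CPU enumerates the speculation
    # controls, which on affected older Intel parts arrive with new microcode.
    has_controls = {"ibrs", "ibpb"} <= cpu["flags"]
    status = (spectre_v2_status or "").strip()
    if not status:
        verdict = "unknown: kernel does not report spectre_v2"
    elif status.startswith("Not affected"):
        verdict = "not affected"
    elif status.startswith("Vulnerable"):
        verdict = "unmitigated"
    elif has_controls:
        verdict = "mitigated, microcode controls available"
    else:
        verdict = "mitigated in software only, no updated microcode"
    return {"microcode": cpu["microcode"], "has_controls": has_controls,
            "kernel_status": status, "verdict": verdict}

def assess_live():
    """Run the check against the machine this script is executed on."""
    report = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")
    return assess(Path("/proc/cpuinfo").read_text(),
                  report.read_text() if report.exists() else None)

if __name__ == "__main__":
    print(assess(OLD_UCODE, "Mitigation: Full generic retpoline\n"))
    print(assess(NEW_UCODE, "Mitigation: Full generic retpoline, IBPB\n"))
    if Path("/proc/cpuinfo").exists():
        print(assess_live())
```

A "software only" verdict means the kernel is relying on compiler-based mitigation such as retpoline without the updated microcode, which is the state an Award BIOS board is left in if the distro's microcode package is missing or does not cover its CPU.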

When we asked Gigabyte what the options were for people with Award BIOS systems, they responded with this:
“We suggest you to buy new chipset motherboard and enjoy the latest technology if you encounter any issue.”

So no surprises there…