Intel is instructing users of its remote keyboard app to delete it after a critical flaw was found, and the firm is also halting Spectre fixes on older chips.
Escalation-of-privilege vulnerabilities in all versions of the keyboard app allow a network attacker to inject keystrokes as a local user and to inject keystrokes into another remote keyboard session, and allow an authorized local attacker to execute arbitrary code as a privileged user, according to a recent notification post.
The vulnerabilities CVE-2018-3641, CVE-2018-3645 and CVE-2018-3638 were rated 9.0 Critical, 8.8 High, and 7.2 High respectively.
As a result, Intel issued a Product Discontinuation notice and recommended all users of the application uninstall the app as soon as possible.
The chip manufacturer also announced it is halting Spectre fixes on older chips, citing limited ecosystem support.
Intel decided not to release microcode updates for these products for one or more reasons, which may have included micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715).
Other possible explanations included limited commercially available system software support and, based on customer inputs, the fact that most of these products are implemented as “closed systems” and are therefore expected to have a lower likelihood of exposure to these vulnerabilities, the firm said in its microcode revision guidance.
“We've now completed release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google Project Zero,” said Intel in a statement to Threatpost. “However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback.”