Intel: We now won't ever patch Spectre variant 2 flaw in these chips

A handful of CPU families that Intel was due to patch will now forever remain vulnerable.
Written by Liam Tung, Contributing Writer

Intel is dropping plans to patch certain CPU families affected by the Meltdown and Spectre bugs, because it's impractical or they're not widely supported.

The chipmaker has spent the past few months releasing and re-releasing microcode updates to fix the Spectre variant 2 flaw. But while it's rolled out updates for all processors launched in the past five years, it has now revealed some older CPUs won't be patched at all.

Intel's latest Microcode Revision Guidance, dated April 2, applies a new 'stopped' status to several CPU product families for which it had been developing microcode updates. The product families include chips from Intel's Core, Celeron, Pentium, and Xeon-branded CPUs.

Most of the chips are older, with some starting production in 2008, and are probably less widely used today than the already patched Kaby Lake, Skylake, and Coffee Lake CPUs.

Intel says it stopped developing the Spectre variant 2 mitigations for at least one of three main reasons, including that it was impractical, the CPU was not widely supported, or that customers indicated the CPUs are running on closed systems.

"After a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products for one or more reasons including, but not limited to the following:

  • Micro-architectural characteristics that preclude a practical implementation of features mitigating variant 2 CVE-2017-5715.
  • Limited commercially available system software support.
  • Based on customer inputs, most of these products are implemented as 'closed systems' and therefore are expected to have a lower likelihood of exposure to these vulnerabilities."

CPU families that won't be updated include Bloomfield, Clarksfield, Gulftown, Harpertown Xeon C0, Harpertown Xeon E0, Jasper Forest, Penryn/QC, SoFIA 3GR, Wolfdale C0 and M0, Wolfdale E0 and R0, Wolfdale Xeon X0, Wolfdale Xeon E0, Yorkfield, and Yorkfield Xeon.

Intel announced in March that forthcoming 8th generation Intel Core processors will have built-in mitigations for Spectre variant 2 and Meltdown.

Intel told ZDNet that it has now finished releasing microcode updates for its products launched in the past nine-plus years that required protection against the side-channel vulnerabilities discovered by Google.

"However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback," an Intel spokesperson said.

Previous and related coverage

Windows 7 Meltdown patch opens worse vulnerability: Install March updates now
Microsoft's Meltdown fix opened a gaping hole in Windows 7 security, warns researcher.

Use HP, Lenovo or Dell? Get ready for new updates to guard against Spectre
Intel's fixed microcode updates to mitigate the Spectre attack have now reached Sandy Bridge and Ivy Bridge chips.

New Spectre attack variant can pry secrets from Intel's SGX protected enclaves
Sensitive data protected by Intel's Software Guard Extensions could be open to a new side-channel attack.

Intel's Spectre fix for Broadwell and Haswell chips has finally landed
Chips that sparked Intel's recall of microcode for Spectre Variant 2 attack now have stable fixes.

Intel's new Spectre fix: Skylake, Kaby Lake, Coffee Lake chips get stable microcode
Intel makes progress on reissuing stable microcode updates against the Spectre attack.

Linux Meltdown patch: 'Up to 800 percent CPU overhead', Netflix tests show
The performance impact of Meltdown patches makes it essential to move systems to Linux 4.14.

26% of organizations haven't yet received Windows Meltdown and Spectre patches (TechRepublic)
Roughly a week after the update was released, many machines still lack the fix for the critical CPU vulnerabilities.

Bad news: A Spectre-like flaw will probably happen again (CNET)
Our devices may never truly be secure, says the CEO of the company that designs the heart of most mobile chips.

Editorial standards