Intel: some processors will never receive Meltdown and Spectre patches
With little fanfare, Intel has revealed that some processors will simply never receive microcode updates that will patch against the Meltdown and Spectre vulnerabilities.
In a document entitled Microcode Revision Guidelines, the chip-maker says that a wide range of processor families -- equating to over 200 CPUs -- will not receive any more updates. While the majority of the affected chips were on sale between 2007 and 2011, it's safe to assume that a large proportion of them are still in use, meaning that a lot of systems will remain unprotected.
See also:
- Intel unveils hexacore mobile Core i9 chip and gets within spitting distance of 5GHz
- Meltdown patches from Microsoft made Windows 7 and Windows Server 2008 less secure
- Intel failed to warn US government about Meltdown and Spectre flaws before going public
- Microsoft gives sysadmins Meltdown and Spectre detection in Windows Analytics
Intel says that "after a comprehensive investigation of the microarchitectures and microcode capabilities" of a series of chips it has decided not to release microcode updates. The document shows that Bloomfield, Bloomfield Xeon, Clarksfield, Gulftown, Harpertown Xeon C0, Harpertown Xeon E0, Jasper Forest, Penryn/QC, SoFIA 3GR, Wolfdale C0, Wolfdale M0, Wolfdale E0, Wolfdale R0, Wolfdale Xeon C0, Wolfdale Xeon E0, Yorkfield and Yorkfield Xeon processors now have a Production Status of "Stopped" -- so no more patches or other updates will be made available.
The company says that the decision was taken for a number of reasons, including:
- Micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715)
- Limited Commercially Available System Software support
- Based on customer inputs, most of these products are implemented as "closed systems" and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.
In a statement, Intel says:
We've now completed release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google. However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback.
Take a look at Intel's Microcode Revision Guidelines document for more details.