As part of its revised ‘Microcode Revision Guidance’ published yesterday, Intel has announced that it won’t release any updates for a large number of its older CPU chips to mitigate the Spectre vulnerabilities. The company had earlier promised to roll out Spectre patches to many of its older CPU lineups dating back more than a decade, and has been releasing microcode updates for the flaws over the past few weeks.
According to the announcement, the chips that will no longer receive the patches include Penryn (2007), Yorkfield (2007), Wolfdale (2007), Bloomfield (2008), Clarksfield (2009) and Jasper Forest (2010). Two ‘SoFIA’ Atom processors from 2015 will also apparently miss out on the updates. Such CPUs could be in use in servers as well as legacy enterprise systems. The company said it decided not to release microcode updates for the aforementioned lineups for some or all of the following reasons:
- Micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715)
- Limited Commercially Available System Software support
- Based on customer inputs, most of these products are implemented as ‘closed systems’ and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.
Intel had earlier released updates to patch variant 2 (the branch injection vulnerability) in its Skylake, Kaby Lake, Coffee Lake, Broadwell and Haswell processors back in February, while fixes for Sandy Bridge and Ivy Bridge were released last month.
According to Tom’s Hardware, the ‘real reason’ for Intel moving away from its earlier promise of updating these chips may well be the second point on the above list – ‘Limited Commercial Software Support’. What that means, in essence, is that neither the motherboard manufacturers nor Microsoft is willing to release updates for their decade-old systems, which means Intel will have no way of delivering the patches to end consumers even if it were to develop them. The microcode updates, in case you didn’t realize, can only reach end consumers via BIOS updates or OS updates.
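An administrator running one of these CPUs mostly wants to know which Variant 2 mitigation the kernel actually ended up with. As an added example, not code from the article or from Intel, this Python script parses the Linux kernel’s spectre_v2 report and /proc/cpuinfo, separating software-only mitigations (retpoline, RSB filling) from those that exist only once a microcode update is installed (IBRS/IBPB/STIBP); the sample file contents are constructed, and the sysfs/procfs paths are the kernel’s standard ones.

```python
# Added example (not from the article): check Spectre Variant 2 (CVE-2017-5715)
# mitigation status on a Linux host from sysfs and /proc/cpuinfo. Sample
# contents below are constructed, not captured from a real machine.
from pathlib import Path

SYSFS_V2 = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"
CPUINFO = "/proc/cpuinfo"
MICROCODE_BACKED = ("ibrs", "ibpb", "stibp")  # present only after a microcode update
SOFTWARE_ONLY = ("retpoline", "rsb filling")   # compiler/kernel techniques, no microcode

def parse_cpuinfo(text):
    """Return (model name, microcode revision) from the first processor block."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            if fields:  # a blank line ends the first CPU's block
                break
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields.get("model name", "unknown"), fields.get("microcode", "unknown")

def classify_spectre_v2(status):
    """Split the kernel's spectre_v2 line into a state plus mitigation components."""
    s = status.strip().lower()
    if s.startswith("not affected"):
        return {"state": "not-affected", "microcode": [], "software": []}
    if s.startswith("vulnerable"):
        return {"state": "vulnerable", "microcode": [], "software": []}
    # Anything under "Mitigation:" is split by which components need microcode.
    return {"state": "mitigated" if s.startswith("mitigation") else "unknown",
            "microcode": [t for t in MICROCODE_BACKED if t in s],
            "software": [t for t in SOFTWARE_ONLY if t in s]}

def report(cpuinfo_text, sysfs_text):
    model, ucode = parse_cpuinfo(cpuinfo_text)
    return {"model": model, "microcode_rev": ucode, **classify_spectre_v2(sysfs_text)}

def report_host():
    """Run against the live host; None if the kernel exposes no spectre_v2 file."""
    try:
        return report(Path(CPUINFO).read_text(), Path(SYSFS_V2).read_text())
    except OSError:
        return None

# Constructed sample: retpoline-only mitigation, where a CPU with no new microcode lands.
SAMPLE_CPUINFO = "processor\t: 0\nmodel name\t: Constructed Legacy CPU\nmicrocode\t: 0x1\n\nprocessor\t: 1\n"
SAMPLE_SYSFS = "Mitigation: Full generic retpoline\n"

if __name__ == "__main__":
    print(report(SAMPLE_CPUINFO, SAMPLE_SYSFS))
    print(report_host())
```

A result with an empty `microcode` list on an affected CPU means the host is relying entirely on kernel and compiler mitigations, which is the situation the unpatched lineups above are left in.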