Intel decides it's not worth patching some CPUs against Spectre

  • Liam Tung (CSO Online)
  • 04 April, 2018 05:46

Intel has nearly finished releasing its microcode updates for CPUs affected by the Spectre side-channel analysis attacks, but it’s decided against patching certain older CPUs.     

The chip-maker has weighed up the pros and cons of developing developing Spectre Variant 2 microcode updates for these older chips that are vulnerable to attacks against performance-enhancing features. Despite this, Intel has concluded it’s not worth the effort, despite the fact they’re also vulnerable. 

Intel on January 22 hit pause on its microcode updates after reports they were causing unexpected reboots, and spent the next two months releasing new updates for the bulk of affected CPU families, including Kaby Lake, Coffee Lake, Ivy Bridge, Sandy Bridge. It’s also announced new Cascade Lake chips due out later this year that will have built-in mitigations for Meltdown and Spectre, as well as a temporary bug bounty for new flaws like it.   

However, Intel’s latest “microcode revision guidance” dated April 2 highlights several chip families that will not be getting microcode updates, including Bloomfield, Clarksfield, Gulftown, Harpertown Xeon, Jasper Forest, Penryn, SoFIA 3GR, Wolfdale, and Yorkfield. 

The earliest made family is Yorkfield from 2008 while the youngest desktop CPU is its Gulftown chips that started production in 2010. The absolute youngest line of CPUs that won’t be patched is Intel’s SoFIA 3GR -- also known as Intel Atom Processor x3-C3200RK and x3-C3230RK -- a 4G mobile CPU for tablets and smartphones that Intel ditched in 2016 to focus on 5G. 

“After a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products for one or more reasons,” Intel says. 

Intel says the reasons include but are not limited to the fact that the chips had “micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715)”. 

Its stated reasons also include that the products lack commercial system software support. Presumably referring to server CPUs, Intel also claims that most customers have said these CPUs are running “closed systems” and therefore aren’t as exposed to attacks as the chips it has developed microcode updates for.