Intel will not fix Spectre v2 vulnerabilities in a number of older CPU models because it's impractical to do so

Intel has released a new “microcode revision guidance” admitting that it will not fix Spectre and Meltdown design flaws in all affected processors. The company realised that it is not possible to fix Spectre v2 security vulnerabilities in some cases because the process was too tricky. [caption id=“attachment_4359333” align=“alignleft” width=“380”] Intel logo is seen behind LED lights in an illustration. Reuters.[/caption] The company issued the revision guidance on 2 April by updating the ‘production status’ as ‘stopped’ in its list of available security updates for Meltdown and Spectre. This indicates that the company will not release any microcode patch to fix these security issues. Intel clarified that “after a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products for one or more reasons.” The primary reason for not developing the patch was that there was not “practical implementation of features mitigation” for Spectre v2. The second reason provided by the company was “limited commercially available system software support” meaning that some of the companies making drivers and Operating System level updates are no longer issuing updates for the systems with affected chips.

The last reason for not issuing update is customer inputs stating that most of the affected systems are working as “closed systems” with a “lower likelihood” of exposure from the vulnerabilities. Intel is taking into account the customer feedback because the malware that takes advantage of Spectre needs to be running on the system and if the system is not connected from the outside world, issuing tricky updates to the CPU, OS and apps will make little sense for system administrators. According to a detailed report by The Register, the CPUs that won’t be fixed include Gulftown, Harpertown Xeon CO and EO, Bloomfield, Clarksfield, Bloomfield Xeon, Harpertown Xeon CO and EO, Yorkfield Xeon, Yorkfield, Penryn/QC, Jasper Forest, Wolfdale, Wolfdale Xeon, SoFIA 3GR, Xeons, Core CPUs, Atoms, Celerons and Pentiums, making it almost all the products that Intel makes. The reason most users don’t need to worry about this development is that most of the CPUs in the list are old and sold between 2007 and 2011. [caption id=“attachment_3735009” align=“alignnone” width=“1024”] Intel logo. Image: Reuters[/caption] Intel has not confirmed the model numbers of the CPUs for which they have stopped developing patches. However, the good thing here is that Intel has developed patches for previously unpatched CPUs, including the Westmere, Lynnfield, Nehalem, Arrandale and Clarkdale families. Intel confirmed that it has completed the release of microcode updates for processors “launched in last 9+ years”.