Intel has listed a range of CPUs released between 2007 and 2011 that will not receive a firmware update to help guard against Spectre-related exploits.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- A range of Intel CPUs released between 2007 and 2011 won't receive a firmware update to mitigate against Spectre-related attacks.
- The Spectre-related firmware update is available for a wide range of Intel CPUs, including every CPU released within the past five years, from Sandy Bridge (2nd generation) onwards.
Intel has said it will not patch a range of older processors against a variant of the Spectre security vulnerability.
Intel has listed a variety of CPUs released between 2007 and 2011 that will not receive a firmware update to help guard against Spectre variant 2-related exploits.
Spectre and the related flaw Meltdown are vulnerabilities in modern chip design that could allow attackers to bypass system protections on nearly every recent PC, server and smartphone - allowing hackers to read sensitive information, such as passwords, from memory.
Those processors that will not receive the firmware update are: Bloomfield, Bloomfield Xeon, Clarksfield, Gulftown, Harpertown Xeon C0 and E0, Jasper Forest, Penryn/QC, SoFIA 3GR, Wolfdale, Wolfdale Xeon, Yorkfield, and Yorkfield Xeon series.
"After a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products," Intel says in its latest guidance.
Meltdown and Spectre are related vulnerabilities in how CPUs handle data cache timing, with the Spectre flaws known as variant 1 and variant 2, and Meltdown as variant 3.
Intel lists the reasons for not releasing firmware updates for these older processors as one of the following:
- The processors have micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715) .
- There being limited commercially available system software support.
- Most of these products are implemented as "closed systems" and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.
However, Intel did announce a production-ready release of the firmware update for a range of other older processors: covering: the Arrandale, Clarkdale, Lynnfield, Nehalem, and Westmere series. Intel has also already released microcode updates for every CPU released within the past five years, from Sandy Bridge (2nd generation) onwards.
Intel's firmware updates will in turn be rolled out to users by computer and motherboard manufacturers, with the microcode data file for Linux available here.
"We've now completed release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google," said an Intel spokesman.
Patches for Meltdown and Spectre have been shown to impact performance, although not significantly in many cases, with estimates that performance impact on Linux-based systems and many Windows systems will be largely negligible, with the severest hit on Windows 8 and Windows 7 PCs running on 2015-era Intel Haswell or older CPUs.
Intel CEO Brian Krzanich said its server-targeted Intel Xeon Scalable processors, code-named Cascade Lake, as well as its 8th generation Intel Core processors, will contain hardware-based protections when they ship in the second half of 2018.
The threat from the vulnerabilities is still evolving. Just last month, US researchers demonstrated BranchScope, a new CPU vulnerability related to the Spectre that they said was the first to enable a side-channel attack that extracts information through the CPU's branch predictor.
- Special report: The cloud v. data center decision (free PDF) (TechRepublic)
- First Intel, now AMD also faces multiple class-action suits over Spectre attacks (ZDNet)
- Spectre and Meltdown: Cheat sheet (TechRepublic)
- GPU databases are coming of age (ZDNet)
- AMD CPU vulnerabilities published by unknown security firm after 24 hours notice (TechRepublic)