Intel won’t fix Spectre flaws in older chips

If your PC runs one of Intel’s older microprocessors, bad news: Intel has announced that some of its older consumer and business chips will not now receive updates to fix a variant of the Spectre mega-flaw.

After a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products.

The affected processor families are: Penryn, Yorkfield, Wolfdale (all 2007), Bloomfield (2008), Clarksfield (2009), Jasper Forest, and Gulftown (both 2010).

The more recent SoFIA 3GR X3 Atom chip used in smartphones from 2015 is also on the list.

For most people, these names won’t be terribly helpful in working out whether they’re affected, because they relate to a chip’s architecture, not the product name it was sold under.

Helpfully, Intel itemises the individual processors in each affected family (see rows marked red, column two), so it’s a question of reading through the list to see which ones are mentioned.

A theme that jumps out of the listing is the number of high-performance Core 2 Extreme, Core i7 and Xeon server processors listed.

The likely reason for this is that the announcement relates to variant 2 of Spectre (CVE-2017-5715), rather than variant 1 (CVE-2017-5753).

From the moment Spectre was made public in January, it was clear that while variant 1 could be addressed in userland software, variant 2 would need a mixture of BIOS and possibly operating system updates.

This required a lot of work by BIOS vendors and OS makers, such as Microsoft, to patch a flaw affecting older chips used in a relatively small number of specialist PCs.

Less politely, it’s not worth the bother when there’s so much other work needed to fix this flaw for everyone else.

The upside is that anyone whose PC contains one of these older chips can now make an informed choice about whether to ditch it and buy something more recent.

For everyone else, the process of mitigating and patching systems affected by both variants of Spectre as well as Meltdown is still unfolding.

How users achieve this will depend on which vendor made their PC, the BIOS inside it, and the operating system. Spectre variant 2 also affects chips from AMD (including recent Ryzen parts) and ARM.

Good places to drill down into the practical effects are Microsoft’s Meltdown and Spectre resource page, the similar pages provided by Intel and AMD, and ARM’s developer-oriented site.

An introduction to Meltdown and Spectre can be found on a site set up by some of the researchers, and you can read a clear explanation of the KPTI flaws behind them from Naked Security’s own Paul Ducklin.

Spectre’s ghostly nickname has turned out to be spot on. As researchers wrote when announcing it in January:

As it is not easy to fix, it will haunt us for quite some time.