Processors released as far back as 2007 are vulnerable, but won’t be patched.
At the beginning of 2018, Intel was facing a bit of a crisis due to a decade’s worth of its processors being vulnerable to attack thanks to a design flaw. There are actually two vulnerabilities, called Meltdown and Spectre. Meltdown can be mitigated by an operating system update, but Spectre needs patching by Intel using microcode. However, not all vulnerable chips are going to get patched.
Intel processors vulnerable to Spectre date back as far as the Yorkfield Core and Xeon chips released in 2007. As Liliputing reports, Intel was planning to patch all affected processors, but has now decided not to do so for chips released between 2007 and 2009.
Intel explained, “we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback.” More specifically, those reasons are:
- Micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715)
- Limited Commercially Available System Software support
- Based on customer inputs, most of these products are implemented as “closed systems” and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.
Roughly translated, Intel is saying that the oldest chips, while vulnerable, are impractical to target for an attack. And most of those processors are only being used in systems that aren’t easy to target anyway because they aren’t hooked up to the Internet.
Tom’s Hardware points out that “Limited Commercially Available System Software support” is actually just a nice way of Intel explaining that motherboard manufacturers and operating system developers are less than willing to help roll out patches for decade-old systems. In other words, attempting to patch really old processors just isn’t worth the hassle.