Intel has been rolling out microcode updates meant to help protect users from attacks based on the recently disclosed Spectre and Meltdown vulnerabilities. But while most Intel chips released in the past decade or so are vulnerable, Intel has decided not to released some previously promised updates for certain chips released between 2007 and 2009.
The company released an updated version of its Microcode Revision Guidance on April 2nd, 2018 and it lists the production status for a number of chips as “stopped.”
Intel says that after investigating the architecture and capabilities, the company has decided to scrap its planned updates for: “one or more reasons including, but not limited to the following:
- Micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715)
- Limited Commercially Available System Software support
- Based on customer inputs, most of these products are implemented as “closed systems” and therefore are expected to have a lower likelihood of exposure to these vulnerabilities”
In other words, it’d be tough to release an effective update and/or there aren’t that many people still using those chips anyway and/or those that still are using them say that they’re not worried about malware gaining access to their systems in a way that would allow private data to be extracted without permission.
You should check out Intel’s document (PDF) for a full list of affected processors, but the list basically seems to consist of processors that were released under the following code-names:
- 2007 Yorkfield chips including Core (Desktop) and Xeon (server) processors
- 2008 Penryn chips (Mobile)
- 2008 Harpertown chips (Embedded)
- 2008 Wolfdale chips (Desktop)
- 2009 Bloomfield chips including Intel Core (desktop) and Xeon (server) processors
- 2009 Clarksfield chips (Mobile)
- 2010 Gulftown chips (Desktop)
- 2010 Jasper Forest (Embedded)
There are also two relatively recent chips on the list: Intel’s Atom x3-C200RK and x3-C3230RK SoFIA processors, which are low-power processors aimed at entry-level smartphones and tablets. They were released in partnership with Chinese chip maker Rockchip in 2015 and featured 4 Intel Atom cores and ARM Mali 450-MP4 graphics.
As far as I’m aware the chips were never widely adopted, and so I’m guessing Intel is giving up on developing microcode updates due to lack of demand/need. Interestingly, Intel is still working on updates for the related Atom x3-C3130 processor, suggesting that there are at least some of these chips in the wild that are in need of patching.
Update: Intel released the following statement confirming the updated plan:
We’ve now completed release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google Project Zero. However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback.
via Tom’s Hardware