Intel decides to leave some older processor families vulnerable to Spectre

In the end, it was just too much work for too little benefit for too few customers. We're talking about Intel's decision to stop developing and releasing microcode updates to mitigate Spectre and Meltdown for certain older processor architectures.

The change is reflected in the latest microcode revision guidance (PDF) from Intel, which now lists a new "stopped" status next to a handful of processor families. They include the following:

  • Bloomfield (including Xeon)
  • Clarksfield
  • Gulftown
  • Harpertown Xeon C0 and E0
  • Jasper Forest
  • Penryn/QC
  • SoFIA 3GR
  • Wolfdale C0, M0, E0, R0, and Xeon E0
  • Yorkfield (including Xeon)

Intel's decision to abandon mitigations for older processor architectures affects chips such as the Core 2 Quad Q8200 (Yorkfield) and Core i7-920 (Bloomfield), to give just a couple of examples.

"After a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products for one or more reasons including, but not limited to the following:

  • Micro-architectural characteristics that preclude a practical implementation of features mitigating variant 2 CVE-2017-5715.
  • Limited commercially available system software support.
  • Based on customer inputs, most of these products are implemented as 'closed systems' and therefore are expected to have a lower likelihood of exposure to these vulnerabilities."

 Some of the affected processors are more than a decade old, dating back to 2007, and the majority were sold between then and 2011—Intel's SoFIA Atom processor is a lone exception. It seems that Intel decided it was more trouble than it was worth to try and mitigate recently disclosed flaws in older processors—some of the earlier patches have caused problems on certain platforms.

For the affected CPU families, Intel recommends discontinuing the use of previously released microcode updates "due to stability issues." While this means that several older processors are forever vulnerable to certain side-channel attacks, Intel feels there are too few systems and not enough demand to warrant patching chips that are not as widely deployed as more recent CPUs.

"We've now completed release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google. However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback," Intel said in a statement to ZDNet.

It remains to be see if Intel's decision will have any legal ramifications. Back in February, Intel revealed in a filing with the US Securities and Exchange Commission that it was facing 30 customer class-action lawsuits and two securities class-action lawsuits related to Spectre and Meltdown.