Intel won’t fix Spectre flaws in older chips

If your PC runs one of Intel’s older microprocessors, bad news: Intel has announced that some of the company’s consumer and business chips from this era will not now receive updates to fix a variant of the Spectre mega-flaw.

After a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products.

The affected processor families are: Penryn, Yorkfield, Wolfdale (all 2007), Bloomfield (2008), Clarksfield (2009), Jasper Forest, and Gulftown (both 2010).
The more recent SoFIA 3GR X3 Atom chip used in smartphones from 2015 is also on the list.
For most people, these names won’t be terribly helpful in working out whether they’re affected because they relate to a chip’s architecture, not the product name it was sold under.
Helpfully, Intel itemises the individual processors in each affected family (see rows marked red, column two), so it’s a question of reading through the list to see which ones are mentioned.
A theme that jumps out of the listing is the number of high-performance Core 2 Extreme, Core i7 and Xeon server processors listed.
The likely reason for this is that the announcement relates to variant 2 of Spectre (CVE-2017-5715), rather than variant 1 (CVE-2017-5753).
From the moment Spectre was made public in January, it was clear that while variant 1 could be addressed in userland software, variant 2 would need a mixture of BIOS and possibly operating system updates.
This required a lot of work by BIOS vendors and OS makers, such as Microsoft, to patch a flaw affecting older chips used in a relatively small number of specialist PCs.
Less politely, it’s not worth the bother when there’s so much other work needed to fix this flaw for everyone else.


The upside is that anyone whose PC contains one of these older chips can now make an informed choice about whether to ditch it and buy something more recent.
For everyone else, the process of mitigating and patching systems affected by both variants of Spectre as well as Meltdown is still unfolding.
How users achieve this will depend on which vendor made their PC, the BIOS inside it, and the operating system. Spectre variant 2 also affects chips from AMD (including recent Ryzen parts) and ARM.
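
On a Linux host, the kernel reports how it is handling variant 2 in /sys/devices/system/cpu/vulnerabilities/spectre_v2. The script below is an added example, not part of the original article: it classifies that status line to show whether the machine relies on software mitigation alone or also uses the IBRS/IBPB controls that, on older chips, arrive only via microcode. The function names are hypothetical, the fallback status string is constructed, and the match patterns are an assumption because the wording varies between kernel versions.

```shell
#!/bin/sh
# Added example: interpret the Linux kernel's Spectre variant 2 status line.
# Status wording differs between kernel versions; these patterns are an
# assumption covering common forms, not an exhaustive list.
SYSFS_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# Hypothetical helper: print each status field naming an IBRS or IBPB control
# that is active. On CPUs that predate the fix these controls exist only after
# a microcode update. Runs in a subshell so IFS and noglob stay local.
microcode_features_in_use() (
    IFS=',;'
    set -f
    set -- $1                      # split the status into fields
    for field in "$@"; do
        field=${field# }           # drop the space after the separator
        case $field in
            *": disabled") ;;      # control present but switched off
            IBRS*|IBPB*|"Enhanced IBRS"*|"Enhanced / Automatic IBRS"*)
                printf '%s\n' "$field" ;;
        esac
    done
)

# Hypothetical helper: reduce a status line to one of five labels.
classify_spectre_v2() {
    case $1 in
        "Not affected"*) echo not-affected ;;
        Vulnerable*)     echo vulnerable ;;
        "Mitigation: "*)
            if [ -n "$(microcode_features_in_use "${1#Mitigation: }")" ]; then
                echo mitigated-with-microcode
            else
                echo mitigated-software-only
            fi ;;
        *) echo unknown ;;
    esac
}

if [ -r "$SYSFS_FILE" ]; then
    status=$(cat "$SYSFS_FILE")
else
    # Constructed sample for hosts without the sysfs file.
    status='Mitigation: Full generic retpoline, STIBP: disabled, RSB filling'
fi
printf '%s -> %s\n' "$status" "$(classify_spectre_v2 "$status")"
```

A result of mitigated-software-only on one of the processors Intel lists means the operating system is doing all the work, which is the most such a machine can expect without a microcode update.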
Good places to drill down into the practical effects are Microsoft’s Meltdown and Spectre resource page, or similar ones provided by Intel, or AMD, or ARM’s developer-oriented site.
An introduction to Meltdown and Spectre can be found on a site set up by some of the researchers, and you can read a clear explanation of the KPTI flaws behind them from Naked Security’s own Paul Ducklin.
Spectre’s ghostly nickname has turned out to be spot on. As researchers wrote when announcing it in January:

As it is not easy to fix, it will haunt us for quite some time.


13 Comments

Of course not. They want you to buy more of their defective products. I think about all of the Intel processors I bought and sold over the years and now I feel bad for my customers because I promoted the Intel product. :(

This is not some seedy stunt to get people to upgrade. The hurdles to patch it are significant.

I’ve been in IT for over 30 years, Wilderness. The coding that goes into these processors does not change significantly over the generations. That is why this flaw is prevalent in a wide range. The only hurdle is getting all of the players to work together but alas they all are doing the blame game because no one wants to fork over the money to fix the flaw nor do they want to take the blame in case of class action lawsuits. If that is the significant hurdle you were referring to then I suppose your statement is correct. :)

As are the hurdles for, say, Toyota replacing airbag canisters, or GM replacing ignition switches. Just because it’s “tech” doesn’t relieve them of responsibility for defects in their products.

Nice photo, but it’s not an Intel processor. The 82371 “South Bridge” is a bridge between PCI and ISA busses used in much older desktop computers which supported both kinds of feature cards. It was produced in 1996.
Your editor would have difficulty finding a picture of an Intel processor since they are usually buried beneath a heatsink.

This is helpful. One question I have about this article: Do the listed processors apply to Microsoft platforms only, or do they also apply to Linux boxes and Mac iOS computers? The article specifies “Windows Vulnerability” at the top and references “PC” throughout (which some readers might interpret suggests the list of processors is purely Wintel based). Is there a quick answer without having to research each one on the red list? Thx!

PC in this article refers to x86 on Windows or Linux (the latter is ported to various hardware but Intel is still dominant for desktop/laptop machines).
This makes life complicated because a Wintel/AMD computer might require a patch from Intel via a system vendor, a BIOS update from a separate BIOS vendor via the same system maker, and an OS update from Microsoft.
By contrast, Apple desktops/laptops use Intel but have an integrated patching regime controlled by Apple itself (likewise iOS ARM-derived SoCs).
Depending on the handset, Android is somewhere between the two extremes.

I bought a HP 210-4000cto customized. They gave me options of processors to pick. When I received it one of the options among many options was impossible to put in it and refunded me. The reason for this statement no one wrote 64bit software for the BIOS therefore I was misled into thinking by Intel it’s usable for 64bit – that perhaps there is a secret about why no one wrote the software because perhaps it’s a flawed processor.

The world will beat a path to the door of anyone who creates a 100% foolproof way of writing code. How would we even know that the solution was 100% foolproof unless we spent the rest of eternity looking for loopholes in the solution? I doubt Intel knowingly sold us processors with security flaws in them. After all, it took many years for anyone to find these flaws. Having done so, I would not expect Intel to spend money fixing their processors that are more than 5 years old, any more than you could reasonably expect any manufacturer of white goods to guarantee the availability of spare parts for their machines for more than a few years. You could argue that Intel 8088 parts are flawed as they do not run as well as i7s. Technology moves on and so do we. Let’s accept that future generations of Intel processors will perform better and have fewer bugs than previous generations, rather than wasting our lives debating whether Intel have a responsibility to fix every processor they ever made.

Chances are that future generations will be secure from this particular vulnerability but perform worse. Such is the nature of this particular flaw.
