Updated, 4/4/2018, 7:00am PT: Added Intel's statement.
Intel hinted in a previous microcode update guidance that some older chip architectures going back about a decade, such as Penryn, Yorksfield, and Wolfdale, would receive updates to address the Spectre vulnerability. However, in a recent microcode revision guidance, the company changed its mind.
Old Chips Forgotten
Intel announced that Penryn (launched in 2007), Yorkfield (2007), Wolfdale (2007), Bloomfield (2008), Clarksfield (2009), Nehalem-based Jasper Forest (2010), and Intel Atom “SoFIA” (2015) will no longer receive the Spectre patches, as originally promised.
The company gave the following reasons for no longer providing the patches:
After a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products for one or more reasons including, but not limited to the following:
- Micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715)
- Limited Commercially Available System Software support
- Based on customer inputs, most of these products are implemented as “closed systems” and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.
But What’s The Real Reason?
It’s no secret that patching Spectre variant 2 wasn’t easy, as we’ve seen both Intel and Microsoft first bungle and then disable patches for this flaw. However, the real reason Intel gave up on patching these systems seems to be that neither motherboard makers nor Microsoft may be willing to update systems sold a decade ago. That's likely what Intel means by “limited commercially available system software support.”
Even though Intel develops the microcode update for its own processors, the update can be delivered only through a BIOS or OS update. If neither motherboard manufacturers nor Microsoft are willing to deliver the patches, then there’s not much point for Intel to develop them.
With the exception of the Intel Atom “SoFIA” chip, most of the others are indeed quite old chips, so this decision shouldn’t have too much of a negative impact on PC users and companies that bought Intel chips.
Intel later followed up to our inquiry, stating the following:
We’ve now completed release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google Project Zero. However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback.