When Specter and Meltdown meet shortly after New Year It has sparked a barrage of responses from companies such as Intel, AMD, ARM and Microsoft. Patching has exploited the flaws that exploit branching prediction and speculative execution errors several months with some high-profile failures urs: Intel had to remove Specter patches for certain older systems after it became clear that they caused frequent reboots. A few weeks later, the fixes were reintroduced, with plans to patch chips by 2007. These plans have now been lifted.
Previously, we expected Intel to patch Bloomfield (45nm, Core i7), Clarksfield (45nm Mobile Core i7), Jasper Forest (45nm Xeon), Penryn (45nm mobile Core 2 Duo), Yorkfield (45nm Core 2 Quad ) and Wolfdale (45nm Desktop Core 2 Duo). Intel's SoFIA processors, some of which are still sold today, should also be updated. However, none of these updates will happen.
According to Tom's hardware, Intel's argument was as follows:
After a thorough study of microarchitecture and microcode capabilities for these products, Intel has decided not to release any microcode updates for these products for one or more reasons including, but not limited to to the following:
- Microarchitectural Features Precluding Practical Implementation of Variant 2 Mitigation Characteristics (CVE-2017-5715)
- Restricted System Software Support
- Based on customer input, most of these products are considered "closed." Systems, and are therefore expected to be less likely to be exposed to these vulnerabilities.
THG suggests that the second reason is probably the most important we would agree with. "Limited, commercially available system software support" probably means "We could not convince our motherboard partners (or possibly Microsoft) to distribute updates for us."
It is not clear how much of a security risk this is. On the one hand, chips from 10 to 11 years ago are not used too often. On the other hand, the media PC on the ground floor still uses a Core i7-920. I have family members, plural, with hardware still in daily use, that's so old. It is not difficult to understand why. With the minimum requirements for Windows, which has barely changed in the last decade, there is no reason why a rig from 2008 can not still hum.
It would be really useful to know how much of this shift was caused by the exploits. It's not really triggered, unlike the one that Intel has not tried to throw the money at to motherboard makers and / or convince Microsoft to patch older systems. If the CPUs are hard to influence, it's no big deal to push updates. If that's the case, Intel may leave millions of systems unprotected worldwide. Either way, it might be a good time to think about upgrading.