Intel gives up patching some chips with Spectre flaws

The Spectre and Meltdown chip vulnerability saga continues today, with Intel admitting it can't or, rather, won't issue patches for some of its affected CPUs.

Spectre and Meltdown are two flaws found at the chip level that can lead to serious data breaches. As the problem is at the architecture level, it affects virtually all processors made within the past 20 years - not just from Intel but also other giants like ARM and potentially AMD.

While no exploit of either flaw has been seen in the wild, because the problem is so widespread it's considered one of the greatest information security problems of recent times.

Despite previous pledges to issue microcode updates that will fix the flaws, Intel is now backtracking when it comes to certain of its CPUs.

In a revision notice published on Monday, the chipmaker now lists 16 microcode updates as "stopped", meaning that while patches have previously been released, Intel will no longer issue them. The company has also recommended that admins and/or users stop using the updates, as the mitigation for Spectre v2 contained within them causes stability issues.

The reasons Intel gave for stopping these updates vary, from the possibility that patching Variant 2 of Spectre is just too difficult given the design of the chip in question, to limited availability of software support, to the fact that some of the affected chips are powering 'closed systems'. Those systems are not connected to anything that could allow hackers to exploit them, so the risk is small enough that administrators can avoid the fuss of implementing such a tricky update.

The affected chips cover a broad range of families, many of which were released around a decade ago and some of which have ceased production in the meantime, so it's hard to say how many systems will actually remain at risk due to this change. Affected chip families that won't be getting an update include Bloomfield, Bloomfield Xeon, Clarksfield, Gulftown, Harpertown Xeon C0, Harpertown Xeon E0, Jasper Forest, Penryn/QC, SoFIA 3GR, Wolfdale, Wolfdale Xeon, Yorkfield and Yorkfield Xeon. Intel's notice doesn't list which of these chip families it believes are too difficult to patch, and which present a low risk.

On the other side of the coin, however, Intel has rolled back a previously issued "stopped" notice on four other patches as "subsequent testing by Intel has determined that these were unaffected by the stability issues and have been re-released without modification" - these are Skylake H/S, Skylake U/Y, Skylake U23e and Skylake Xeon E3.

A full list of the affected systems, plus what their patch status is, can be found here.

In a statement, the company said: "We've now completed release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google. However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback."

Intel has a messy history of patching Meltdown and Spectre, botching an initial run of Skylake patches that resulted in performance slowdowns and rebooting issues, which it eventually rolled back and replaced with another set of patches in February. The vendor faces more than 30 lawsuits relating to the chip vulnerabilities.

Jane McCallion
Deputy Editor
