Intel has been working at a fervent pace since the beginning of 2018 to provide security patches and updates to its users following the disclosure of the Meltdown and Spectre vulnerabilities, which affect nearly every processor it has made since 1995. The company has been trying to update all of its lineups simultaneously while also battling three lawsuits and an SEC investigation into insider-trading allegations levelled against its CEO, Brian Krzanich. This week, Intel announced that, despite significant effort, most of its first-generation Core i lineup, along with its entire Core 2 family, will remain unpatched against the second variant of Spectre. This affects both the consumer and the server processors that share an architecture across these families, so a large number of machines currently on the internet remain vulnerable to these attacks.

Intel had previously announced plans to update the microcode of these older processors by working with system vendors and operating system developers, including Microsoft, Apple, and the Linux kernel security team, to deliver updated microcode that could be loaded at boot time on vulnerable systems. Microcode loaded by an OS overrides the microcode embedded in the processor only until the next reset, which is why it has to be reloaded at every boot; it may in some cases offer better performance and carry bug fixes that will eventually be built into future products.

In a presentation published to Intel’s blog site dated 2 April 2018, Intel announced that it would no longer be providing microcode updates to the following families:

  • Bloomfield and Bloomfield Xeon
    • Intel Core i7-975, 965 Extreme Edition
    • Intel Core i7-920, 930, 940, 950, 960
    • Intel Xeon W3520, W3530, W3540, W3550, W3565, W3570, W3580
  • Clarksfield
    • Intel Core i7-920XM, 940XM Extreme
    • Intel Core i7-720QM, 740QM, 820QM, 840QM
  • Gulftown
    • Intel Core i7-970, 980
    • Intel Core i7-980X, 990X Extreme Edition
    • Intel Xeon W3690
  • Harpertown Xeon
    • Intel Xeon L5408, L5410, L5420
    • Intel Xeon E5405, E5410, E5420, E5430, E5440, E5450, E5462, E5472
    • Intel Xeon X5450, X5460, X5470, X5472, X5482
    • Intel Xeon L5408, L5410, L5420, L5430
    • Intel Xeon E5405, E5410, E5420, E5430, E5440, E5450, E5462, E5472
    • Intel Xeon X5450, X5460, X5470, X5492
  • Jasper Forest
    • Intel Celeron P1053
    • Intel Xeon EC3528, EC3529, EC5509, EC5539, EC5549, LC3518, LC3528, LC5518, LC5528
  • Penryn Dual and Quad-core
    • Intel Core2 Extreme X9000, X9100
    • Intel Core2 Quad Q9000, Q9100
    • Intel Core2 Duo T6400, T6500, T6670, T8100, T8300, T9300, T9400, T9500, T9550, T9600, T9800, T9900, SU9300, SU9400, SU9600, SP9300, SP9400, SP9600, SL9380, SL9400, SL9600, SL9300, P7350, P7370, P7450, P7550, P7570, P8400, P8600, P8700, P8800, P9500, P9600, P9700
    • Intel Core2 Solo SU3500, ULV SU3500, ULV SU3300
    • Intel Pentium T4200, T4300, T4400, T4500
    • Intel Celeron 900, 925, SU2300, T3100, T3300, T3500, ULV 763
    • Intel Celeron M Processor ULV 722, ULV 723, ULV 743
  • SoFIA 3GR
    • Intel Atom x3-C3200RK, x3-C3230RK
  • Wolfdale and Wolfdale Xeon
    • Intel Core 2 Duo E7200, E7300, E8190, E8200, E8300, E8400, E8500
    • Intel Core 2 Duo E7400, E7500, E8400, E8500, E8600
    • Intel Pentium E5200, E5300, E5400, E5500, E5700, E5800, E6300, E6500, E6500K, E6600, E6700, E6800
    • Intel Celeron E3200, E3300, E3400, E3500
    • Intel Xeon E3110, E5205, E5220, L5240, X5260, X5272
    • Intel Xeon E3110, E3120, E5205, E5220, L3110, L5215, L5240, X5260, X5270, X5272
  • Yorkfield and Yorkfield Xeon
    • Intel Core2 Extreme QX9650, QX9770, QX9775
    • Intel Core2 Quad Q8200, Q8200S, Q8400, Q8400S, Q9300, Q9400, Q9400S, Q9450, Q9500, Q9505, Q9505S, Q9550, Q9550S, Q9650
    • Intel Xeon L3360, X3320, X3330, X3350, X3360, X3370, X3380

Intel’s reason for not providing the updates is that the microcode of these processors cannot be modified to fix Spectre V2 in the manner planned for its other products, so entirely different approaches suited to these older architectures would be needed, and Intel says implementing them would not be practical. In addition, Intel expects “limited commercially available system software support” from software vendors and OEMs, and says most of the machines still in use are deployed as “closed systems” that are not connected to the internet.

Intel also notes in the same brief that it has just completed new microcode updates for the following families, and that these updates should be available soon through participating vendors:

  • Arrandale and Arrandale Mobile
  • Clarkdale, Clarkdale Mobile, and Clarkdale Xeon
  • Lynnfield and Lynnfield Xeon
  • Nehalem-EP and Nehalem-WS
  • Westmere EP, WS, and EX

It’s an extremely long list of processors that will remain vulnerable to Spectre V2, although you can take some solace in the fact that Spectre V1 is mitigated through individual application updates and Meltdown through OS updates. For the most part you’re probably fine visiting popular, well-maintained websites, but doing so still carries some risk.
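For anyone who has to find these machines in a fleet, here is an added example (not from the article, from Intel, or from any Linux tooling) of a Linux inventory check: it matches the `model name` string from `/proc/cpuinfo` against the model numbers in the list above, and reads the kernel's `/sys/devices/system/cpu/vulnerabilities/spectre_v2` status string, whose prefixes are `Not affected`, `Mitigation:` and `Vulnerable`. Those two paths are the real kernel interfaces; the sample `cpuinfo` text and status string are constructed for the demonstration, and the microcode revision in the sample is a placeholder value.

```python
"""Screen a Linux host for a CPU on the article's Spectre V2 no-update list.

Added example, not Intel's or the article's own code. The sample inputs at the
bottom are constructed; run on a real host it reads /proc/cpuinfo and sysfs.
"""
import re
from pathlib import Path

# Model numbers transcribed from the article's list of families Intel will not
# update for Spectre V2, keyed by the brand word that appears in the model name.
UNPATCHED_MODELS = {
    "Core": set("""
        975 965 920 930 940 950 960 920XM 940XM 720QM 740QM 820QM 840QM
        970 980 980X 990X X9000 X9100 Q9000 Q9100 T6400 T6500 T6670 T8100
        T8300 T9300 T9400 T9500 T9550 T9600 T9800 T9900 SU9300 SU9400 SU9600
        SP9300 SP9400 SP9600 SL9380 SL9400 SL9600 SL9300 P7350 P7370 P7450
        P7550 P7570 P8400 P8600 P8700 P8800 P9500 P9600 P9700 SU3500 SU3300
        E7200 E7300 E7400 E7500 E8190 E8200 E8300 E8400 E8500 E8600
        QX9650 QX9770 QX9775 Q8200 Q8200S Q8400 Q8400S Q9300 Q9400 Q9400S
        Q9450 Q9500 Q9505 Q9505S Q9550 Q9550S Q9650""".split()),
    "Xeon": set("""
        W3520 W3530 W3540 W3550 W3565 W3570 W3580 W3690
        L5408 L5410 L5420 L5430 E5405 E5410 E5420 E5430 E5440 E5450 E5462
        E5472 X5450 X5460 X5470 X5472 X5482 X5492
        EC3528 EC3529 EC5509 EC5539 EC5549 LC3518 LC3528 LC5518 LC5528
        E3110 E3120 E5205 E5220 L3110 L5215 L5240 X5260 X5270 X5272
        L3360 X3320 X3330 X3350 X3360 X3370 X3380""".split()),
    "Celeron": set("""
        P1053 900 925 SU2300 T3100 T3300 T3500 763 722 723 743
        E3200 E3300 E3400 E3500""".split()),
    "Pentium": set("""
        T4200 T4300 T4400 T4500 E5200 E5300 E5400 E5500 E5700 E5800
        E6300 E6500 E6500K E6600 E6700 E6800""".split()),
    "Atom": {"C3200RK", "C3230RK"},  # SoFIA 3GR: Atom x3-C3200RK, x3-C3230RK
}


def parse_cpuinfo(text):
    """Return the 'model name' and 'microcode' fields of the first CPU block."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            if info:          # blank line ends the first processor block
                break
            continue
        key, _, value = line.partition(":")
        info.setdefault(key.strip(), value.strip())
    return {"model name": info.get("model name", ""),
            "microcode": info.get("microcode", "")}


def is_listed_unpatched(model_name):
    """True if the model-name string names a processor on the article's list.

    Trademark markers are dropped and the string is split on whitespace and
    hyphens, so 'Core(TM) i7 CPU 920' and 'Core(TM)2 Duo CPU E8400' both
    resolve to brand 'Core' plus a model token.
    """
    cleaned = re.sub(r"\((?:R|TM)\)", "", model_name)
    tokens = re.split(r"[\s\-]+", cleaned.strip())
    brand = next((b for b in UNPATCHED_MODELS for t in tokens
                  if t.startswith(b)), None)
    return brand is not None and any(t in UNPATCHED_MODELS[brand] for t in tokens)


def spectre_v2_status(text):
    """Classify the kernel's sysfs spectre_v2 string by its leading keyword."""
    text = text.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def assess(cpuinfo_text, spectre_v2_text):
    """Combine both checks. A listed CPU is flagged regardless of what the
    kernel reports, because per the article it will never get fixed microcode."""
    info = parse_cpuinfo(cpuinfo_text)
    listed = is_listed_unpatched(info["model name"])
    status = spectre_v2_status(spectre_v2_text)
    return {**info, "listed_unpatched": listed, "spectre_v2": status,
            "needs_attention": listed or status in ("vulnerable", "unknown")}


# Constructed sample input (a Bloomfield Core i7-920; microcode value is a placeholder).
SAMPLE_CPUINFO = ("processor\t: 0\nvendor_id\t: GenuineIntel\n"
                  "model name\t: Intel(R) Core(TM) i7 CPU         920  @ 2.67GHz\n"
                  "microcode\t: 0x1d\n")
SAMPLE_SPECTRE_V2 = "Mitigation: Full generic retpoline\n"


def main():
    cpuinfo = Path("/proc/cpuinfo")
    sysfs = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")
    if cpuinfo.exists() and sysfs.exists():
        result = assess(cpuinfo.read_text(), sysfs.read_text())
    else:
        result = assess(SAMPLE_CPUINFO, SAMPLE_SPECTRE_V2)
    for key, value in result.items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main()
```

On the constructed sample the host is flagged: the model token `920` is on the Bloomfield list, so `needs_attention` is true even though the kernel reports a retpoline mitigation. The brand check keeps a bare number such as Celeron `900` from matching an unrelated Core or Xeon part.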

Spectre V2 fixes require hardware or microcode changes to mitigate the vulnerability, and it is exploitable from JavaScript. Web browsers may have been updated enough that you’re protected from most attacks, but if you install a browser extension, or sign up for notifications from a site or service that is later compromised, an attacker can use Spectre V2 against you, targeting the branch predictor in the processor to leak sensitive information. The only precaution that fixes this permanently is never letting that machine onto the internet. In an age where adverts load their own JavaScript, where browser extensions are not vetted by the browser makers, and where you don’t quite know what is happening in the background of that uTorrent update you got the other day, there’s no telling when you’ll be hit.

Viruses that specifically target Spectre V2 are already out in the wild, and several are built to be wormable and to report anything useful back to the attacker’s control server. Heck, you could send a virus to Windows Defender to scan, and the scan itself might create the right conditions to run the exploit against the CPU. Microsoft patched Defender for exactly that reason this week, but on a system that remains vulnerable to Spectre V2 the scanner could still be co-opted to do an attacker’s bidding.

Hey, there’s also BranchScope to worry about. I guess we’re all just going to have to buy new machines.