By Next Week, Intel Expects To Issue Updates To More Than 90% of Processor Products Introduced Within Past Five Years

Intel said on Thursday that by next week it expects to have patched 90 percent of its processors that it released within the last five years, making PCs and servers "immune" from both the Spectre and Meltdown exploits. The company adds: Intel has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years. In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services.

Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time. While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact. System updates are made available by system manufacturers, operating system providers and others.

5 Years?

[PingSpike]

Does the issue only apply to CPUs newer than 5 years ago or did Intel just decide if your CPU is older than that they don't actually care? I'd previously heard anything since the original pentium up to the P4 was where it began.

Re:5 Years?

They really should update everything, but maybe they're just starting with the newer ones.

Failing that, they should at least go back to Conroe, which was pretty much their first CPU that would actually be useful in 64-bit mode. It also means that there's a simple "core=fixed, pentium=vulnerable" understanding for users. But Nehalem was probably the first CPU that was regularly used with more than 4GB of RAM. Any of those would be, in some way, acceptable, but only going back to Haswell is just going to encourage a lot of people to buy new CPUs. From AMD.

Re:Will this finally get rid of XP?

[sl3xd]

I think we can safely say that if people haven't switched from XP by now, there's nothing in Meltdown or Spectre that'll change their minds.

Uh what?

[crweb]

Uh, why is Intel pretending like THEY are the ones deploying patches, Operating Systems, and fixes for their flaw?

I'm really confused.. Did our machines some how auto update the Intel hardware, or is this Intel taking credit for everyone elses effort to act like they were proactive?

Re:Uh what?

[Megol]

The Intel propaganda machine is working hard, just look at all sites that try to combine the two kind of exploits into one and imply that all processors not only Intel is vulnerable when in reality one type of exploit with less severity is general while the severe one is Intel specific.

But I have no doubt that Intel engineers are also working hard in order to patch the problems as quickly as possible and with as little performance impact as possible.

Re:class action time!

[tomxor]

No... I'll just get a different CPU next time. Especially since they don't seem to be bothering with microcode patches for 5yr old CPUs, so Intel CPUs are a bad investment it would seem.

Re:Intels updates also slow down AMD chips that do

[WaffleMonster]

Bear in mind that there are two vulnerabilities, Meltdown and Spectre. Meltdown is currently Intel-only, but Spectre is Intel, ARM and AMD. Both use similar techniques to access kernel memory (Meltdown) and local process memory (Spectre).

This description is very misleading because it makes it sound like the two issues are similar when they very much are not.

Meltdown provides processes with access to memory contents they have no right to access.

Spectre is merely a side-channel timing attack. Similar issues have been known about for years exploiting static caches, hyper threading, branch prediction, DPA...etc. Spectre is little more than a PR smoke screen for Meltdown. The two are not in the same league and they don't deserve to be described as if they are close relatives.

Re:Intels updates also slow down AMD chips that do

[DamnOregonian]

This description is very misleading because it makes it sound like the two issues are similar when they very much are not.

No, they are. "Meltdown" should be considered a subset of the "Spectre" class of vulnerabilities.
While AMD is not vulnerable to Meltdown variants that can be mitigated with KPTI, they're still vulnerable to Meltdown variants that can manipulate the kernel into doing the speculative execution for them- as the Google PoC demonstrated, eBPF with JIT (though disabled by default).

Spectre is merely a side-channel timing attack. Similar issues have been known about for years exploiting static caches, hyper threading, branch prediction, DPA...etc. Spectre is little more than a PR smoke screen for Meltdown. The two are not in the same league and they don't deserve to be described as if they are close relatives.

They're both side-channel timing attacks. They both exploit a race condition between instruction retirement after a fault in a superscalar architecture. The difference is that AMDs execution units can't specifically leak the data, because their L1 caches store and honor privilege bits. However, if that speculative execution happens in the kernel context (eBPF JIT) then userspace can still pick up the side-channel leaked data, making even AMD vulnerable to a subset of Meltdown, itself a subset of Spectre. Clear?