Several pre-2011 Macs could still be vulnerable to "ZombieLoad"-like security exploits, and Apple can't fix that because Intel won't release the necessary microcode updates.
contacted Apple about the list published on May 13 to clarify how Macs made before the 2011 vulnerability could be affected. Apple says that certain older Macs could remain vulnerable to security attacks that are similar to "ZombieLoad," because Intel will not release necessary updates. While 'ZombieLoad' itself will not affect these machines, because of the particular attack vector, Apple cannot fully patch against other such "speculative execution vulnerabilities" without Intel's help.
The "ZombieLoad" exploit affects all Intel processors since 2011 and Apple's new support documentation lists only earlier Macs that could remain vulnerable to similar issues.
These Macs are all ones that are either supported as vintage ones, as opposed to obsolete, or which are capable of running the latest macOS Mojave.
"These models may receive security updates in macOS Mojave, High Sierra or Sierra," says Apple in its new support documentation, "but are unable to support the fixes and mitigations due to a lack of microcode updates from Intel."
Even on new Macs hit by the actual "ZombieLoad" security exploit, the problems are unlikely to materially affect many users.
There is a method of what Apple calls full mitigation, which would eliminate the possibility of "ZombieLoad" and similar assaults affecting a Mac, but it requires disabling functions that would reduce system performance by as much as 40%.
However, a better prevention is to download software only from the Mac App Store or other developers' sites that you trust.