The Spectre vulnerabilities are a bigger problem for AMD than the company previously believed.
The chip maker Thursday backtracked on an earlier statement to the media regarding Spectre, which had claimed there was a “near zero risk” to AMD processors from “the three variants targeting speculative execution.” Those variants include both the Meltdown vulnerability (CVE-2017-5754) and the two Spectre vulnerabilities (CVE-2017-5753 and CVE-2017-5715) for bounds check bypasses and branch target injection attacks, respectively. In addition, AMD published a security statement that reiterated that position, specifically for the branch target injection flaw. “Differences in AMD architecture mean there is a near zero risk of exploitation of this variant,” the post reads.
However, the new statement released yesterday from AMD senior vice president and CTO Mark Papermaster admitted that both Spectre vulnerabilities affect its chips, including the branch target injection variant. “While we believe that AMD’s processor architectures make it difficult to exploit Variant 2, we continue to work closely with the industry on this threat,” the statement reads. “We have defined additional steps through a combination of processor microcode updates and OS patches that we will make available to AMD customers and partners to further mitigate the threat.”
Papermaster said AMD will release “optional microcode updates” to mitigate the Spectre vulnerabilities on systems running Ryzen and EPYC processors beginning this week. “We expect to make updates available for our previous generation products over the coming weeks,” he wrote. “These software updates will be provided by system providers and OS vendors; please check with your supplier for the latest information on the available option for your configuration and requirements.”
AMD also said it is working with both Microsoft and Linux vendors on future Spectre patches for AMD systems, as well as “engaging closely with the Linux community” on Retpoline, aka “return trampoline,” which is a mitigation technique developed by Google for the branch target injection attacks.
Papermaster’s statement Thursday also provided an update on earlier Spectre patches for AMD processors. While Microsoft has distributed Windows patches for the majority of AMD systems, the company acknowledged issues with those patches.
“We are working closely with them to correct an issue that paused the distribution of patches for some older AMD processors (AMD Opteron, Athlon and AMD Turion X2 Ultra families) earlier this week,” Papermaster wrote.” We expect this issue to be corrected shortly and Microsoft should resume updates for these older processors by next week.”
The company also said Linux vendors are currently distributing patches for AMD products. In addition, AMD said its AMD Radeon GPU products are not affected by either Meltdown or Spectre vulnerabilities because the architecture does not use speculative execution.