AMD Working on Microcode Updates to Mitigate Spectre Attack
AMD has informed customers that it will soon release processor microcode updates that should mitigate one of the recently disclosed Spectre vulnerabilities, and Microsoft has resumed delivering security updates to devices with AMD CPUs. Shortly after researchers revealed the Spectre and Meltdown attack methods, which allow malicious actors to bypass memory isolation mechanisms and access sensitive data, AMD announced that the risk of attacks against its products was “near zero.” The company has now provided additional information on the matter, but maintains that the risk of attacks is low.
According to AMD, its processors are not vulnerable to Meltdown attacks thanks to their architecture. They are, however, vulnerable to Spectre attacks. Spectre attacks are made possible by two vulnerabilities: CVE-2017-5753 and CVE-2017-5715.
The former does impact AMD processors, but the chipmaker is confident that operating system patches are sufficient to mitigate any potential attacks. Microsoft announced a few days ago that it had suspended the delivery of security updates to devices with AMD processors due to some compatibility issues. AMD said the problem affected some older processors, including Opteron, Athlon and Turion families.
Microsoft said on Thursday that it had resumed the delivery of updates to a majority of AMD devices, expect for a “small subset” of older processors. AMD told customers it expects the issue to be corrected for the remaining processors by next week. As for the second Spectre vulnerability, AMD believes it is difficult to exploit against its products.
Nevertheless, the company has been working with operating system vendors to develop patches, and it has also promised to provide optional microcode updates. The microcode updates should become available for Ryzen and EPYC processors in the next days, and for previous generation products sometime over the coming weeks. The updates will be available from system manufacturers and OS vendors.
AMD claims its GPUs are not impacted by the vulnerabilities. NVIDIA also says its GPUs are immune, but the company has still provided some display driver updates to help mitigate the CPU flaws. Intel has already released patches, including processor microcode updates, for many of its processors. Linux users can install the microcode updates through the operating system’s built-in mechanism.
The fixes for the Spectre and Meltdown vulnerabilities appear to cause problems on some systems. Ubuntu users complained that their devices failed to boot after installing updates, forcing Canonical to release a new kernel update to address the issue. Intel has also become aware of reports that systems with Broadwell and Haswell CPUs reboot more often as a result of the patches.
“We are working quickly with these customers to understand, diagnose and address this reboot issue. If this requires a revised firmware update from Intel, we will distribute that update through the normal channels. We are also working directly with data center customers to discuss the issue,” the company stated.
Related: IBM Starts Patching Spectre, Meltdown Vulnerabilities Related: Microsoft, Intel Share Data on Performance Impact of CPU Flaw Patches Related: Lawsuits Filed Against Intel Over CPU Vulnerabilities
- ^ Spectre and Meltdown (www.securityweek.com)
- ^ suspended (www.securityweek.com)
- ^ NVIDIA (www.securityweek.com)
- ^ patches (www.securityweek.com)
- ^ failed to boot (www.securityweek.com)
- ^ stated (newsroom.intel.com)
- ^ IBM Starts Patching Spectre, Meltdown Vulnerabilities (www.securityweek.com)
- ^ Microsoft, Intel Share Data on Performance Impact of CPU Flaw Patches (www.securityweek.com)
- ^ Lawsuits Filed Against Intel Over CPU Vulnerabilities (www.securityweek.com)
- ^ Industry Reactions to Meltdown, Spectre Attacks (www.securityweek.com)