AMD Backtracks On 'Near Zero Risk' Processor Claims, Now Must Issue Updates To Combat Spectre
Processor maker AMD on Thursday backtracked on its claims that its processors had "near zero risk" to the Spectre security flaw with a more comprehensive statement acknowledging that it will issue microcode and OS patch updates to protect customers.
AMD, in a Thursday corporate blog post, admitted that the two variants of the Spectre vulnerabilities identified by Google Project Zero apply to the Sunnyvale, Calif.-based processor manufacturer's processors, although it said the third vulnerability, known as Meltdown, is not applicable.
This stood in contrast to AMD's original response on January 3 to the Spectre and Meltdown vulnerabilities when it blogged that there was currently "near-zero risk" to its processors from vulnerabilities associated with the Spectre and Meltdown issues.
An AMD spokesperson told CRN at the time that the company does not need to release any firmware or OS updates to address the Spectre and Meltdown issues.
This was followed Tuesday by a report from Microsoft that some users who installed the latest Windows security update issued in response to the Spectre and Meltdown vulnerabilities on AMD processor-based devices found those devices forced into an unbootable state.
As a result, Microsoft temporarily halted Windows OS updates to devices with AMD processors affected by this apparent bug, including nine updates released since January 3 with the security-only Spectre and Meltdown update among them (KB4056897). Microsoft also detailed troubleshooting steps for blue screen errors affecting Windows 7, Windows 8.1 and Windows 10.
The Meltdown and Spectre vulnerabilities refer to a flaw in the design of many server processors that could potentially allow unauthorized users to either read the kernel memory from the user space memory or to read the contents of memory from other running programs. Many of these processors are central to storage systems.
Spectre and Meltdown account for three variants of the side-channel analysis security issue first identified by the Google Project Zero team and other researchers who found that Intel, AMD, and ARM Holdings processors commonly used in servers and PCs could allow unauthorized users to examine privileged information in memory in certain circumstances. Apple also said its Mac and iOS devices could be vulnerable.
To date, there have been no known exploits of the security issue.
Mark Papermaster, AMD senior vice president and CTO, wrote in his Thursday blog post that the company had updated its take on the security risks caused by the processor design flaws and actions the company has taken.
Papermaster now says the second Spectre vulnerability, called branch target injection, is applicable to AMD processors, although exploiting the vulnerability would be difficult. The company is this week providing optional microcode updates for its Ryzen and EPYC processors and plans to offer such patches on other processors over the coming weeks. It is working with the software vendors to bring patches to customers as well.
AMD had previously said there was no impact on its processors from the branch target injection and rogue data cache load variants. An AMD spokesperson had told CRN at the time that the vendors AMD works with, such as Microsoft and Linux, have resolved the bounds check bypass through software and OS updates with "negligible performance impact expected."
Microsoft temporarily halted distribution of patches for some older AMD Opteron, Athlon and Turion X2 Ultra processors, but is expected to resume updates next week, AMD said. Linux vendors are also now patching their operating systems for AMD processors, Papermaster wrote.
Papermaster also said AMD's processors are not susceptible to the rogue data cache load vulnerability known as Meltdown due to its use of privilege level protection with its paging architecture, and as a result, it sees no need to provide any mitigation.
AMD does not expect issues with its Radeon GPU architectures as they do not use the speculative execution feature at the heart of the Spectre and Meltdown processor vulnerabilities, he wrote.
"We will provide further updates as appropriate on this site as AMD and the industry continue our collaborative work to develop mitigation solutions to protect users from these latest security threats," he wrote.
AMD did not respond to a CRN request for further information by press time.
Alec Shirkey and Mark Haranas contributed to this story.