April 11, 2018 // 10:37 a.m.
AMD has finally released the first microcode updates designed to protect users against the Spectre vulnerability present in the company's processors, three months after the flaw's public disclosure.
Announced back in January following an earlier leak, Spectre is one of a family of attacks which leverage flaws in the speculative execution system implemented in the vast majority of modern mainstream processors as a way of boosting performance to access supposedly-protected memory contents - including private keys and passwords. Since its unveiling, Intel - which is affected by both Spectre and a related vulnerability dubbed Meltdown - has been working to release microcode patches to work around the flaws in its processors, though initially somewhat unsuccessfully, while its rival AMD has been rather quieter on the matter.
Now, three months after the flaws were made public, AMD has released its first microcode update. 'Today, AMD is providing updates regarding our recommended mitigations for Google Project Zero (GPZ) Variant 2 (Spectre) for Microsoft Windows users. These mitigations require a combination of processor microcode updates from our OEM and motherboard partners, as well as running the current and fully up-to-date version of Windows,' writes AMD chief technology officer Mark Papermaster in a blog post. 'While we believe it is difficult to exploit [Spectre] Variant 2 on AMD processors, we actively worked with our customers and partners to deploy the above described combination of operating system patches and microcode updates for AMD processors to further mitigate the risk.'
Protections against both Spectre variants had previously been made available in software patches for the Linux operating system, but Windows users were left vulnerable to Variant 2. AMD's work with Microsoft brings protections to Windows 10 as of yesterday's Patch Tuesday, with an update for Windows Server 2016 due to land in the near future. No update has been released for older Windows versions, however, meaning that users yet to upgrade will be forced to rely on protections included in AMD's microcode update. This microcode, which needs to be integrated into firmware updates to be applied to motherboards hosting AMD processors, has been distributed to 'customers and ecosystem partners' but has yet to land in the public's hands, and covers processors through to Bulldozer cores from 2011 - but nothing earlier.
As with Intel before it, AMD has made no promises to issue fixes for vulnerable parts older than 2011.