January 12, 2018 // 10:52 a.m.
AMD has confirmed that it is to release microcode updates for its Ryzen, Threadripper, and Epyc processors to protect against the Spectre vulnerability, which it describes as 'optional' for users whose operating systems have already received software mitigation patches.
Following the ahead-of-schedule announcement of the Meltdown and Spectre speculative execution vulnerabilities earlier this month, which exploits a performance-enhancing feature of modern processors to gain access to supposedly-protected memory locations, AMD was clear that its processors were fully protected against one of the three vulnerability variants, Meltdown, that there was 'near zero risk of exploitation' of another, Spectre Variant 2, and that software workarounds were on the way for the final variant, Spectre Variant 1.
Now, though, the company has changed its tune slightly with the admission that AMD chips are also vulnerable to Spectre Variant 2, branch target injection. 'While we believe that AMD's processor architectures make it difficult to exploit Variant 2, we continue to work closely with the industry on this threat,' explains AMD chief technical officer Mark Papermaster in a corporate update on the matter. 'We have defined additional steps through a combination of processor microcode updates and OS patches that we will make available to AMD customers and partners to further mitigate the threat.'
Those microcode updates, which are loaded by the system firmware at boot time to work around the hardware issues behind Spectre, will be released 'over the coming weeks' for Ryzen, Threadripper, and Epyc processors. Those running the company's older chips, before the release of the Zen microarchitecture, are not mentioned in the update, suggesting that any microcode updates for customers on anything other than AMD's latest parts will be delivered significantly later - or potentially not at all, relying instead on operating system level software protections against exploitation.
Microsoft has also confirmed that it has begun issuing Meltdown- and Spectre-related security patches to 'the majority' of users on older pre-Zen AMD processors, following the late discovery of an issue causing systems to fail to boot.
A precise release date for the microcode updates has yet to be provided.