AMD Releases Spectre Mitigations

AMD has released a set of fixes for the Spectre vulnerability, which affects several of its processors and could lead to sensitive data leaking from them.

The Spectre and Meltdown vulnerabilities surfaced in January and led to a scramble among hardware vendors and software makers to develop and implement mitigations. Because the vulnerabilities exist at the processor level, the patching process has been more complex and time-consuming than would be typical for a normal set of bugs. While some software makers implemented mitigations for the vulnerabilities relatively quickly, the hardware-level changes have taken more time.

This week, AMD officials said the company had released low-level code changes to address Spectre, a bug that allows an attacker to use a special technique to force an application to leak sensitive data such as passwords.

“Today, AMD is providing updates regarding our recommended mitigations for Google Project Zero (GPZ) Variant 2 (Spectre) for Microsoft Windows users. These mitigations require a combination of processor microcode updates from our OEM and motherboard partners, as well as running the current and fully up-to-date version of Windows. For Linux users, AMD recommended mitigations for GPZ Variant 2 were made available to our Linux partners and have been released to distribution earlier this year,” Mark Papermaster, senior vice president and CTO at AMD, said.

Both Spectre and Meltdown take advantage of a technique called speculative execution that allows processors to execute some instructions before it is certain whether those instructions should actually be executed. The flaws enable an attacker to break the isolation between applications and access memory that should be off-limits. AMD released the fixes on the same day Microsoft pushed out software mitigations for Spectre on Windows machines running AMD processors.

“While we believe it is difficult to exploit Variant 2 on AMD processors, we actively worked with our customers and partners to deploy the above described combination of operating system patches and microcode updates for AMD processors to further mitigate the risk,” Papermaster said.

Intel has released some microcode mitigations for its processors that are affected by Spectre, and others are still in the works. However, the company has released a guide that shows there are some processors that won’t receive fixes, either because they’re not very popular or because the possibility of exploitation is low. Those processors that won’t receive microcode updates include the Bloomfield and Clarkdale lines.

“After a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products for one or more reasons,” the Intel guidance says.