AMD Starts Issuing Patches For Both Spectre Variants

After initially claiming a “near-zero risk of exploitation” for the second variant of Spectre, AMD admitted that its CPUs are vulnerable to both Spectre variants. However, its CPUs remain unaffected by Meltdown, which only impacts Intel’s CPUs. AMD also started issuing patches for Spectre.

Spectre Variant 1

AMD believes that the first Spectre variant (CVE-2017-5753), which is a bounds check bypass, can be contained with an operating system update. The company said it’s working with Microsoft to deploy the patch and to also resolve an issue with certain older AMD systems that stop booting after receiving the patch.

Linux vendors have also begun rolling out this patch.

Spectre Variant 2

Spectre variant 2 (CVE-2017-5715) is a branch target injection vulnerability, and it’s also the one AMD first thought wouldn’t affect its CPUs. The company continues to believe that its processor architecture makes it difficult to exploit this flaw. However, AMD will also put some protections in place, which the company will deliver through both microcode and OS updates.

AMD will make microcode updates optional for Ryzen and EPYC customers starting this week. Previous generation CPUs will receive the updates over the coming weeks. The updates will not come directly from AMD, but from system and OS providers, so users will need to check if they’ve received the updates from them.

The company is working with Microsoft on the timing of the patch release for this second variant of Spectre. Linux vendors have already started providing the patch, and AMD is also working closely with them to develop a new software protection called “Retpoline,” which would prevent branch target injection. Retpoline would allow indirect branches to be isolated from speculative execution, a CPU feature meant to improve performance but also the root cause of the Spectre vulnerabilities.

Meltdown

AMD believes that the Meltdown vulnerability (CVE-2017-5754) doesn’t affect its CPUs due to the company’s use of privilege level protections within the paging architecture. The company said that no mitigation will be required for this bug.
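
Because the updates arrive through system and OS vendors, the practical question on a given machine is what the running kernel reports for each of the three issues above. The following is an added example, not code from AMD or from the article: it assumes a Linux kernel that exposes per-issue status files under /sys/devices/system/cpu/vulnerabilities, and the SAMPLE strings are constructed for illustration and used only when that directory is absent.

```python
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# sysfs file name -> (CVE, name used in the article)
ISSUES = {
    "spectre_v1": ("CVE-2017-5753", "Spectre variant 1"),
    "spectre_v2": ("CVE-2017-5715", "Spectre variant 2"),
    "meltdown": ("CVE-2017-5754", "Meltdown"),
}
# Constructed sample status lines (assumption), used when SYSFS_DIR is absent.
SAMPLE = {
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal AMD ASM retpoline\n",
    "meltdown": "Not affected\n",
}

def classify(status):
    """Map one status line to (state, detail)."""
    text = status.strip()
    if text == "Not affected":
        return "not_affected", ""
    if text.startswith("Mitigation:"):
        return "mitigated", text[len("Mitigation:"):].strip()
    if text.startswith("Vulnerable"):
        return "vulnerable", text[len("Vulnerable"):].lstrip(": ").strip()
    return "unknown", text

def read_sysfs(directory=SYSFS_DIR):
    """Read each status file; None means the kernel does not report it."""
    paths = {name: directory / name for name in ISSUES}
    return {n: p.read_text() if p.is_file() else None for n, p in paths.items()}

def report(raw):
    """Build one row per issue from {file name: status text or None}."""
    rows = []
    for name, (cve, label) in ISSUES.items():
        state, detail = classify(raw[name]) if raw.get(name) else ("unreported", "")
        rows.append({"cve": cve, "issue": label, "state": state, "detail": detail})
    return rows

def needs_action(rows):
    """CVEs that are neither mitigated nor reported as not affected."""
    return [r["cve"] for r in rows if r["state"] not in ("mitigated", "not_affected")]

if __name__ == "__main__":
    rows = report(read_sysfs() if SYSFS_DIR.is_dir() else SAMPLE)
    for r in rows:
        print(r["cve"], r["issue"], r["state"], r["detail"], sep=" | ")
    print("Needs attention:", needs_action(rows) or "none")
```

A state of "unreported" means the kernel lacks this reporting interface, which says nothing about whether the CPU is affected.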

GPUs Are Immune

Like Nvidia’s GPUs, AMD’s GPUs are not susceptible to these vulnerabilities because they don’t use speculative execution.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • SteveRNG
    So does this mean everyone will shut the and stop saying this is an Intel problem, that it's a sign of Intel's greed and admit that maybe the people that develop devices that literally contain billions of elements might not find every possible potential problem?

    Everybody is affected; ARM, AMD, and Intel. Perhaps some are affected less than others, but it seems like the constant harping on the 22 year old design imperfection is just a little too bitchy. Yes, the performance loss could be problematic. And the stability problems of the patches are the cause of everyone freaking out and pushing patches ASAP. But the root cause is not a Zionist Conspiracy! Find it. Fix it. Adjust your expectations and move on ... please!
  • RedFIveStandingBy
    LIARS!!!!!!!! Defend them all you want they claimed immunity from these bugs to make their competition look worse. Slimey move AMD
  • barryv88
    20588080 said:
    LIARS!!!!!!!! Defend them all you want they claimed immunity from these bugs to make their competition look worse. Slimey move AMD

    Oh nonsense! They never claimed immunity from any official announcement. The only difference is that AMD CPUs are far less affected and the performance hits are miniature as well. That's pretty much the bottom line!

  • kinney
    People are focusing on Intel because they're the only player that really matters. It's not to beat up on precious Intel. That's why #IntelMeltdown is the meme even in the press. Intel is in the vast majority of the world's datacenters, and the majority of desktops. They run a lot of varied software, it's the wild west. Your phone is a non-issue, it's patched and you move on. Not the case with servers.

    AMD is in an enviable position and someone deserves a raise there for their architectural choices. Spectre needs protected against, but the big flaw (Meltdown) is not an issue.

    The performance impact for Intel is huge, and it's understated in the press. They don't want to anger their masters at Intel by pumping this up.
    Patch tracking, not even fully patched yet: https://gist.github.com/woachk/2f86755260f2fee1baf71c90cd6533e9
    Java compilation, 75%+ loss: https://twitter.com/PCzanik/status/949275491617464320
    Server impact, 30%+: https://imgur.com/a/zYRap#HGvuXnc
    Gaming minimum framerates, 50%+: https://np.reddit.com/r/pcmasterrace/comments/7obokl/performance_impact_of_windows_patch_and_bios/

    That's gaming, the main "concern" for most kids on sites like this. Be interesting to see how this all pans out once the dust settles in a few months, but don't expect the above results to be the end of the performance hit on your Intel rigs. Expect games that stream textures to get absolutely hammered on minimum framerates. Given that minimum frames are the most important aspect for gamers (only as good as the worst performance), this is huge.

    The good news is that CPUs have been overpowered for a long time, so the loss isn't going to do anything but butthurt those who live life as benchmark queens. You can also just ignore and not test for minimum framerates, 0.1% lows etc and pretend there's nothing to see here. :)

    But buying Ryzen isn't a bad idea, hop on the AM4 bandwagon.
  • The_Bytemaster
    20588080 said:
    LIARS!!!!!!!! Defend them all you want they claimed immunity from these bugs to make their competition look worse. Slimey move AMD
    AMD has been saying they were less vulnerable almost from the beginning. They are not vulnerable to the Meltdown at all, which is the easiest to exploit. They have said they were vulnerable to variant 1 of Spectre since the beginning, but that there was a very low chance of being vulnerable to Variant 2 due to their architecture. It has only changed in that they say they may be vulnerable to variant 2, but that it is extremely difficult for someone to exploit due to their architecture. They are issuing microcode updates just to be certain.

    What IS slimy is Intel always lumping all three variants (2 Spectre and 1 Meltdown) together. They are three different things, really. Meltdown really comes down to not checking security before you do a calculation. Spectre is a new technique that utilizes timing information to put together a picture of other code, if I understand it correctly. To be honest, I can't believe that Intel thought that checking the security at the end instead of upfront was a good idea.
  • redgarl
    20588080 said:
    LIARS!!!!!!!! Defend them all you want they claimed immunity from these bugs to make their competition look worse. Slimey move AMD

    AMD is not affected by Meltdown. They only updated saying one of the Spectre variants is now a plausible threat.

    They never said they were immune to Spectre, they only said there was really low probability that it would be an issue.

    Stop your fanboyism and enjoy your Meltdown.
  • cryoburner
    20587925 said:
    After initially claiming a “near-zero risk of exploitation” for the second variant of Spectre, AMD admitted that its CPUs are vulnerable to both Spectre variants.

    Actually, going by the article linked to there, AMD still believes that their architecture should make variant 2 of Spectre difficult to exploit, but they are providing optional microcode updates just to be safe. Nothing really changed. They're just proactively making an optional patch available in case someone were to find a way to perform a similar exploit on their hardware. And of course, they are still not vulnerable to Meltdown at all.
  • nitrium
    So are tech sites going to be publishing extensive benchmarks across Intel and AMD systems past and present to see who is ultimately the most affected post-patch? They've been awfully quiet so far (absolutely nothing on AnandTech or Tom's), although I guess the sheer number of systems that needed to be (gotten hold of and) tested to get a good understanding of which CPUs are most affected by the Spectre/Meltdown patches is quite an undertaking.
    My own internal testing of the Meltdown Patch on two Intel systems (an i5 760 and an i3 4130) showed relatively minor performance degradation, but I gather the Spectre Patch is much more damaging.
  • cryoburner
    20593455 said:
    So are tech sites going to be publishing extensive benchmarks across Intel and AMD systems past and present to see who is ultimately the most affected post-patch? They've been awfully quiet so far (absolutely nothing on AnandTech or Tom's), although I guess the sheer number of systems that needed to be (gotten hold of and) tested to get a good understanding of which CPUs are most affected by the Spectre/Meltdown patches is quite an undertaking.
    I would definitely like to see that, but it's probably better to wait a bit to make sure all the test hardware and software is patched, and that things have had a bit of time to settle. There might be optimizations or further adjustments following the initial patches. Of course, I'd also like to see tests with combinations of BIOS updates and OS/driver updates both enabled and disabled. And samples of hardware from a number of processor generations, maybe even stretching back 10 years or so. It would certainly be a large undertaking to perform these tests properly. Maybe they could start with a selection of processors from the last few years, and then move on to older hardware at a later time. Plus, lots of other hardware might potentially affect how much impact the patches will have, such as memory speed or storage medium, which may require a number of articles exploring the performance impacts of different supporting hardware. The impact on the higher-end system like Tom's normally tests CPUs with might not necessarily be entirely representative of the hardware that the majority of people are using, after all.