After initially claiming a “near-zero risk of exploitation” for the second variant of Spectre, AMD admitted that its CPUs are vulnerable to both Spectre variants. However, its CPUs remain unaffected by Meltdown, which only impacts Intel’s CPUs. AMD also started issuing patches for Spectre.
Spectre Variant 1
AMD believes that the first Spectre variant (CVE-2017-5753), which is a bounds check bypass, can be contained with an operating system update. The company said it’s working with Microsoft to deploy the patch and to also resolve an issue with certain older AMD systems that stop booting after receiving the patch.
Linux vendors have also begun rolling out this patch.
Spectre Variant 2
The Spectre variant 2 (CVE-2017-5715) is a branch target injection vulnerability, and it’s also the one AMD first thought wouldn’t affect its CPUs. The company continues to believe that its processor architecture makes it difficult to exploit this flaw. However, AMD will also put some protections in place, which the company will deliver through both microcode and OS updates.
AMD will make microcode updates optional for Ryzen and EPYC customers starting this week. Previous generation CPUs will receive the updates over the coming weeks. The updates will not come directly from AMD, but from system and OS providers, so users will need to check if they’ve received the updates from them.
The company is working with Microsoft on the timing of the patch release for this second variant of Spectre. Linux vendors have already started providing the patch, and AMD is also working closely with them to develop a new software protection called “Retpoline,” which would prevent branch target injection. Retpoline would allow indirect branches to be isolated from speculative execution, a CPU feature meant to improve performance but also the root cause of the Spectre vulnerabilities.
AMD believes that the Meltdown vulnerability (CVE-2017-5754) doesn’t affect its CPUs due to the company’s use of privilege level protections within the paging architecture. The company said that no mitigation will be required for this bug.
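On Linux, one way to check whether the OS-side mitigations described above have arrived is to read the kernel's per-vulnerability status files. The script below is an added example, not from the original article or from AMD; it assumes a kernel recent enough to expose /sys/devices/system/cpu/vulnerabilities, and the function names and the VULN_DIR variable are hypothetical.

```shell
#!/bin/sh
# Added example: classify the kernel's self-reported Spectre/Meltdown status.
# VULN_DIR is a hypothetical override so the logic can be tested offline.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STRING -> not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;   # empty or unrecognised status
    esac
}

# uses_retpoline STRING -> exit 0 only when retpoline is an active mitigation.
# A line that starts with "Vulnerable" but mentions retpoline does not count.
uses_retpoline() {
    case "$1" in
        Mitigation:*[Rr]etpoline*) return 0 ;;
        *)                         return 1 ;;
    esac
}

# report_one NAME -> prints "NAME: CLASS" (with "+retpoline" when applicable)
report_one() {
    f="$VULN_DIR/$1"
    s=""
    # A missing file means the kernel predates this reporting interface.
    if [ -r "$f" ]; then s=$(cat "$f"); fi
    c=$(classify_status "$s")
    if uses_retpoline "$s"; then c="$c+retpoline"; fi
    echo "$1: $c"
}

# report_all -> prints all three entries; returns 1 if any needs attention
report_all() {
    rc=0
    for n in spectre_v1 spectre_v2 meltdown; do
        line=$(report_one "$n")
        echo "$line"
        case "$line" in *": vulnerable"*|*": unknown"*) rc=1 ;; esac
    done
    return $rc
}

# Check the running host.
report_all || echo "action needed: get kernel/microcode updates from your OS or system vendor"
```

An "unknown" result usually means the kernel has not been updated at all, so it is treated the same as "vulnerable" for the exit status.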
GPUs Are Immune
Like Nvidia’s GPUs, AMD’s GPUs are not susceptible to these vulnerabilities because they don’t use speculative execution.