Friday, January 12th 2018
AMD Confirms They are Affected by Spectre, too
The public disclosure on January 3rd that multiple research teams had discovered security issues related to how modern microprocessors handle speculative execution has brought to the forefront the constant vigilance needed to protect and secure data. These threats seek to circumvent the microprocessor architecture controls that preserve secure data.
At AMD, security is our top priority and we are continually working to ensure the safety of our users as new risks arise. As a part of that vigilance, I wanted to update the community on our actions to address the situation.Google Project Zero (GPZ) Variant 1 (Bounds Check Bypass or Spectre) is applicable to AMD processors.
We will provide further updates as appropriate on this site as AMD and the industry continue our collaborative work to develop mitigation solutions to protect users from these latest security threats.
Mark Papermaster,
Senior Vice President and Chief Technology Officer
At AMD, security is our top priority and we are continually working to ensure the safety of our users as new risks arise. As a part of that vigilance, I wanted to update the community on our actions to address the situation.Google Project Zero (GPZ) Variant 1 (Bounds Check Bypass or Spectre) is applicable to AMD processors.
- We believe this threat can be contained with an operating system (OS) patch and we have been working with OS providers to address this issue.
- Microsoft is distributing patches for the majority of AMD systems now. We are working closely with them to correct an issue that paused the distribution of patches for some older AMD processors (AMD Opteron, Athlon and AMD Turion X2 Ultra families) earlier this week. We expect this issue to be corrected shortly and Microsoft should resume updates for these older processors by next week. For the latest details, please see Microsoft's website.
- Linux vendors are also rolling out patches across AMD products now.
- While we believe that AMD's processor architectures make it difficult to exploit Variant 2, we continue to work closely with the industry on this threat. We have defined additional steps through a combination of processor microcode updates and OS patches that we will make available to AMD customers and partners to further mitigate the threat.
- AMD will make optional microcode updates available to our customers and partners for Ryzen and EPYC processors starting this week. We expect to make updates available for our previous generation products over the coming weeks. These software updates will be provided by system providers and OS vendors; please check with your supplier for the latest information on the available option for your configuration and requirements.
- Linux vendors have begun to roll out OS patches for AMD systems, and we are working closely with Microsoft on the timing for distributing their patches. We are also engaging closely with the Linux community on development of "return trampoline" (Retpoline) software mitigations.
- We believe AMD processors are not susceptible due to our use of privilege level protections within paging architecture and no mitigation is required.
We will provide further updates as appropriate on this site as AMD and the industry continue our collaborative work to develop mitigation solutions to protect users from these latest security threats.
Mark Papermaster,
Senior Vice President and Chief Technology Officer
44 Comments on AMD Confirms They are Affected by Spectre, too
On a serious note. I hope they fix it by ryzen 2 comes out. The exploit not the porn.
no paper, no proof exist but they don't take any chances.
This is so far, we'll see as stuff gets out if AMD is completely transparent about this but it matches findings by third party so far
The general purchasing rules have not changed. If you want to game most of the time and money is no limitation, go Intel. If you do anything else, research concerning your particular needs about which platform will serve best is needed. If you need good performance on a budget, go AMD. That is incorrect and a slight over-reaction. And you suggested this yourself; That is why Spectre is the worse problem. Some motherboard makers might not release bios patches for older equipment still in use, which is a potentially huge problem.
EDIT;
However, your general sentiment is correct. These problems are very serious if left unchecked.
The reality folks is this; If you want AMD, buy AMD. If you want Intel, buy Intel. If you want to get a nicer Android or Apple tablet or phone, then do so. These problems are bigger than usual, but they are none-the-less just but bumps in the road of technological progression. We create things that make life easier, more efficient or more fun and sometimes we find problems along the way that were not foreseen, or even foreseeable. We fix them, we move on.
EDIT2;
Grammar/spelling corrections. Good grief I need more sleep!
But ironically, AMD's statement proves only one thing: when you say there is "NEAR ZERO RISK", then there is. Have faith with Murphy.
This makes Spectre the big deal, since it's still not fully fixed. A full solution will most likely need and OS update, a microcode fix and a BIOS upgrade. Now, OS update is fairly easy, since people tend to install them. Same goes for microcode, if it can be supplied by the OS. But BIOS is another thing, since most people won't know or care, so their PCs will remain vulnerable.
BTW: it's also slightly more complicated with Meltdown. Much like Spectre, it exploits a very popular feature that can be found in many CPUs. On this forum people concentrated on Intel - possibly since there are so many Intel haters. :) But Meltdown also affects some CPUs from ARM, IBM's Power Archicetecture (and System z) and PowerPC. So quite a lot of stuff.
Meltdown also affects a lot of consoles!
AMD could be safe because they are now using Samsung's architecture, which doesn't use this mechanism. But it uses different ones, that weren't in the scope of performed tests. If anything, it's exactly the opposite.
A) If AMD is not affected by anything similar to Meltdown (which we don't know yet), it's a tie on security front.
B) If AMD is affected by something similar, then it simply hasn't been found and fixed yet.
So if you assume P(B) = 0, then it's a tie on security front, so you still buy CPUs like before - based on other aspects.
But if P(B) > 0, then it's actually Intel who has the advantage.
In the end it seems obvious that security problems are be first found and (hopefully) fixed on the most popular products. Look at Google Project Zero: they tested some CPUs from Intel, ARM and AMD. They only found the Intel one to be affected. But ARM is also affected - they said it themselves, they've shown proof and a full list of affected chips. Project Zero simply didn't succeed in their attempt. And they didn't check IBM at all.
Truth be told: AMD is the last large CPU designer that didn't provide comprehensive research results on the matter - even for Spectre, which they confirmed to be affected to.
That doesn't make any sense. Can you link an example of what you consider "comprehensive research results" from another manufacturer to use as an example?