Yesterday, Microsoft and AMD released microcode and operating system security patches against Spectre attacks.
As soon as the Spectre and Meltdown vulnerabilities were discovered, AMD downplayed their impact on its processors. However, the company promised to release microcode updates and add protections against these attacks to its future CPUs.
According to experts, Meltdown attacks leverage the CVE-2017-5754 vulnerability, while Spectre attacks most probably rely on CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). In AMD's case, the Meltdown attack did not affect the company's processors thanks to their design, and Spectre Variant 1 can be addressed with software patches.
Mitigating Spectre Variant 2 attacks requires a combination of microcode and operating system updates, which AMD and Microsoft released yesterday.
“While we believe it is difficult to exploit Variant 2 on AMD processors, we actively worked with our customers and partners to deploy the above described combination of operating system patches and microcode updates for AMD processors to further mitigate the risk,” the senior vice president and chief technology officer at AMD, Mark Papermaster, said.
Computer users can obtain microcode updates from device manufacturers via BIOS updates, which have been developed for AMD processors dating back to the first Bulldozer core products launched in 2011. The company has also published a document describing the indirect branch control feature created to mitigate indirect branch target injection attacks such as Spectre Variant 2.
The Windows 10 updates that Microsoft released yesterday include Spectre Variant 2 mitigations for AMD devices. After being validated and tested, the patches are also expected to become available for Windows Server 2016.
Shortly after the CPU vulnerabilities were disclosed in January, Microsoft started releasing Spectre patches for devices with AMD processors. However, due to instability issues, the company was forced to temporarily suspend the updates.
For Linux devices, AMD said that mitigations for Spectre Variant 2 were made available earlier this year.
Although AMD processors turn out to be less impacted than Intel products, lawsuits have still been filed against the company over the Spectre vulnerabilities.