Plenty of ink has been spilled in the past week regarding Meltdown and Spectre, the critical CPU vulnerabilities discovered in 2017 and revealed by The Register ahead of the official disclosure date last week. An understandable focus has been placed on Meltdown, AKA Rogue Data Cache Load, the third flaw and generally understood to be the most severe, which particularly affects Intel's CPU architectures stretching back over a decade. The two others, Spectre 1 and Spectre 2, are less discussed but potentially still far-reaching, as they impact commonly used methodologies for speculative execution across all CPU families.
Three distinct vulnerabilities have been uncovered, but the focus on Meltdown (and somewhat unclear statements made by CPU and OS vendors) has caused some confusion over just who is vulnerable to what, and so AMD have taken it upon themselves to be more up-front about how their CPUs are affected by Spectre 1, 2 and Meltdown. In summary:
1. Spectre Variant 1 AKA Bounds Check Bypass is applicable to AMD CPUs, but can be mitigated by an OS patch. Both Windows and Linux distros are in the process of issuing patches to address the vulnerability, and AMD are working with Microsoft to correct an issue uncovered this weekend which caused the patch to render systems with older (AMD Opteron, Turion X2 and Athlon) CPUs unresponsive.
2. Spectre Variant 2 AKA Branch Target Injection is applicable to AMD CPUs, but difficult to execute due to their architecture. Microcode patches and OS updates are being formulated to mitigate the threat posed by this vulnerability. Microcode updates to Ryzen and EPYC-class CPUs will be available this week, and older generations of AMD architectures will be addressed in the coming weeks.
3. Meltdown AKA Rogue Data Cache Load is not applicable to AMD CPUs (it is believed).
Furthermore, as AMD GPUs do not use speculative execution, they are not vulnerable to these specific threats.
Hats off to AMD for being up-front, although it is disappointing that there were major hiccups with the Windows 10 patch roll-out for older systems. More widely, the ramifications of Spectre and Meltdown are unlikely to be negligible, with some service providers already reporting significantly higher CPU usage in the wake of applying the patch.
AMD's full updated statement can be found at https://www.amd.com/en/corporate/speculative-execution.
SOURCE: AMD.com