AMD backtracks on 'near zero risk' processor claim
Vendor admits its CPUs are vulnerable and starts issuing patches for both Spectre variants
Processor maker AMD has backtracked on its claims that its processors had "near zero risk" to the Spectre security flaw with a more comprehensive statement acknowledging that it will issue microcode and OS patch updates to protect customers.
AMD, in a corporate blog post, admitted that the two variants of the Spectre vulnerabilities identified by Google Project Zero apply to its processors, although it said the third vulnerability, known as Meltdown, is not applicable.
This stood in contrast to AMD's original response on January 3rd to the Spectre and Meltdown vulnerabilities when it blogged that there was currently "near-zero risk" to its processors from vulnerabilities associated with the Spectre and Meltdown issues.
An AMD spokesperson said in a statement that the company does not need to release any firmware or OS updates to address the Spectre and Meltdown issues.
This was followed by a report from Microsoft that some users who installed the latest Windows security update issued in response to the Spectre and Meltdown vulnerabilities on AMD processor-based devices found those devices forced into an unbootable state.
As a result, Microsoft temporarily halted Windows OS updates to devices with AMD processors affected by this apparent bug, including nine updates released since January 3rd with the security-only Spectre and Meltdown update among them (KB4056897). Microsoft also detailed troubleshooting steps for blue screen errors affecting Windows 7, Windows 8.1 and Windows 10.
The Meltdown and Spectre vulnerabilities refer to a flaw in the design of many server processors could potentially allow unauthorised users to either read the kernel memory from the user space memory or to read the contents of memory from other running programs. Many of these processors are central to storage systems.
Spectre and Meltdown account for three variants of the side-channel analysis security issue first identified by the Google Zero Project team and other researchers who found that Intel, AMD, and ARM Holdings processors commonly used in servers and PCs could allow unauthorized users to examine privileged information in memory in certain circumstances. Apple also said its Mac and iOS devices could be vulnerable.
To date, there have been no known exploits of the security issue.
Mark Papermaster, AMD senior vice president and CTO, wrote in his blog post last week that the company had updated its take on the security risks caused by the processor design flaws and actions the company has taken.