Now that CES is winding down, attention is returning to the response to the major vulnerabilities caused by oversights in the way speculative execution is handled in most modern processors. Yesterday, AMD's Senior VP and CTO Mark Papermaster wrote the company's first response to the developing problem since January 3. Google's Project Zero (GPZ) divided Meltdown and Spectre into three different classes of attack, and Papermaster laid out AMD's planned response to each. Most notably, the company will issue microcode updates for Ryzen and Epyc CPUs as a preventive measure against one of the Spectre variants.
AMD's chips are vulnerable to GPZ Variant 1 (Spectre, Bounds Check Bypass). The company believes this issue can be solved with operating system patches. The chip design firm says that Microsoft is distributing patches to the majority of AMD-powered systems already, and that problems with the patches on older Opteron, Athlon, and Turion X2 systems will be resolved by next week. The company says Linux vendors are distributing patches to their users, as well.
Things are a little different when it comes to the GPZ Variant 2 vulnerability (Spectre, Branch Target Injection). On January 3 the company said:
Differences in AMD architecture mean there is a near-zero risk of exploitation by this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date.
The company now says that while it thinks that GPZ Variant 2 is difficult to exploit on its chips, it'll still work with its partners to release microcode updates and OS patches to mitigate the vulnerability. AMD plans to issue optional microcode updates for its current Ryzen and Epyc chips this week, and expects to have patches for previous-generation products "in the coming weeks." The updates will reach end users through system providers and OS vendors. AMD will work with Microsoft to determine the appropriate timing for distributing Windows updates. Linux vendors are already distributing patches, and AMD says it's working with the Linux community to develop "return trampoline" software mitigations.
AMD still maintains that its processors are not vulnerable to the GPZ Variant 3 exploit (Meltdown, Rogue Data Cache Load) and that no updates are needed to protect systems from it.
Papermaster also notes that the company's Radeon GPUs do not use speculative execution and that no updates to its graphics drivers or associated software are necessary. He concludes the update by remarking that AMD will continue to work with the rest of the technology industry to mitigate Meltdown and Spectre.