Today’s Patch Tuesday helps harden AMD CPUs against Spectre

Today is April's Patch Tuesday for Microsoft operating systems, and AMD CPU owners will want to fire up Windows Update as soon as possible. This round of patching includes operating-system-level mitigations for Spectre Variant 2, also known as CVE-2017-5715, on at least some AMD processors running Windows 10. The update exposes control over the Indirect Branch Prediction Barrier, or IBPB, within AMD CPUs that support the feature. According to AMD's latest security white paper, using the IBPB is the company's recommended mitigation for Spectre Variant 2.

While its CPUs do support other ways of controlling the branch predictor, namely a bit for Indirect Branch Restricted Speculation (IBRS), which keeps indirect-branch predictions from being influenced by code that ran earlier at a lower privilege level, and a bit for Single Thread Indirect Branch Predictors (STIBP), which keeps a sibling thread on the same core from influencing this thread's predictions, AMD does not recommend employing those methods as "performant" mitigations against Spectre.

Downloading operating system updates isn't enough to protect affected systems, either. AMD says that owners of its products will also need to check OEM or motherboard partner websites for firmware updates that mitigate the vulnerability, since the microcode carried in those updates is what makes the IBPB control available for the operating system to use. We were able to fully patch one of our Ryzen systems this way, and quick benchmarks suggest that any performance impact is minor—about 3% or so for the JavaScript benchmarks we use as a gauge of day-to-day performance impacts. That's in line with our results for Spectre mitigations on recent Intel systems. In fact, the impact appears to be less severe on Ryzen CPUs overall.
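The two paragraphs above describe three hardware controls (IBPB, IBRS, STIBP) and note that the firmware update is what exposes them. Here is an added example, not code from the article or from AMD, of how a practitioner can check which of those controls the processor actually advertises after the firmware update: AMD reports them as feature bits in EBX of CPUID leaf 0x80000008 (bit 12 IBPB, bit 14 IBRS, bit 15 STIBP, with IBPB driven through the PRED_CMD MSR and IBRS/STIBP through SPEC_CTRL). Those bit positions are taken from AMD's white paper and are treated here as an assumption to verify against current AMD documentation; the decoder is separated from the CPUID query so the bit layout can be exercised with constructed register values on any machine, and the live query only runs on x86 and only on an AMD vendor string.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* Feature bits in EBX of CPUID Fn8000_0008 as documented for AMD CPUs in
 * AMD's Spectre mitigation white paper. The bit positions are this
 * example's assumption; confirm them against current AMD documentation.
 * On Ryzen parts they only appear once firmware has loaded the updated
 * microcode, which is why the OS patch alone is not enough. */
#define AMD_CPUID_IBPB   (1u << 12)  /* MSR PRED_CMD (0x49) bit 0: barrier */
#define AMD_CPUID_IBRS   (1u << 14)  /* MSR SPEC_CTRL (0x48) bit 0 */
#define AMD_CPUID_STIBP  (1u << 15)  /* MSR SPEC_CTRL (0x48) bit 1 */

struct spec_features {
    int ibpb;   /* Indirect Branch Prediction Barrier */
    int ibrs;   /* Indirect Branch Restricted Speculation */
    int stibp;  /* Single Thread Indirect Branch Predictors */
};

/* Pure decoder: takes the raw EBX value so it can be tested offline. */
struct spec_features decode_amd_spec_features(uint32_t ebx)
{
    struct spec_features f;
    f.ibpb  = (ebx & AMD_CPUID_IBPB)  != 0;
    f.ibrs  = (ebx & AMD_CPUID_IBRS)  != 0;
    f.stibp = (ebx & AMD_CPUID_STIBP) != 0;
    return f;
}

/* Map the exposed controls to the recommendation the article relays:
 * IBPB is AMD's preferred Variant 2 mitigation, IBRS/STIBP exist but are
 * not recommended as the "performant" option, and nothing exposed means
 * the firmware/microcode update has not been applied yet. */
const char *recommended_v2_mitigation(struct spec_features f)
{
    if (f.ibpb)
        return "IBPB";
    if (f.ibrs || f.stibp)
        return "IBRS/STIBP only (not AMD's preferred option)";
    return "none exposed (firmware/microcode update still needed)";
}

/* CPUID leaf 0 returns the vendor string in EBX:EDX:ECX order
 * ("Auth" "enti" "cAMD"); registers are read little-endian on x86. */
int is_amd_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    char vendor[13];
    memcpy(vendor, &ebx, 4);
    memcpy(vendor + 4, &edx, 4);
    memcpy(vendor + 8, &ecx, 4);
    vendor[12] = '\0';
    return strcmp(vendor, "AuthenticAMD") == 0;
}

int main(void)
{
#if HAVE_CPUID
    unsigned int eax, ebx, ecx, edx;

    if (!__get_cpuid(0, &eax, &ebx, &ecx, &edx) || !is_amd_vendor(ebx, ecx, edx)) {
        puts("Not an AMD CPU: these Fn8000_0008 bits are AMD-specific");
        return 0;
    }
    /* __get_cpuid returns 0 when the extended leaf is not implemented. */
    if (!__get_cpuid(0x80000008, &eax, &ebx, &ecx, &edx)) {
        puts("CPUID Fn8000_0008 not supported on this processor");
        return 0;
    }
    struct spec_features f = decode_amd_spec_features(ebx);
    printf("IBPB=%d IBRS=%d STIBP=%d -> %s\n",
           f.ibpb, f.ibrs, f.stibp, recommended_v2_mitigation(f));
#else
    puts("CPUID is only available on x86; nothing to query here");
#endif
    return 0;
}
```

Run it before and after the motherboard firmware update: an unpatched Ryzen reports no bits set, a patched one reports IBPB, and the operating-system mitigation from this Patch Tuesday has nothing to drive until that bit appears. Intel parts advertise the equivalent controls in a different leaf (CPUID leaf 7), so the decoder above is deliberately restricted to AMD.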

Despite the update for AMD's CPUs, today's Patch Tuesday doesn't mark broader availability of Intel microcode updates through Microsoft's update catalog. The list of Intel CPUs with Spectre microcode updates available through Microsoft remains the same as it has been for the past few weeks. Users with CPUs older than Skylake still need to hope for OEM or motherboard firmware updates. Whether that's a side effect of Microsoft's support policy for Windows 10 or some broader clog in the pipe for older CPUs remains to be seen, but as a user of a Haswell desktop, I remain hopeful that microcode for my system will eventually be made available—somehow.

Comments closed
    • WaltC
    • 1 year ago

    Intel delivers the patches and Microsoft simply incorporates them into a Windows patch–same is true for AMD. Microsoft doesn’t do the actual Spectre 2 code patch itself, etc. for obvious reasons. I’m on build 17133.1, version 1803 of Windows 10 x64, and yesterday I installed a cumulative update to bring it to 17133.73–no mention of a Spectre 2 patch there, so I’ll assume it is already in the RS4 codebase for AMD CPUs. RS4 will be released to the public any day now–they are just ironing out a last minute bug affecting a few older systems. (It’s the best version of Win10 yet, imo, if you are interested.)

    • ronch
    • 1 year ago

    Not much word on the vulnerability of FX chips on Windows 7. But then has AMD stopped supporting Windows 7 across the board or is it just with Ryzen?

      • DancinJack
      • 1 year ago

      It looks like they have chipset stuff (read: downloads) for W7 x64 on their website. I can’t speak to the rest though.

    • Shobai
    • 1 year ago

    So, my work machine just performed updates and rebooted, inside the time specified for “active hours”. Group Policy here we come, but even so: please tell me that Microsoft isn’t muffing time zone interaction in determining when it’s safe to reboot…

    • ronch
    • 1 year ago

    AMD CPUs have always been more secure than Intel processors anyway. Fact.

    Edit – hah I just knew someone would take the bait and jump the gun and shoot me down when the opportunity comes up. 😉 Works in real life, works on the internet. 😀

      • EzioAs
      • 1 year ago

      Your bias is clearly showing up here. Opinion.

      Edit – really speaks something about someone when it works in both real life and the internet, huh? ¯\_(ツ)_/¯

      • Klimax
      • 1 year ago

      Your edit won’t save you from punishment for BSing.

        • ronch
        • 1 year ago

        Aaarrgghh.. Those downthumbs are killing me!! :..-(

      • Beahmont
      • 1 year ago

      Congratulations. You’ve just validated Chuckula’s over the top trolling of AMD Fanboys. I hope you’re happy with yourself.

        • chuckula
        • 1 year ago

        I’m so proud!
        [wipes away tear of joy]

        • ronch
        • 1 year ago

        Ahem.. On the contrary, wasn’t I supposedly trolling Intel fanbois? 😐

        Sorry Chucky ol’ boy!

      • pogsnet1
      • 1 year ago

      I agree. One reason: less targeted because of less market share, so it would be nonsense for hackers, just like Apple has fewer viruses.

      • drfish
      • 1 year ago

      One of these days, people will realize that real life and the internet are the same thing.

        • ronch
        • 1 year ago

        Maybe the Matrix is real.

      • BobbinThreadbare
      • 1 year ago

      Funny thing is that “always” is probably not true, but Meltdown goes back to the Pentium Pro, so a while.

    • stefem
    • 1 year ago

    Once I was told ” there is a near-zero risk of exploitation”…

    Now I know what they meant, was it really too hard to come clean and say “we are working on patches, stay tuned”?

      • TheRazorsEdge
      • 1 year ago

      Near-zero and nonexistent aren’t the same thing.

      Also, the longer a vulnerability exists, the more time attackers have to understand it and figure out some way to exploit it usefully.

      Spectre looks far less dangerous than Meltdown or Heartbleed, but it still needs to be fixed.

        • stefem
        • 1 year ago

        True, but I must say that “near-zero risk” in computer security sounds like being “almost pregnant”…
        I’m really happy they are patching for Spectre but would have preferred more professional communication instead of trying to pass the idea that there weren’t tangible risks (they would not have patched if they were really convinced). That was my point: they fully knew at the time but decided to talk about “optional firmware updates” (implying they weren’t necessary) that have now become required to mitigate Spectre.

      • JustAnEngineer
      • 1 year ago

      You were “near zero” risk. Now you’re “nearer zero” risk.
