AMD announced that it has made mitigations available for Spectre Variant 2 through a combination of microcode and software updates. The new patches will protect all of AMD’s products dating back to Bulldozer, provided they are paired with the latest version of the Windows 10 operating system.
AMD has already addressed Spectre Variant 1 with operating system patches that it distributed via Windows updates. AMD had no exposure to Variant 3 (otherwise known as Meltdown) due to its processor architecture, so no patches are needed.
Microsoft is pushing out an operating system update today that contains the software patches for Spectre Variant 2. These patches will go out to users on Windows 10 (version 1709), but it’s unclear how AMD will address patching older versions of Windows. AMD is also going through final validation and testing for Windows Server 2016 patches.
The microcode updates will filter into the broader ecosystem via OEMs and motherboard vendors. AMD users will have to wait for BIOS updates that contain the new patch, but AMD has a resource page to help users locate the relevant patches.
AMD isn’t releasing patches for its pre-2011 processors, but like Intel, the company may have decided that patching older processors would have limited support from OEM partners.
Intel’s Meltdown patches have had a limited performance impact, but the Spectre Variant 2 patches have more of an impact on applications that commonly issue kernel calls, such as storage-intensive applications and web browsers. These performance penalties are more severe with Intel’s older processors. AMD has released a new whitepaper (PDF) covering the technical aspects of the patches, but it doesn’t contain any information on possible performance impacts. We’re following up with the company to learn more.
These new mitigations apply to the Spectre mitigations, and not the vulnerabilities exposed by CTS-Labs’ recent revelations. CTS-Labs has come under intense scrutiny, and deservedly so, for its preemptive disclosures, but the company did expose several vulnerabilities that can be exploited through second-level attacks. AMD has promised timely mitigations for those vulnerabilities, which should arrive soon.
