Spectre and Meltdown continue to be a major issue for Intel as it also scrambles to deal with a vulnerability in the Intel Management Engine BIOS Extension. But Google says its fix for CVE 2017-5715 (commonly called Variant 2 of Spectre) can fix the problem with negligible impact on system performance, contrary to Intel’s fix.
Spectre and Meltdown were ethically disclosed about six months before they were publicly revealed so Intel and their major software partners could get a fix ready before the vulnerabilities became public knowledge and threat actors had a chance to get ahead with their own exploits. Google created their own fix for Variant 2 and called it Retpoline.
The details of what Reptoline does is covered in a Google support article with a simplified explanation on Google’s security blog.
When Spectre and Meltdown were first publicised, AMD has released advice saying that their CPUs aren’t vulnerable. But they have backtracked on that saying Spectre is a potential threat to their platform.
Both Variant 1 (CVE-2017-5753) and Variant 2 (CVE-2017-5715) pose a threat. AMD says they are working with software partners with Variant 1 fixable via patches to the operating system and Variant 2 requiting both CPU microcode fixes and OS updates.
Firmware updates available for Ryzen and EPYC CPUs will be going to PC makers this week for distribution to system owners. Older processors will be updated “over the coming weeks” according to reports.
AMD said their GPUs are not believed to be affected.
Leave a Reply
You must be logged in to post a comment.