AMD provides update on Spectre and Meltdown patches

[deadcatwalking]

As a Security Professional...

Hmm. I'm sure your opinion isn't biased at all.

[deadcatwalking]

Couldn't agree more though when it comes to being careful what one clicks on. I've had one virus in 25 years of computing. The work computer, on the other hand, has a virus/malware/pup every other week due to its principle users clicking on crap and insisting on using an unprotected browser (which in itself will have installed even more bumph without them realising).

My virus history on my workstation, since 2004, is non-existent! If I've been OK for 13 years without incident then it's obviously something other people are doing with their computers. Yes, people will tell you otherwise but hey...it's incredible how easy it is for security software and the media to scare people into thinking everything is bigger than it actually is.

[Tabbykatze]

Hmm. I'm sure your opinion isn't biased at all.

And your opinion is wrong, fact.

How about you read something before you make yourself out to be on the same level of debative capability as an anti vaxxer or flat earther.

http://www.verizonenterprise.com/ver...lab/dbir/2017/

[peterb]

Hmm. I'm sure your opinion isn't biased at all.

Tabbykatze wasn’t giving an opinion, he was describing two (of many) stealth attacks that can occur to even the most careful users.

Which is not to say that users shouldn’t be careful about the sites they visit of course.

[DanceswithUnix]

Which is not to say that users shouldn’t be careful about the sites they visit of course.

The most shocking part of this for me was that Spectre can be performed using Javascript. Turn that off though, and so much of the Internet stops working. Thankfully it sounds like browser updates won't sacrifice much speed.

[Millennium]

Wow. There's a serious debate here and AMD has not even been mentioned? I run Ryzen myself and understand it's much less vuln than Intel in the last 15+ years (which iss lucky because Bulldoser et all are a bit more vuln) but I am very surprised to see the lack of debate here. As I understand it, AMD were initially saying they would be ok with a small OSs update that would not present particularly any performance penalty, but in the last 2-3 days they are admitting theys are vulnerable for both Spectre variants and are sayin that firmware level fix is required .... Ok AMD but please release this firmware fix. I checked a little earlier for my MSI board and there is no recent UEFI|BIOSs update. Please sort it. I'm sure shInnnnnnnntelhas it much worse but at least prove this?

[Tabbykatze]

AMD has always stated that they're vulnerable to both variants of Spectre but they have stated that the second is incredibly difficult and theoretically possible but hasnt been proven.

That is why there isn't a debate about AMD because they they were up front and didn't try to smokescreen. Plus patches are already out and are minimal performance impacters. It's not AMDs fault that your Mobo manufacturer haven't released the patch yet. Make sure you blame the right people.

Whereas Meltdown is an actual flaw in design due to bad architectural development which cannot be easily patched out without potential major impact to the operating cost of resources.

The scale of seriousness differs massively between the two architectures. Also as Intel has a far larger budget and far larger development team than AMD then a mistake such as this, which you can gosh golly darn someone must have known about, is completely unacceptable.

It's far worse than heartbleed and that was pretty god damn high on the seriousness scale.

[Corky34]

Personally i wouldn't say it's down to the difference in how they both handled the vulnerabilities, the seriousness of them, or even how difficult each is to exploit as i suspect most people, including myself after having read a ton of stuff, struggle to understand the difference between Meltdown and Spectre, It's probably because Spectre effects everyone no matter what whereas Meltdown is mainly isolated to Intel.

[Biscuit]

Wow. There's a serious debate here and AMD has not even been mentioned? I run Ryzen myself and understand it's much less vuln than Intel in the last 15+ years (which iss lucky because Bulldoser et all are a bit more vuln) but I am very surprised to see the lack of debate here. As I understand it, AMD were initially saying they would be ok with a small OSs update that would not present particularly any performance penalty, but in the last 2-3 days they are admitting theys are vulnerable for both Spectre variants and are sayin that firmware level fix is required .... Ok AMD but please release this firmware fix. I checked a little earlier for my MSI board and there is no recent UEFI|BIOSs update. Please sort it. I'm sure shInnnnnnnntelhas it much worse but at least prove this?

Im pretty sure AMD have responded, with consistency, to all information that has been leaked, as it was leaked.

They have never changed their statements on the matter and have maintained that the vulnerabilities in thier system are either zero chance (meltdown) or close to zero chance (each spectre variant).
If a customer provides pretty solid information with no reason to really dispute it, why would there be any discussion?

Intel on the other hand, have been incredibly vague and at every chance to divert the attention away from them, they have done just that.