AMD Ryzen: alert on a security vulnerability affecting certain processors

AMD has confirmed the presence of a microcode-related vulnerability in some of its processors, made public prematurely by an Asus BIOS beta update. This flaw, known as the “microcode signature verification vulnerability,” likely affects consumer models, although AMD has not yet specified which ones.

The leak was revealed by Tavis Ormandy of Google's Project Zero team, who noticed that Asus' beta BIOS update mentioned a fix for this vulnerability… before AMD even made an official announcement. Asus later removed this mention from its patch notes, but the information was already public.

Nature of the vulnerability and AMD's response

Microcode is a set of instructions stored in the processor that dictate how it operates. This vulnerability could allow unofficial microcode to be loaded, potentially modifying the operation of the processor or stopping it completely. Usually, only a privileged process, such as the operating system kernel or BIOS firmware, can load microcode, making this vulnerability of particular concern.

AMD has confirmed that some of its products are affected by this vulnerability and that a patch will be released soon. “Executing the attack requires local administrator-level access and the development and execution of malicious microcode”said an AMD spokesperson. The company says it is actively working with its partners and customers to deploy the necessary corrective measures.

But for now, AMD has neither specified which processors are affected, nor the exact nature of the vulnerability. We will therefore have to wait for more information, but AMD plans to publish a security bulletin soon with additional advice and mitigation options. Given the specific situation described here, it will be prudent to wait for official guidelines from AMD before installing any unverified updates.