https://www.tomshardware.com/news/intel-discovers-amd-spectre-patch-has-been-broken-since-2018-amd-issues-fix

Intel Finds Bug in AMD's Spectre Mitigation, AMD Issues Fix

By Paul Alcorn, published 12 March 22

Intel's crack STORM security team unearths issues

News of a fresh Spectre BHB vulnerability that only impacts Intel and Arm processors emerged this week, but Intel's research around these new attack vectors unearthed another issue: One of the patches that AMD has used to fix the Spectre vulnerabilities has been broken since 2018.

Intel's security team, STORM, found the issue with AMD's mitigation. In response, AMD has issued a security bulletin and updated its guidance to recommend using an alternative method to mitigate the Spectre vulnerabilities, thus repairing the issue anew.

As a reminder, the Spectre vulnerabilities allow attackers unhindered and undetectable access to information being processed in a CPU through a side-channel attack that can be exploited remotely. Among other things, attackers can steal passwords and encryption keys, thus giving them full access to an impacted system.

Intel's research into AMD's Spectre fix begins in a roundabout way -- Intel's processors were recently found to still be susceptible to Spectre v2-based attacks via a new Branch History Injection variant, this despite the company's use of the Enhanced Indirect Branch Restricted Speculation (eIBRS) and/or Retpoline mitigations that were thought to prevent further attacks.

In need of a newer Spectre mitigation approach to patch the far-flung issue, Intel turned to studying alternative mitigation techniques. There are several other options, but all entail varying levels of performance tradeoffs. Intel says its ecosystem partners asked the company to consider using AMD's LFENCE/JMP technique. The "LFENCE/JMP" mitigation is a Retpoline alternative commonly referred to as "AMD's Retpoline."

As a result of Intel's investigation, the company discovered that the mitigation AMD has used since 2018 to patch the Spectre vulnerabilities isn't sufficient -- the chips are still vulnerable. The issue impacts nearly every modern AMD processor spanning almost the entire Ryzen family for desktop PCs and laptops (second-gen to current-gen) and the EPYC family of datacenter chips.

The abstract of the paper, titled "You Cannot Always Win the Race: Analyzing the LFENCE/JMP Mitigation for Branch Target Injection," lists three Intel authors that hail from Intel's STORM security team: Alyssa Milburn, Ke Sun, and Henrique Kawakami. The abstract sums up the bug the researchers found pretty succinctly:

"LFENCE/JMP is an existing software mitigation option for Branch Target Injection (BTI) and similar transient execution attacks stemming from indirect branch predictions, which is commonly used on AMD processors.
However, the effectiveness of this mitigation can be compromised by the inherent race condition between the speculative execution of the predicted target and the architectural resolution of the intended target, since this can create a window in which code can still be transiently executed. This work investigates the potential sources of latency that may contribute to such a speculation window. We show that an attacker can "win the race", and thus that this window can still be sufficient to allow exploitation of BTI-style attacks on a variety of different x86 CPUs, despite the presence of the LFENCE/JMP mitigation."

Intel's strategic offensive research and mitigation group (STORM) is an elite team of hackers that attempts to hack Intel's own chips.

In response to the STORM team's discovery and paper, AMD issued a security bulletin (AMD-SB-1026) that states it isn't aware of any currently active exploits using the method described in the paper. AMD also instructs its customers to switch to using "one of the other published mitigations (V2-1 aka 'generic retpoline' or V2-4 aka 'IBRS')." The company also published updated Spectre mitigation guidance reflecting those changes [PDF].

AMD commented on the matter to Tom's Hardware, saying, "At AMD, product security is a top priority and we take security threats seriously. AMD follows coordinated vulnerability disclosure practices within the ecosystem, including Intel, and seeks to respond quickly and appropriately to reported issues. For the mentioned CVE, we followed our process by coordinating with the ecosystem and publishing our resulting guidance on our product security website."

We asked Intel if it had found other vulnerabilities in AMD's processors in the past, or if this were an isolated event. "We invest extensively in vulnerability management and offensive security research for the continuous improvement of our products.
We also work to get outside perspectives, collaborating with researchers and leading academic institutions to find and address vulnerabilities," a company representative responded. "If we identify an issue that we believe may impact the broader industry, we follow coordinated vulnerability disclosure practices to report potential vulnerabilities to vendors and release findings and mitigations together."

Security vulnerabilities obviously make for what would normally be strange bedfellows. In this case, that's a good thing: The Spectre vulnerabilities threaten the very foundations of security in the silicon that powers the world. AMD's security bulletin thanks Intel's STORM team by name and notes that it engaged in coordinated vulnerability disclosure, thus allowing AMD enough time to address the issue before making it known to the public. That's good for everyone.

Paul Alcorn is the Deputy Managing Editor for Tom's Hardware US. He writes news and reviews on CPUs, storage and enterprise hardware.
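
A defender's check that follows from AMD's guidance to move off LFENCE/JMP to generic retpoline or IBRS, as an added example that is not from the article, AMD or Intel: a POSIX shell function that classifies the Linux `spectre_v2` sysfs status line and flags hosts still using LFENCE/JMP. The sysfs path is the standard Linux location; the match patterns are assumptions about kernel status text, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: classify the Linux spectre_v2 status line against AMD-SB-1026.
# The match patterns are assumptions about kernel status text; check them
# against the kernel versions you run.
SPECTRE_V2_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# classify_spectre_v2 STATUS prints one of:
#   lfence        LFENCE/JMP ("AMD retpoline") in use; AMD says to switch
#   retpoline     generic retpoline (AMD's V2-1)
#   ibrs          IBRS or Enhanced IBRS (AMD's V2-4)
#   vulnerable    no Spectre v2 branch mitigation active
#   not_affected  kernel reports the CPU as not affected
#   unknown       unrecognised text; review by hand
classify_spectre_v2() {
    status=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    # Only the first comma-separated field names the branch mitigation; later
    # fields (IBPB, IBRS_FW, STIBP, RSB filling) describe other controls.
    primary=${status%%,*}
    case "$primary" in
        *lfence*|*"amd retpoline"*|*"amd asm retpoline"*) echo lfence ;;
        "not affected"*) echo not_affected ;;
        vulnerable*)     echo vulnerable ;;
        *ibrs*)          echo ibrs ;;
        *retpoline*)     echo retpoline ;;
        *)               echo unknown ;;
    esac
}

report_host() {
    if [ -r "$SPECTRE_V2_FILE" ]; then
        line=$(cat "$SPECTRE_V2_FILE")
        echo "this host: $(classify_spectre_v2 "$line")  <- $line"
    else
        echo "this host: $SPECTRE_V2_FILE not readable"
    fi
}

# Constructed sample status lines so the script shows output on any machine.
while IFS= read -r sample; do
    echo "$(classify_spectre_v2 "$sample")  <- $sample"
done <<'EOF'
Mitigation: Full AMD retpoline, IBPB: conditional, STIBP: disabled, RSB filling
Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling
Vulnerable: LFENCE
EOF
report_host
```

A result of `lfence` on an AMD host means the kernel is relying on the mitigation the bulletin advises replacing; `unknown` means the status text should be read by hand rather than trusted to the patterns.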