UPDATE 16 April 2018 - On the 10 April 2018 AMD announced that it is releasing processor microcode updates to mitigate security vunerability SPECTRE Variant 2 (CVE-2017-5715). AMD had previously indicated that their processors would not be affected by the SPECTRE or MELTDOWN security vunerabilities, however after further analysis and after working with their customers and partners they have released a microcode update to mitigate these vunerabilities. AMD still states that it will be difficult to exploit SPECTRE Variant 2 on AMD processors. 

Based on this new microcode update, GIGABYTE estimates that all BIOS updates for our products using AMD processors will be ready by 6/1. Please refer to this webpage or our twitter page for the latest information regarding updates to mitigate against SPECTRE.

Taipei, Taiwan, 17 January 2018 - Security researchers have recently uncovered security issues known by two names, Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, and CVE-2017-5715). These issues apply to all modern processors and affect nearly all computing devices and operating systems. All GIGABYTE systems are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious software to be installed in your systems, GIGABYTE recommend downloading software only from trusted sources.

Resolution of these vulnerabilities may call for both an operating system update, provided by the OS vendor, and a system ROM / BIOS update from GIGABYTE.

• Variant 1 (CVE-2017-5753, bounds check bypass or Spectre)
  The threat can be contained with an OS patch.
• Variant 2 (CVE-2017-5715, branch target injection or Spectre)
  GIGABYTE will provide BIOS updates combining processor microcode to further mitigate the threat.
• Variant 3 (CVE-2017-5754, rogue data cache load or Meltdown)
  The threat can be contained with an OS patch.

For the availability date of BIOS updates for all GIGABYTE affected products, please refer to the following table. BIOS updates can be downloaded from the support section of each individual product page (please find your affected product here)

Background

The Meltdown and Spectre issues take advantage of a modern CPU performance feature called speculative execution. Speculative execution improves speed by operating on multiple instructions at once—possibly in a different order than when they entered the CPU. To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.
The Meltdown and Spectre exploitation techniques abuse speculative execution to access privileged memory — including that of the kernel — from a less-privileged user process such as a malicious software running on a system.

Intel has provided a high level statement here: https://newsroom.intel.com/press-kits/security-exploits-intel-products/

Resources

• Intel Advisory
• AMD Advisory
• ARM Advisory
• NVD CVE-2017-5754
• NVD CVE-2017-5753
• NVD CVE-2017-5715
• Suse Linux Enterprise Server Advisory
• Red Hat Enterprise Linux Advisory
• Ubuntu Linux Advisory
• Microsoft Windows Server Advisory
• VMware Advisory
• Wind River Advisory

Please follow @GigabyteServer on Twitter for instant notification of all BIOS updates as they become available!