AMD Warns of New Meltdown, Spectre-like Bugs Affecting CPUs (theregister.com)

(Wednesday July 09, 2025 @05:20PM (msmash) from the PSA dept.)


AMD is warning users of [1]a newly discovered form of side-channel attack affecting a broad range of its chips that could lead to information disclosure. Register:

> Akin to [2]Meltdown and Spectre, the Transient Scheduler Attack (TSA) comprises four vulnerabilities that AMD said it discovered while looking into a Microsoft report about microarchitectural leaks.
>
> The four bugs do not appear too venomous at face value -- two have medium-severity ratings while the other two are rated "low." However, the low-level nature of the exploit's impact has nonetheless led Trend Micro and CrowdStrike to assess the threat as "critical."
>
> The reasons for the low severity scores are the high degree of complexity involved in a successful attack -- AMD said it could only be carried out by an attacker able to run arbitrary code on a target machine. It affects AMD processors (desktop, mobile and datacenter models), including 3rd gen and 4th gen EPYC chips -- the full [3]list is here.



[1] https://www.theregister.com/2025/07/09/amd_tsa_side_channel/

[2] https://tech.slashdot.org/story/18/01/04/0131239/googles-project-zero-team-discovered-critical-cpu-flaw-last-year

[3] https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7029.html



Mitigation (Score:2)

by bill_mcgonigle ( 4333 ) *

This one needs microcode, kernel, and hypervisor patches, the latter two needing to flush cache when transitioning between trusted and untrusted code.

Bulletin: [1]https://www.amd.com/content/da... [amd.com]

[1] https://www.amd.com/content/dam/amd/en/documents/resources/bulletin/technical-guidance-for-mitigating-transient-scheduler-attacks.pdf
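
One way to check a Linux host for the kernel and microcode pieces named in the comment above, as an added example that is not part of the original thread or of AMD's guidance. It assumes a kernel that exposes a `tsa` entry under `/sys/devices/system/cpu/vulnerabilities`; the function names are illustrative.

```shell
#!/bin/sh
# Added example: classify the kernel's reported TSA status on a Linux host.
# Assumption: a kernel carrying the TSA patches exposes a "tsa" entry in the
# sysfs vulnerabilities directory; kernels without them have no such file.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# tsa_status [DIR] prints unpatched-kernel, not-affected, mitigated,
# vulnerable or unknown. Returns 0 only when no action is needed.
tsa_status() {
    dir=${1:-$VULN_DIR_DEFAULT}
    file="$dir/tsa"
    if [ ! -r "$file" ]; then
        # No entry: the running kernel does not know about TSA.
        echo unpatched-kernel
        return 1
    fi
    IFS= read -r line < "$file" || true
    # Entries in this directory start with one of these standard prefixes.
    case $line in
        "Not affected"*) echo not-affected; return 0 ;;
        "Mitigation"*)   echo mitigated;    return 0 ;;
        "Vulnerable"*)   echo vulnerable;   return 1 ;;
        *)               echo unknown;      return 1 ;;
    esac
}

# microcode_rev [CPUINFO] prints the loaded microcode revision of the first
# CPU, for comparison against the revision listed in the vendor bulletin.
microcode_rev() {
    f=${1:-/proc/cpuinfo}
    [ -r "$f" ] || { echo unknown; return 0; }
    awk -F': *' '/^microcode/ { print $2; found = 1; exit }
                 END { if (!found) print "unknown" }' "$f"
}

# Print both values for the running host; always returns 0.
tsa_report() {
    printf 'tsa status: %s\n' "$(tsa_status "$@" || true)"
    printf 'microcode:  %s\n' "$(microcode_rev)"
}

tsa_report
```

A `vulnerable` or `unpatched-kernel` result inside a guest says nothing about the hypervisor, which has to be checked on the host.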

Uh huh (Score:2)

by OverlordQ ( 264228 )

So the only thing the attacks need to steal information from your system is to already have access to the system to run arbitrary code on it. Gotcha.

Re: (Score:2)

by dskoll ( 99328 )

Websites run arbitrary code on your system all the time unless you disable JavaScript.

It may be hard if not impossible to exploit these vulnerabilities from JavaScript, but one should not be complacent about the "arbitrary code" requirement.

Re: (Score:2)

by Gravis Zero ( 934156 )

You mean like how modern JavaScript engines compile WASM to machine code?

Impacts Zen microarchitecture (Score:2)

by Gravis Zero ( 934156 )

If you have an AMD chip based on the Zen microarchitecture then you are impacted. The older Bulldozer and Piledriver microarchitectures are not impacted by this. If your CPU uses socket AM4, SP3/SP3r2, or TR4 then you are impacted.

Sticking with an AMD FX chip seems to have been the winning move.

Re: (Score:2)

by test321 ( 8891681 )

The Ryzen 3000 series is only impacted by the minor vulnerabilities, which only leak useless information (can leak timestamp counter TSC_AUX and a CPU configuration).

Past caring. (Score:2)

by Computershack ( 1143409 )

Every week there's some new exploit or another. Number of times I can say I've been a victim of them over the past 33 years of owning a PC.....zero.
