Edit 8/12/2024 4:45am PT: The researchers who discovered the flaw in AMD's chips contend that the vulnerability impacts all AMD chips extending back to 2006. However, AMD has not listed Ryzen and Threadripper 1000 and 2000 and other previously released products as impacted by the vulnerability. We are following up for further details regarding the disparity.
AMD processors dating back to 2006, reportedly numbering in the hundreds of millions of chips, suffer from a major security flaw that allows attackers to infiltrate a system virtually undetected. AMD Product Security has since released updates for several processor families to mitigate this issue, but not all of them will be covered. According to a statement given to Tom's Hardware, AMD said, "There are some older products that are outside our software support window." AMD has no plans to update its older Ryzen 3000 series processors, and it is possible that the vulnerability extends back further than the processors listed in AMD's advisory. We're following up for more details.
Nevertheless, most of AMD's recent processors have already received mitigation options to deal with the issue. This includes all generations of AMD's EPYC processors for the data center, the latest Threadripper, and Ryzen processors. Its MI300A data center chips are also getting the patch. The company said there is "No performance impact expected" when asked about the consequences of the update. Thus, the company is likely still doing performance tests to fully assess patch impacts on overall system performance.
These are all the AMD chips that are expected to have, or already have, the security patch available:
These are all the chips that are flagged to receive an update so far, and it covers most of the recent processors. However, you'll notice that several older processors, which are nonetheless popular with consumers, are not included in this list. These include the Ryzen 3000 chips. The latest Ryzen 9000 and Ryzen AI 300 series processors are also not included in the list, but these newly-released models might have had this vulnerability already addressed from the factory. We're following up for clarity.
Attackers need kernel-level access to the system to exploit the Sinkclose vulnerability, so the system would have to already be compromised. The hack itself is a sophisticated vector that is usually only used by state-sponsored hackers, so most casual users should take that into account.
Nevertheless, all Ryzen Embedded and EPYC Embedded systems will receive an update to patch the vulnerability. This is because most embedded machines are designed to run in the background 24/7 with little to no human intervention for several years, meaning they can be used as attack vectors if not updated properly.
But even if you don't have state secrets stashed in your personal computer, we still recommend updating your chips if you receive an update from AMD. That way, you ensure that you're protected and won't lose your data, even if the Sinkclose vulnerability becomes more widely used.