AMD has revealed its Ryzen CPUs are at risk of four new vulnerabilities. Not all Team Red processors are in the crosshairs, but there are several compromised chips from the original Zen to Zen 4. The good news is you can fix it with a simple BIOS update. The bad news is that not all motherboard makers have caught up, and BIOS updates might not yet be available.
Each vulnerability relates to the SPI interface, which bridges the processor and flash chip that stores your BIOS. If a bad actor exploits it, they can stop you from using your device (denial of service), gain control of your system by escalating privileges, or inject malicious code. The latter could result in malware that harvests your information or extorts you for financial gain.
AMD patches these vulnerabilities using AGESA before motherboard manufacturers bake it into BIOS updates. While Team Red has almost completed its fix for all its CPUs, called AGESA 1.2.0.B, your mileage may vary depending on which model you run.
Motherboard manufacturers have already covered AM5, meaning you’re good to update your Ryzen 7000 or Ryzen 8000 system ASAP. These even have access to the latest AGESA 1.2.0.C, which protects against last year’s Zenbleed issue.
Zenbleed, for those unaware, affects Zen 2 processors specifically, including the Epyc data centre range. Cropping up in May 2023, the attack allows the theft of protected information. Once again, bad actors need direct access to a system in order to exploit it, so the likelihood of suffering is pretty slim. A microcode update quelled the issue until now, but it’s good to see an official BIOS for it.
When it comes to either patch, AM4 is much more hit-or-miss. None are compatible with C just yet, but 500 series has access to B. It’s best you check back with your motherboard manufacturer over the next week or two. Hopefully, ASRock, Asus, Gigabyte, MSI, and the rest will have caught up by then.
If you’re one of the unlucky few not yet patched, don’t sweat it too much. Hackers can’t exploit vulnerabilities without local access to your machine. Just keep the device away from strangers until it’s all fixed. Or, you know, keep it away from strangers altogether.
