Asus lets processor security fix slip out early, AMD confirms patch in progress
AMD has confirmed at least some of its microprocessors suffer a microcode-related security vulnerability, the existence of which accidentally emerged this month after a fix for the flaw appeared in a beta BIOS update from PC maker Asus.
All we know for now is that the security issue is a "microcode signature verification vulnerability." Microcode is information typically loaded into the processor by the system firmware or operating system at boot time that dictates the way various parts of the chip work, to put it simply. Microcode can be used to add and fix functionality within the processor without having to physically replace the component, which is convenient.
Crucially, the format of the microcode is usually proprietary to the maker of the processor (in this case, AMD) so people generally can't come up with their own microcode and heavily customize their CPUs. There are also defense mechanisms in place to ensure only official microcode can be loaded, which usually includes checking the digital signature of the code before it's loaded.
We're speculating here but a microcode signature verification vulnerability may involve being able to load into an AMD processor microcode that should be rejected, but isn't, and thus someone may be able to tweak the way their CPUs function, or stop the thing from working entirely. Usually microcode can only be loaded by a privileged process, such as the OS kernel or BIOS firmware, and while something or someone malicious on your system with that level of access is already pretty bad, you probably don't want them to start screwing with a microcode-related vulnerability either.
