What just happened? AMD has confirmed a security vulnerability in some of its processors, which was inadvertently revealed through a beta BIOS update from Asus. The flaw, described as a "microcode signature verification vulnerability," came to light before AMD could officially disclose it, sparking concerns in the cybersecurity community. The vulnerability was first noticed by Tavis Ormandy, a security researcher at Google's Project Zero. Ormandy spotted a reference to the flaw in the release notes of an Asus beta BIOS update for one of its gaming motherboards. "It looks like an OEM leaked the patch for a major upcoming CPU vulnerability," Ormandy wrote in a public mailing list post.AMD has since acknowledged the issue. The company has not yet specified which of its products are affected but has indicated that mitigations are being developed and deployed.The vulnerability appears to be related to the microcode and seems to circumvent the process that ensures only official, AMD-signed microcode can be loaded into the processor. Exploiting this vulnerability requires not only local administrator access to the targeted system but also the capability to develop and execute malicious microcode, according to AMD. This high bar for exploitation suggests that while the vulnerability is serious, it's not something that could be easily weaponized by casual attackers.While the full extent of the vulnerability's impact is not yet known, security experts have begun speculating about its potential consequences. Demi Marie Obenour, a software developer for Invisible Things, suggested that if an attacker could load arbitrary microcode, they might be able to compromise critical security features such as System Management Mode (SMM), Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP), and Dynamic Root of Trust for Measurement (DRTM).The recent discovery of a microcode signature verification vulnerability is not an isolated incident. Over the years, AMD has faced several security challenges across its product lines. // Related StoriesIn March 2018, researchers from CTS Labs uncovered a series of vulnerabilities affecting AMD's Ryzen and Epyc processors. These flaws, collectively known as RYZENFALL, MASTERKEY, CHIMERA, and FALLOUT, posed security risks to both consumer and enterprise-grade processors. Exploiting the vulnerabilities required administrative access, according to AMD.In August 2024, a more widespread vulnerability named "Sinkclose" was disclosed. This flaw in the System Management Mode potentially exposed hundreds of millions of devices to security risks. In this case, exploiting the vulnerability required kernel-level access, making it a threat primarily to "seriously breached systems," AMD said at the time.