Researchers Find Critical Vulnerabilities in AMD's Ryzen and EPYC Processors, But They Gave the Chipmaker Only 24 Hours Before Making the Findings Public (cnet.com)
Alfred Ng, reporting for CNET: Researchers have discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Particularly worrisome is the fact that the vulnerabilities lie in the so-called secure part of the processors -- typically where your device stores sensitive data like passwords and encryption keys. It's also where your processor makes sure nothing malicious is running when you start your computer. CTS-Labs, a security company based in Israel, announced Tuesday that its researchers had found 13 critical security vulnerabilities that would let attackers access data stored on AMD's Ryzen and EPYC processors, as well as install malware on them. Ryzen chips power desktop and laptop computers, while EPYC processors are found in servers. The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing the report. Standard vulnerability disclosure calls for 90 days' notice so that companies have time to address flaws properly. An AMD spokesperson said, "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings." Zack Whittaker, a security reporter at CBS, said: "Here's the catch: AMD had less than a day to look at the research. No wonder why its response is so vague."
These vulnerabilities look like they are almost all problems with the chipset or AMD's equivalent to Intel's Management Engine.
So these aren't quite on par with Spectre and Meltdown.
Some firmware updates should fix almost all of this.
Still, it was sort of an asshole move to only give AMD 24 hours' notice just so they could get their 15 minutes of fame.
And, yes, it's disgusting to see AMD put out products with lots of weaknesses like this.
https://amdflaws.com/ for the actual exploits detailed. The "whitepaper" is mostly fluff, unless you enjoy pretty icons and charts... completely remiss of any technical implementation details outside of how vulnerable Windows is to this flaw. Idiotic green screen video confirms this exploit appears to have more studio production value than actual security value. https://www.youtube.com/watch?...
Good people go to bed earlier.
This all smells fishy. Hand me the tin-foil. I need a hat.
Pretty clearly Intel-funded, yes. The 24h notification period is so short that it can be classified as a malicious attack. Nobody with any understanding of how this works does this unless there are strong overriding concerns. What these corrupt a******* did makes people a lot less secure.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Devil's Advocate: the disclosure(s) is (are) vague as hell on exploit details, let alone demonstrations or proof-of-concepts, so there is that.
All said though, still a dick move by CTS-Labs.
Quo usque tandem abutere, Nimbus, patientia nostra?
Care to inform me how I would be the winner if flaws in hardware become published with ZERO chance for their makers to deliver any kind of patch before malware creators get a chance to exploit them?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
As opposed to Intel, whose chips are perfectly secure. Except Intel had ~5 months to fix the problem before public disclosure (longer than responsible disclosure standards required). AMD is somehow only given 24 hours? That's not just irresponsible disclosure, that's an indirect attack.
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
Reporting facts is smearing someone? This is Poe's Law, right? AMD fans are not this delusional, are they?
Look at how the information is delivered. "This site is to inform the public about the vulnerabilities and call upon AMD and the security community to fix the vulnerable products." - but doesn't actually give AMD the time to fix the problem(s).
Look at the website: amdflaws.com
Nice name.
"MASTERKEY requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update"
So this is a low-impact problem. Yes, they try to hype it, but the fact is if anyone has access to a computer one should always assume they can gain control.
Just a few years ago people wouldn't even try to portray it as a problem.
The rest are similar things - bypassing security while still needing physical and/or elevated privileges. Yes there may be problems caused by this, no the problems aren't really bad.
I wouldn't be surprised if Intel spent some $$$ to encourage the group behind this to select the website name, the naming of the exploits (or "exploits" in some cases), how they are presented on the website and the white paper, and lastly to not give AMD any chance to patch the problems. Add to this the quote above that shows an exceptional level of dishonesty.
And if Intel didn't give them anything, the group missed out - Intel has dedicated resources for these kinds of operations, as anyone that has been into computers for a while should know.
Disgusting.