Slashdot Mirror


AMD Says Patches Coming Soon For Chip Vulnerabilities (securityweek.com)

wiredmikey writes: After investigating recent claims from a security firm that its processors are affected by more than a dozen serious vulnerabilities, chipmaker Advanced Micro Devices (AMD) says patches are coming to address several security flaws in its chips. In its first public update after the surprise disclosure of the vulnerabilities by Israeli-based security firm CTS Labs, AMD said the issues are associated with the firmware managing the embedded security control processor in some of its products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.

AMD said that patches will be released through BIOS updates to address the flaws, which have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA. The company said that no performance impact is expected for any of the forthcoming mitigations.

84 comments

  1. Response Intel vs AMD by Anonymous Coward · · Score: 0

    Intel Response:
                    Take this untested BIOS update that could cause data corruption and reboots
                    Purchase a new CPU

    AMD Response:
                          Apply this BIOS update

    1. Re:Response Intel vs AMD by Fly+Swatter · · Score: 1

      Nice try, but these don't look related to Meltdown or Spectre at all. It's a problem with their 'secure' management layer, Intel already fixed theirs a while back - what took AMD so long :P

    2. Re:Response Intel vs AMD by mark-t · · Score: 4, Insightful

      First of all, this story has nothing to do with Meltdown or Spectre. It is about a set of AMD-specific bugs. Secondly, AMD wasn't affected by Meltdown. Nobody pretended it wasn't affected by Spectre other than people who didn't understand that when it was mentioned that "AMD was not affected", it was in reference to Meltdown only. The apparent disinformation is not acceptable, but is at least understandable because the news of both was publicly released essentially simultaneously and it would have been easy to misinterpret that AMD was unaffected as applying to both. This should have been more clearly worded in the initial release that made the statement. Nonetheless, a clarification was made when it became apparent that this is what people were believing.

      Finally, AMD's response to this is vastly more consumer-friendly than Intel's with respect to their own issues, because it only requires applying patches to existing hardware instead of having to go out and buy new hardware.

    3. Re:Response Intel vs AMD by Khyber · · Score: 4, Informative

      "It is about a set of AMD-specific bugs"

      No, no it is not. It's about a set of bugs in a specific range of ASMedia chipsets that AMD uses in their products, which are also in use on plenty of Intel motherboards, which means they're likely just as vulnerable.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    4. Re:Response Intel vs AMD by Anonymous Coward · · Score: 0

      Intel Response:

                      Take this untested BIOS update that could cause data corruption and reboots

                      Purchase a new CPU

      AMD Response:

                            Apply this BIOS update

      Either way the PC market was close to death as PC manufacturers have either shut their doors or have moved to greener pastures. The few that are left are struggling. Now with the AMD/Intel vulnerabilities coming to light the trust in the PC is all but gone now and we will see a mass exodus from PC to tablets and smartphones. Even Apple is set to eliminate their oldest line, the Macintosh, and about time as well. X86 is a relic from the 1980s and the security issues are stemming from one inherent issue, X86 is from a time when PCs were a stand alone product with no connectivity with the exception of the BBS/dial-up services. They were still vulnerable to viruses since security meant little to them. Today X86 is even more vulnerable with internet connectivity and AMD/Intel only tried to fix those issues for the last 10 years, and messed up horribly. The future is in Android/iOS based devices that are built with security in mind, not Windows/MacOS which rely on insecure X86.

    5. Re:Response Intel vs AMD by Anonymous Coward · · Score: 0

      different problems are different.

      And you are an idiot.

    6. Re: Response Intel vs AMD by Anonymous Coward · · Score: 0

      "If a BIOS can be re-flashed, it can be flashed back again"

      How is this about AMD's architecture? That is not limited to AMD, that's every computer.

    7. Re:Response Intel vs AMD by Anonymous Coward · · Score: 0

      That's a yes then. Idiot child

    8. Re:Response Intel vs AMD by Anonymous Coward · · Score: 1

      BIOS rootkits aren't new. In fact, they're extremely old. They're also trivially mitigated by disabling BIOS flashing from within your BIOS, and only turning the feature on when you intend to flash. This is basic hardening that I dearly hope most sysadmins do.

    9. Re: Response Intel vs AMD by postbigbang · · Score: 0

      It would be good to read about the problem to understand to have a context to the answer: https://amdflaws.com/#TABLE-vu...

      --
      ---- Teach Peace. It's Cheaper Than War.
    10. Re:Response Intel vs AMD by alvinrod · · Score: 4, Informative

      It's even a little bit more constrained than that. It's about a set of bugs that require admin rights to exploit in a specific range of ASMedia chipsets that AMD uses in their products.

      For these to be a problem for you, you've probably already got a bigger set of problems. That doesn't mean that they shouldn't be patched, but that a far bigger deal has been made over this than necessary.

    11. Re:Response Intel vs AMD by Anonymous Coward · · Score: 0

      If a BIOS can be re-flashed, it can be flashed back again

      You've been able to flash a bios in consumer hardware without a dedicated eeprom writer for over twenty years. Stop spreading FUD.

    12. Re:Response Intel vs AMD by DamnOregonian · · Score: 2

      That's partially true. The flaws affect both the ASMedia chips, and the embedded ARM system management processor in the CPU. Parent was not wrong.

    13. Re:Response Intel vs AMD by DamnOregonian · · Score: 2

      You're wrong on a lot of levels.
      First, this does absolutely affect the AMD CPUs (as well as the ASMedia chipset controllers)
      Second, an exploited administrator account is not a bigger deal than an owned chipset or system management controller.
      You are free to run any code you want on your main CPU. The SMU requires signed code for a very good reason- because it can transparently prevent you from actually updating its code, and transparently do... well, whatever the fuck it wants, up to and including preventing you from knowing it is there. There are no bigger problems than flaws at this level.

    14. Re:Response Intel vs AMD by postbigbang · · Score: 1

      Did you read the vulnerability, and how it is instantiated? Or do you just play a geek on TV?

      --
      ---- Teach Peace. It's Cheaper Than War.
    15. Re:Response Intel vs AMD by postbigbang · · Score: 0

      Read about the architecture of the vulnerability. It's a hidden rootkit. You can't checksum it, or really even probe it: https://amdflaws.com/#TABLE-vu...

      --
      ---- Teach Peace. It's Cheaper Than War.
    16. Re: Response Intel vs AMD by Anonymous Coward · · Score: 0

      I'm not going to read a hit piece.

    17. Re: Response Intel vs AMD by Anonymous Coward · · Score: 0

      there will be no exodus from PCs to other platforms. PCs have their roles in the market. the gaming industry and corporate clients still need very beefy desktops/workstations. just because YOU don't need a PC does not mean that nobody needs one. you are either a troll or have a limited mindset.

    18. Re: Response Intel vs AMD by postbigbang · · Score: 1

      Good grief.

      What if there are actual facts inside? Would that interest you?

      --
      ---- Teach Peace. It's Cheaper Than War.
    19. Re:Response Intel vs AMD by Anonymous Coward · · Score: 0

      Intel we do not really care even when we get 30 days to fix the problem

      AMD gets 24 hours

    20. Re: Response Intel vs AMD by Anonymous Coward · · Score: 0

      K I looked. It's BS that says every AMD user is affected. But I'm on old stuff, so that's a lie.

    21. Re: Response Intel vs AMD by postbigbang · · Score: 1
      --
      ---- Teach Peace. It's Cheaper Than War.
    22. Re:Response Intel vs AMD by Anonymous Coward · · Score: 0

      Sure, you could just try to ad hominem your way out of this -- it is, after all, your third attempt so far. Or you could man the fuck up and admit that this:

      If a BIOS can be re-flashed, it can be flashed back again. This is an architectural problem that isn't going to be easily fixed. Every sysadmin is going to have to look for unscheduled reboots, which is the first sign that something got root, then re-flashed the system with the vulnerabilities cited, likely with a malware payload.

      Was the dumbest gods-damned thing anyone even pretending to be a techie has ever said, ever. Like SAs don't already investigate unscheduled reboots anyway? Never mind out-of-band firmware changes without a CR?

      This "new and terrifying" capacity to push a bios update has been a known attack vector probably longer than you've been alive, and even the shittiest little startup shops out there have the basic monitoring systems in place to detect what you describe. Now, maybe you meant to say something that wasn't gobsmacking fucking ignorant, but you failed at that, and rather than just admit it, you're going to sit there and try to lecture your betters? Go fuck yourself.

    23. Re: Response Intel vs AMD by Anonymous Coward · · Score: 0

      Lol idiot kids are idiots. That never changes

    24. Re: Response Intel vs AMD by Anonymous Coward · · Score: 0

      there will be no exodus from PCs to other platforms. PCs have their roles in the market. the gaming industry and corporate clients still need very beefy desktops/workstations. just because YOU don't need a PC does not mean that nobody needs one. you are either a troll or have a limited mindset.

      You are truly nothing more than a fucktard that knows nothing. A mass exodus (https://www.forbes.com/sites/adamhartung/2016/04/15/pc-sales-in-q1-drop-more-than-10-are-you-surprised-do-you-care/#511d115273bb) is already happening. There is nothing a PC can do that a tablet cannot. The reverse will not be true as there will be things a tablet can do that a PC cannot. Within five years there will be no need for a PC other than for stupid old fucks like you. The microchip division Intel is hemorrhaging money and soon AMD will face the same fate as Microsoft and Sony get away from X86 for their gaming systems and they will go with ARM or some other microprocessor architecture as they go portable much like Nintendo. Face it, you old fucks love old even if it means staying with insecure relics from another era. I have facts while you have nothing.

      http://fortune.com/2017/10/10/...

    25. Re: Response Intel vs AMD by Anonymous Coward · · Score: 0

      Only 1 is related to asmedia, the other 3 are AMD.
      Even then, there's currently zero evidence that the asmedia related bug isn't unique to the AMD chipset implementation. The fanboy ISM around this issue is quite pathetic and kinda proves CTS-labs point about harm minimisation.

    26. Re: Response Intel vs AMD by Brockmire · · Score: 1

      I just updated a mobo's bios last updated in 2012. It doesn't support downgrading after installing a bios from a certain point. That wasn't the first mobo with downgrade prevention I've seen, either. I don't think you know wtf you're talking about.

    27. Re: Response Intel vs AMD by Brockmire · · Score: 0

      What are you, in fucking sales or something? You're fucking stupid. This is a tech site. We just about all have multiple, beefy computers and do actual fucking work with them. Fuck off.

    28. Re: Response Intel vs AMD by postbigbang · · Score: 1

      Did it have an onboard PSP? Did it need auth to that PSP? Did it use any security co-processor? That's the point. Right now you can bypass the auth. Anything could be there, and you would have NO way of finding it. Go ahead and install a new BIOS. The new BIOS still can't see what's on that PSP. Downgrade prevention isn't the problem. It's that you can't audit what's there, and code in the PSP prior to the BIOS install *will still be executed* unless you cut off the PSP entirely, and that's not gonna happen because doing so disables a lot of functionality in the processor.

      --
      ---- Teach Peace. It's Cheaper Than War.
    29. Re: Response Intel vs AMD by Anonymous Coward · · Score: 0

      What are you, in fucking sales or something? You're fucking stupid. This is a tech site. We just about all have multiple, beefy computers and do actual fucking work with them.

      Fuck off.

      Oooh, TRIGGERED! You poor little snowflake, having a meltdown like you are an autistitard or something. Face it, the PC and Macintosh are almost done and I have provided sources backing my claims up. Where are your sources? Oh, that's right you are the one that is so fucking stupid because you have no sources other than "I USE COMPUTERS SO TEY AIN'T DYIN" type of anecdote. Just because stupid little fucks like you use a PC doesn't mean the rest of society is using them. In fact PCs and Mac are only being purchased by old fucktarded baby boomers and a few Gen Xers. Most Gen Xers and millennials are moving away from such shit and going towards tablets and smartphones.

  2. AMD just needs to force MB makers to push out by Joe_Dragon · · Score: 3, Insightful

    AMD just needs to force MB makers to push out updates?? And down the road what about cpu bios updates that work on ANY MB?

    1. Re:AMD just needs to force MB makers to push out by F.Ultra · · Score: 2

      They can also push out new microcode updates to the OS vendors, you can get microcode updates via BIOS and via the OS. If you're on e.g. Debian/Ubuntu you can install "amd64-microcode or intel-microcode" depending on if you use an AMD or Intel CPU. Microsoft and Apple probably include them in an update as well.

    2. Re:AMD just needs to force MB makers to push out by DamnOregonian · · Score: 1

      And if someone has already owned the SMU, they can make you think you installed the BIOS, but replace the little blurb of SMU code in it transparently, allowing you to think you've fixed the problem, without actually having done so!
      But no, this isn't a problem.

    3. Re:AMD just needs to force MB makers to push out by F.Ultra · · Score: 1

      However looking at this particular issue this is not a microcode update so it must be done via a BIOS update, sorry for the confusion.

    4. Re: AMD just needs to force MB makers to push out by Anonymous Coward · · Score: 0

      So what do you expect they do? AMD is doing everything they can. No product is perfect, of course some products have bugs. They are sending out patches to vendors. what else can they do?

    5. Re: AMD just needs to force MB makers to push out by Brockmire · · Score: 1

      So you think mythical malware that takes advantage of this already has such countermeasures tested and working? You're trying hard.

    6. Re: AMD just needs to force MB makers to push out by DamnOregonian · · Score: 1

      No, I don't...
      But it's not a difficult target if you've got control of the ARM on the AMD CPU.
      I'm not trying hard at all. On the contrary- people are trying really hard to defend this as "not a big deal" and I'm saying it IS. And I'm qualified to say so.

  3. "Vulnerabilities" by TimothyHollins · · Score: 5, Insightful

    This was nothing more than a poorly sourced hitpiece.

    The list of vulnerabilities require administrator access. I doubt real security researchers would even consider that a vulnerability. There was nothing "disastrous" to report, and the claim by CTS Labs that it would "take 2 years to fix" the reported flaws was nothing short of outright lying. I wouldn't be surprised if Intel recently funded independent Israeli security researchers for goodwill.

    http://www.tomshardware.com/ne...

    1. Re:"Vulnerabilities" by Anonymous Coward · · Score: 2, Funny


      The list of vulnerabilities require administrator access. I doubt real security researchers would even consider that a vulnerability.

      It's a vulnerability, it's just not one that warrants much concern. This comic comes to mind, though the caption should be "they can install drivers, replace the entire system, read any file they want, sniff all my packets, login to my facebook, my email, etc.. but at least they can't replace my BIOS, or read super-secret areas of the CPU!"

    2. Re:"Vulnerabilities" by Gaygirlie · · Score: 2, Insightful

      That's ridiculous. A vulnerability is a vulnerability, and these vulnerabilities let a malicious actor install persistent, undetectable badware -- that's pretty fucking bad, IMHO. Yes, the vulns require admin rights, but it's not like there aren't plenty of ways of getting those; you can fool people to install/run something with admin-rights, there are plenty of sysadmins/repair-technicians/etc. who could install such badware on a system, state-sponsored actors almost definitely have a good bunch of unreleased hacks that allow for privilege-escalation and so on.

      It's obviously a good thing that AMD is going to patch the vulnerabilities and no, I am not claiming that they are anywhere near as bad as CTS Labs made them out to be, but closing your eyes and going "LALALALALALA" doesn't mean they aren't bad.

    3. Re:"Vulnerabilities" by upl8n87447 · · Score: 2

      The real problem is that if someone were to get admin access, they could plant the malware where there was no way of finding it.

      Still though, this was clearly a hit piece by CTS Labs in hopes of capitalizing on the fall out. The shorts must be crapping themselves. With how quickly AMD responded with fixes, my bet is that they already knew about it. For something this serious, you not only want to fix the problem, but test the living hell out of it to make sure you're not inadvertently breaking something else.

    4. Re:"Vulnerabilities" by Anonymous Coward · · Score: 0

      That's ridiculous. A vulnerability is a vulnerability, and these vulnerabilities let a malicious actor install persistent, undetectable badware -- that's pretty fucking bad, IMHO. Yes, the vulns require admin rights (...)

      If you let malicious code run with admin rights then you are already pwned, period, no further vulnerability required to screw you as hard as the badware's author wants to.

    5. Re:"Vulnerabilities" by thegarbz · · Score: 1

      A vulnerability is a vulnerability

      You've never heard of the concept of "risk" have you.

    6. Re:"Vulnerabilities" by Gaygirlie · · Score: 1

      A vulnerability is a vulnerability

      You've never heard of the concept of "risk" have you.

      Already addressed that in my comment, but, unsurprisingly, the foam dripping from your mouth as you were about to pop a ragevein must have hindered your reading-comprehension skills.

    7. Re:"Vulnerabilities" by Gaygirlie · · Score: 2

      Badware that cannot be detected or removed by completely formatting the system is still a step worse.

    8. Re:"Vulnerabilities" by MachineShedFred · · Score: 1

      Pull power cable. Plug USB boot drive in. Boot from USB. Flash malicious code to hardware because I'm root on my boot stick.

      No, these vulnerabilities are just fine, according to you.

      --
      Slashdot still doesn’t support Unicode after it was added to the HTML standard in 1997.
    9. Re:"Vulnerabilities" by Anonymous Coward · · Score: 0

      In the era of flashable everything with zero signature checks, you simply cannot fully trust hardware once it's been compromised. Firmware rootkits have been a thing for a long time, and state sponsored attacks have used these esoteric methods before. Hardware manufacturers continue to release vulnerable systems. Everything old is new again.

    10. Re:"Vulnerabilities" by DamnOregonian · · Score: 1

      I doubt real security researchers

      Hi. Real security researcher here. You have no idea what you're talking about. These days, systems that run "higher" than root on the main CPU are ubiquitous from the embedded to desktop range. Getting root/administrator access is only the first step. This presents a single easy target for above-root access to a machine. This is a big deal. Quit shilling.

    11. Re:"Vulnerabilities" by DamnOregonian · · Score: 1

      Right on all accounts. This article dearly needs you modded up.
      The only thing I would change is, "they could also plant malware where there was no way of finding it, or removing it."

    12. Re:"Vulnerabilities" by Gaygirlie · · Score: 1

      Firmware-rootkits, yes, but you seemingly fail to comprehend that the PSP is a completely autonomous system that's running at all times and can access anything and everything, and if the badware residing there doesn't want you knowing about it, you won't know about it. Firmware-rootkits, the kind mentioned in the article, can be detected. Also, the PSP is running a complete OS of its own, so it can do a lot more sophisticated stuff. Like I said, this is a step worse. No, it's not an entirely new concept or anything, but it just takes the old ideas and moves them even further along. (Not that Intel's ME is any better. Stupid god damn black boxes that shouldn't even exist.)

    13. Re:"Vulnerabilities" by Anonymous Coward · · Score: 1

      Pull power cord.

      Discover that the computer isn't allowing to boot from anything but the HDD.

      Discover that the BIOS is password protected.

      Put USB boot media back in pocket.

      Put on your most disappointed face.

      Don't assume the people trying to keep you out are total idiots.

    14. Re:"Vulnerabilities" by TheRaven64 · · Score: 1

      Think about supply-chain trojans: Someone who has access to your computer before you unpack it can (fairly easily) install malware that is not detectable and is not erased when you re-image the machine. That's probably not a concern for individuals, but for anyone worried about corporate espionage or nation state adversaries, it's a problem.

      --
      I am TheRaven on Soylent News
    15. Re:"Vulnerabilities" by Bert64 · · Score: 2

      If you have physical access you could also:

      clone the drive
      backdoor the existing install
      install a hardware keylogger
      modify the hardware

      and all manner of other things. As many people have said, yes it's a bug but it's nowhere near as serious as people have been claiming.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    16. Re:"Vulnerabilities" by Anonymous Coward · · Score: 1

      Hi,

      Real security researcher, software developer, and system administrator here with 20+ years experience. In the "real world" we call an attacker getting admin access "you're screwed", and gaining access to replace the BIOS or some super-secret part of the chip isn't really much more of a compromise. I'm sure there's _some_ systems out there where this is a "big deal", but for the vast majority of computer owners, system administrators, and corporations, this is a non-event.

      It _is_ a vulnerability, but it's not one that's that massive of a concern. Are you _really_ going to take down your critical system just to patch the BIOS on a machine that if someone got admin access they've already gained all the marbles in the box? In the vast, vast majority of cases the answer is going to be no. And that's generally going to be the correct answer.

      If you really _are_ a security researcher, you're a good example of what's the matter with the security "industry". The people I'm talking about express the attitude that "Security==everything", and security==yes/no. That's foolish. Real security is a series of tradeoffs, and extremely specific to the domain, and is NEVER 100%.

    17. Re:"Vulnerabilities" by hairyfeet · · Score: 2

      Which is why I am SOO HAPPY when shit like this happens, because these "extra chips" that the user doesn't have control over? Need to DIAF. It was a bad idea from conception to execution and the sooner the world realizes that these were only shoehorned in so Hollywood and the big corps could bake in DRM to screw users easier? The quicker we can get these damned things removed and move on.

      If the PTBs want these chips? Let them be in enterprise class units so they can pay for them and everyone else can avoid them like the STDs they are, but there is NO REASON to bake this shit into every PC on the planet and shit like this just illustrates why.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    18. Re:"Vulnerabilities" by thegarbz · · Score: 1

      the foam dripping from your mouth

      Not foam, just a TL;LD.

      I don't really get worked up about much, not even enough to read to the end of most sentences.

    19. Re:"Vulnerabilities" by Anonymous Coward · · Score: 0

      And you shouldn't assume that the millions of PCs that are purchased per year are actually configured with any firmware settings other than the defaults. Major corporations don't even use BIOS passwords, why the hell would you think that the majority of personal computers would be?

      If the defaults allow you to install malware, then there are automatically going to be "vulnerable" systems. It's the default. And, if you "exploit" this (not really exploiting a vulnerability when you're just loading on different code, other than the fact it allows you to run unsigned code on their ill-advised and un-asked-for management engine), it can survive OS reinstalls, disk swaps, etc.

      But I guess that's not an issue? Because less than 1% of people have turned on a BIOS password?

      Who is the total idiot again?

    20. Re:"Vulnerabilities" by Anonymous Coward · · Score: 1

      Who's the idiot? You. No doubt. "OMG OMG THE SKY IS FALLING!!! UNKNOWN LITTLE MEN ARE GOING TO SHOW UP EVERYWHERE AND PWN EVERYTHING!"

      Jesus Christ. If major companies don't use BIOS passwords, that's on them, for starters. Exactly how you're going to get onto their premises and why you think they'd leave you alone to fiddle with their computers, I leave for you to explain further.

      Finally, yes, I suppose if you infiltrated the supply line you'd get a free rein, but you still have utterly failed, every time when asked to, to explain how this is different when we are talking about AMD as opposed to anyone else. The rule is, if you have physical access to the hardware, it's game over.

      NO MATTER WHO MADE THE HARDWARE!

      Fucking moron. Running around, yelling at the top of your lungs and kicking in open doors, pretending it's a fucking huge deal. STFU.

    21. Re: "Vulnerabilities" by Anonymous Coward · · Score: 0

      And the Intel ME default password issue required physical access to the device but compare the outcry over that and this. Welcome to the ugly side of fanboys.

    22. Re:"Vulnerabilities" by DamnOregonian · · Score: 1

      You're completely full of shit, or grossly ignorant. I suspect the latter- you're simply out of your league, here.
      I suspect you don't really know much about secure zones in processors.
      To start, replacing the BIOS in a virus isn't really feasible. The possible variations the virus must contend with (BIOS/EFI variations) in order to put in a custom owned BIOS really only leaves room for very custom jobs.
      The PSP however is fixed. If you have an AMD processor, the PSP can be owned with a simple root exploit, and owned forever, knowing nothing more than that about the system.
      You're what's wrong with this fucking country- people who speak from positions of knowledge when they have none.

  4. Intel by 110010001000 · · Score: 0

    What about Intel's Meltdown flaw? Fixed yet?

    1. Re:Intel by Gaygirlie · · Score: 1

      There was this Ars Technica-article at https://arstechnica.com/gadget... that talks about it, but unfortunately the article doesn't mention any dates. It's a couple of weeks old now, so the microcodes have possibly started to circulate via Windows Update by now?

    2. Re:Intel by Anonymous Coward · · Score: 0

      That's old news. This is about AMD vulnerabilities and hoping your MB vendor puts out an update. Please try to keep up.

    3. Re:Intel by Anonymous Coward · · Score: 0

      What about Intel's Meltdown flaw? Fixed yet?

      Fixed dozens of times. Rumor has it that some of those fixes came reasonably close to actually working too!

    4. Re:Intel by Anonymous Coward · · Score: 0

      It must be fixed. My computer WITH AN INTEL CPU is running slower than it used to.

    5. Re:Intel by DamnOregonian · · Score: 1

      That is the most transparent whataboutism I have ever seen.... I suppose at least you're honest.
      Can you help me understand why the blatant defensive shilling for AMD? It's cancerous here.

    6. Re:Intel by Anonymous Coward · · Score: 0

      Do you want to know what's cancerous around here?

      It's all the cock-munching little Intel fanboys who keep trying to conflate spectre and meltdown, and implying that AMD is just as bad as Intel, or even worse. They are also continuously trying to find every last little scrap of bad news they can find about AMD, and inflate it out of every proportion, because they can't handle Intel looking like shit and their brainless fanboyism making them look like gigantic idiots, so they have to make even bigger fools of themselves.

      Those are the truly cancerous types.

    7. Re:Intel by Highdude702 · · Score: 1

      It's almost like Trump owns AMD as much hate as they get online..

    8. Re:Intel by DamnOregonian · · Score: 1

      The rabid AMD defenders who amazingly shit all over Intel when they had the same fucking problem in their IME, but try to act like this isn't an issue definitely remind of Trump Trolls.

  5. Sure by ArchieBunker · · Score: 2

    You just have to buy a new CPU, motherboard, and RAM.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  6. just don't expose the hypervisor. by Anonymous Coward · · Score: 0

    Anybody who exposes the hypervisor in such a way that can allow any remote access wouldn't be in charge of a data-center anyways. This was never a risk to the datacenter. This could be exploited on home systems and poorly administered bare-metal systems tho.

  7. AMD, please remove the PSP by emil · · Score: 3, Insightful

    I do not want a Platform Security Processor, Management Engine, or any other hardware on my CPU that I cannot control.

    These products serve absolutely no purpose for the general consumer - they are only useful in enterprise (corporate) environments for centralized control.

    I would like the option to destroy the PSP on any CPU that I own.

    If you refuse to manufacture CPUs lacking this component, then give customers the ability to request an unlock code that forever physically disables a component that is both dangerous and (to them) irrelevant. The request could work similarly to cell phone programs that unlock bootloaders.

    AMD, make no mistake - home users emphatically do not want the PSP.

    1. Re:AMD, please remove the PSP by DamnOregonian · · Score: 4, Insightful

      This is what I wish people would take away from this :(
      Instead, they're too busy trying to ravenously defend AMD's misstep.
      We have got to get these closed ring -1 black box processors out of our fucking equipment. It's horse shit.

    2. Re:AMD, please remove the PSP by Bert64 · · Score: 2

      Or provide a PSP that users can control and load their own software onto, or disable if they wish.

      Home users may not want it, but large vendors absolutely do want it to enforce DRM and other user-hostile "features".

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    3. Re:AMD, please remove the PSP by sl3xd · · Score: 1

      I do not want a Platform Security Processor, Management Engine, or any other hardware on my CPU that I cannot control.

      These products serve absolutely no purpose for the general consumer - they are only useful in enterprise (corporate) environments for centralized control.

      Mass production means we get features we don't need. CPUs and motherboards are designed to suit all buyers. It's cheaper to include the feature everywhere than it is to support an additional model.

      Even in the 1990s, manufacturers were including features the customer didn't want (like integrated sound and video hardware), because it was cheaper to standardize across the board than to provide a different model that doesn't have it. I'm not sure it's even possible to get an Intel or AMD motherboard without integrated graphics and video.

      If you refuse to manufacture CPUs lacking this component, then give customers the ability to request an unlock code that forever physically disables a component that is both dangerous and (to them) irrelevant.

      Provide an avenue for malware to physically destroy hardware? That's an even worse idea.

      --
      -- Sometimes you have to turn the lights off in order to see.
    4. Re:AMD, please remove the PSP by Anonymous Coward · · Score: 0

      There are a few motherboards with no video outs, meaning that if you have a GPU integrated into the CPU it will have no physical video out but the GPU still is there. If that's an AM4 motherboard (for Ryzen) and you use a Ryzen CPU with no integrated GPU, you have no GPU.
      The high end desktops with quad channel memory (Intel's 2011 sockets and 2066 socket, AMD Threadripper) have no GPU either.

      In older times the GPU was on the motherboard's chipset, but that was optional as you also could get a chipset without GPU. After many years, I discovered that the Nforce 520 LE chipset is in fact a geforce 6150 series chipset (due to output from lspci and such telling me it's the same MCPxx chip in there) but I assume the GPU is disabled as in laser-cut/fused out and the system doesn't know in any way it's there.

      Regarding Intel Management Engine, which is more to the point.. The first version or two were disabled unless you had a "pro" motherboard! (Intel vPro, Q-series chipset like Q35). But you also could still get a 3rd party chipset (nvidia, VIA, etc.) to go with a Core2Duo or Core2Quad. With Core i things, the integration got stronger and they somehow went for an always-on Intel ME. Perhaps it does mundane boring house-keeping things when you turn the PC on (check if the chipset is on fire, etc.)

    5. Re:AMD, please remove the PSP by DamnOregonian · · Score: 1

      I have multiple published CVEs in the NVD. One is a root escalation in Android/Linux.
      I'm not mischaracterizing this. People are trying to downplay it, because they've either got an agenda, or they're simply ignorant fanchildren.

      Linus isn't ignorant... I'd say he's more in-line with a delusional fanchild.
      The premise for his argument as to whether this is a big deal or not hinges on the vileness of the lab that found the problems (which who can argue with? those guys are slime) and the fact that an administrator must apparently be "grossly negligent" in order to allow someone to get root on a system running Linux... Which, excuse me while I laugh.

  8. Service Badges for Vulnerabilities by Anonymous Coward · · Score: 0

    The military has service badges, why not collect tokens for vulnerabilities? https://badgly.com/collections/vuln

  9. Don't need to be rid of them...we need the keys! by Anonymous Coward · · Score: 0

    Or a way to disable OEM signing and run a local key instead, whether stored in NVRAM, burned in the SPI flash, or efused into the PSP (last for obvious reasons I don't recommend.)

    So long as it can't be updated or read from userspace during the operation of the computer it is secure, and the benefit to having it external to the processor is that if either the key or algorithm is ever compromised it won't matter because it will still require physical access to compromise the security processor on the system. And with access to the security processor there are many opportunities for the owner/operator of the computer to utilize it for out of band purposes which actually WOULD secure their system, some of which we haven't even dreamed of yet.

    The processor itself isn't the problem, the mandatory blackbox firmware blobs, lack of documentation, and inability for the end user to replace it *ARE*. The same problem exists on all modern ARM SoCs and most devices designed off them (save the SBCs like the Raspberry Pi, etc most of which have the TrustZone infrastructure permanently disabled in the efused/rom stage0 bootloader programmed into the SoC by a manufacturer. Given that many applications today REQUIRE a TrustZone/TPM/Secure Processor to install/run/attest the platform before operation, it is very difficult to find end-user secure platforms before even getting down to OS-level or application specific bugs/attacks.)

  10. You talk bullshit by Anonymous Coward · · Score: 0

    The point is by the time someone/something has a hold of admin level access (which the AMD exploits require to work), many parts of the system can be compromised in many different ways already, such as planting persistent backdoors everywhere.

    That is why Linus was publicly mocking CTS Labs.