Slashdot Mirror


AMD Says Patches Coming Soon For Chip Vulnerabilities (securityweek.com)

wiredmikey writes: After investigating recent claims from a security firm that its processors are affected by more than a dozen serious vulnerabilities, chipmaker Advanced Micro Devices (AMD) says patches are coming to address several security flaws in its chips. In its first public update after the surprise disclosure of the vulnerabilities by Israel-based security firm CTS Labs, AMD said the issues are associated with the firmware managing the embedded security control processor in some of its products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.

AMD said that patches will be released through BIOS updates to address the flaws, which have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA. The company said that no performance impact is expected for any of the forthcoming mitigations.

18 of 84 comments

  1. AMD just needs to force MB makers to push out by Joe_Dragon · · Score: 3, Insightful

    AMD just needs to force MB makers to push out updates?? And down the road what about CPU BIOS updates that work on ANY MB?

    1. Re:AMD just needs to force MB makers to push out by F.Ultra · · Score: 2

      They can also push out new microcode updates to the OS vendors; you can get microcode updates via BIOS and via the OS. If you're on e.g. Debian/Ubuntu you can install "amd64-microcode" or "intel-microcode" depending on if you use an AMD or Intel CPU. Microsoft and Apple probably include them in an update as well.

  2. "Vulnerabilities" by TimothyHollins · · Score: 5, Insightful

    This was nothing more than a poorly sourced hitpiece.

    The list of vulnerabilities requires administrator access. I doubt real security researchers would even consider that a vulnerability. There was nothing "disastrous" to report, and the claim by CTS Labs that it would "take 2 years to fix" the reported flaws was nothing short of outright lying. I wouldn't be surprised if Intel recently funded independent Israeli security researchers for goodwill.

    http://www.tomshardware.com/ne...

    1. Re:"Vulnerabilities" by Anonymous Coward · · Score: 2, Funny


      The list of vulnerabilities requires administrator access. I doubt real security researchers would even consider that a vulnerability.

      It's a vulnerability, it's just not one that warrants much concern. This comic comes to mind, though the caption should be "they can install drivers, replace the entire system, read any file they want, sniff all my packets, log in to my Facebook, my email, etc. but at least they can't replace my BIOS, or read super-secret areas of the CPU!"

    2. Re:"Vulnerabilities" by Gaygirlie · · Score: 2, Insightful

      That's ridiculous. A vulnerability is a vulnerability, and these vulnerabilities let a malicious actor install persistent, undetectable badware -- that's pretty fucking bad, IMHO. Yes, the vulns require admin rights, but it's not like there aren't plenty of ways of getting those; you can fool people into installing/running something with admin rights, there are plenty of sysadmins/repair-technicians/etc. who could install such badware on a system, state-sponsored actors almost definitely have a good bunch of unreleased hacks that allow for privilege escalation and so on.

      It's obviously a good thing that AMD is going to patch the vulnerabilities and no, I am not claiming that they are anywhere near as bad as CTS Labs made them out to be, but closing your eyes and going "LALALALALALA" doesn't mean they aren't bad.

    3. Re:"Vulnerabilities" by upl8n87447 · · Score: 2

      The real problem is that if someone were to get admin access, they could plant the malware where there was no way of finding it.

      Still though, this was clearly a hit piece by CTS Labs in hopes of capitalizing on the fallout. The shorts must be crapping themselves. With how quickly AMD responded with fixes, my bet is that they already knew about it. For something this serious, you not only want to fix the problem, but test the living hell out of it to make sure you're not inadvertently breaking something else.

    4. Re:"Vulnerabilities" by Gaygirlie · · Score: 2

      Badware that cannot be detected or removed by completely formatting the system is still a step worse.

    5. Re:"Vulnerabilities" by Bert64 · · Score: 2

      If you have physical access you could also:

      clone the drive
      backdoor the existing install
      install a hardware keylogger
      modify the hardware

      and all manner of other things. As many people have said, yes it's a bug but it's nowhere near as serious as people have been claiming.

    6. Re:"Vulnerabilities" by hairyfeet · · Score: 2

      Which is why I am SOO HAPPY when shit like this happens, because these "extra chips" that the user doesn't have control over? Need to DIAF. It was a bad idea from conception to execution and the sooner the world realizes that these were only shoehorned in so Hollywood and the big corps could bake in DRM to screw users easier? The quicker we can get these damned things removed and move on.

      If the PTBs want these chips? Let them be in enterprise class units so they can pay for them and everyone else can avoid them like the STDs they are, but there is NO REASON to bake this shit into every PC on the planet and shit like this just illustrates why.

  3. Re:Response Intel vs AMD by mark-t · · Score: 4, Insightful

    First of all, this story has nothing to do with Meltdown or Spectre. It is about a set of AMD-specific bugs. Secondly, AMD wasn't affected by Meltdown. Nobody pretended it wasn't affected by Spectre other than people who didn't understand that when it was mentioned that "AMD was not affected", it was in reference to Meltdown only. The apparent disinformation is not acceptable, but is at least understandable because the news of both was publicly released essentially simultaneously and it would have been easy to misinterpret that AMD was unaffected as applying to both. This should have been more clearly worded in the initial release that made the statement. Nonetheless, a clarification was made when it became apparent that this is what people were believing.

    Finally, AMD's response to this is vastly more consumer-friendly than Intel's with respect to their own issues, because it only requires applying patches to existing hardware instead of having to go out and buy new hardware.

  4. Re:Response Intel vs AMD by Khyber · · Score: 4, Informative

    "It is about a set of AMD-specific bugs"

    No, no it is not. It's about a set of bugs in a specific range of ASMedia chipsets that AMD uses in their products, which are also in use on plenty of Intel motherboards, which means they're likely just as vulnerable.

  5. Sure by ArchieBunker · · Score: 2

    You just have to buy a new CPU, motherboard, and RAM.

  6. AMD, please remove the PSP by emil · · Score: 3, Insightful

    I do not want a Platform Security Processor, Management Engine, or any other hardware on my CPU that I cannot control.

    These products serve absolutely no purpose for the general consumer - they are only useful in enterprise (corporate) environments for centralized control.

    I would like the option to destroy the PSP on any CPU that I own.

    If you refuse to manufacture CPUs lacking this component, then give customers the ability to request an unlock code that forever physically disables a component that is both dangerous and (to them) irrelevant. The request could work similarly to cell phone programs that unlock bootloaders.

    AMD, make no mistake - home users emphatically do not want the PSP.

    1. Re:AMD, please remove the PSP by DamnOregonian · · Score: 4, Insightful

      This is what I wish people would take away from this :(
      Instead, they're too busy trying to ravenously defend AMD's misstep.
      We have got to get these closed ring -1 black box processors out of our fucking equipment. It's horse shit.

    2. Re:AMD, please remove the PSP by Bert64 · · Score: 2

      Or provide a PSP that users can control and load their own software onto, or disable if they wish.

      Home users may not want it, but large vendors absolutely do want it to enforce DRM and other user-hostile "features".

  7. Re:Response Intel vs AMD by alvinrod · · Score: 4, Informative

    It's even a little bit more constrained than that. It's about a set of bugs that require admin rights to exploit in a specific range of ASMedia chipsets that AMD uses in their products.

    For these to be a problem for you, you've probably already got a bigger set of problems. That doesn't mean that they shouldn't be patched, but that a far bigger deal has been made over this than necessary.

  8. Re:Response Intel vs AMD by DamnOregonian · · Score: 2

    That's partially true. The flaws affect both the ASMedia chips, and the embedded ARM system management processor in the CPU. Parent was not wrong.

  9. Re:Response Intel vs AMD by DamnOregonian · · Score: 2

    You're wrong on a lot of levels.
    First, this does absolutely affect the AMD CPUs (as well as the ASMedia chipset controllers).
    Second, an exploited administrator account is not a bigger deal than an owned chipset or system management controller.
    You are free to run any code you want on your main CPU. The SMU requires signed code for a very good reason- because it can transparently prevent you from actually updating its code, and transparently do... well, whatever the fuck it wants, up to and including preventing you from knowing it is there. There are no bigger problems than flaws at this level.