Security researchers discover flaws in AMD chips but raise eyebrows with hasty disclosure

A newly discovered set of vulnerabilities in AMD chips is making waves not because of the magnitude of the defects, but because of the rushed, market-ready way in which the researchers disclosed them. When was the last time a bug had its own professionally shot video and a PR representative, yet the affected company was alerted only 24 hours in advance? The flaws may be real, but the precedent set here is unsavory.

The flaws in question were discovered by CTS Labs, a cybersecurity research company in Israel, and received a catchy set of names: Ryzenfall, Masterkey, Fallout, and Chimera, with associated logos, a dedicated website, and a white paper describing them.

So far, so normal: major bugs like Heartbleed and, of course, Meltdown and Spectre also have names and logos.

The difference is that in those cases the parties involved, such as Intel, the OpenSSL team and AMD, were quietly alerted well in advance. This is the concept of "responsible disclosure", and it gives developers the first chance to fix a problem before it becomes public.

There is a legitimate debate about how much control large firms should have over the publicizing of their own weaknesses, but generally, in the interest of user protection, the convention tends to be followed. In this case, however, the CTS Labs team sprang its flaws on AMD fully formed and with little warning.

The flaws discovered by the team are real, although they require administrative privileges to run a cascade of actions, which means that exploiting them requires considerable access to the target system. The research describes some as backdoors deliberately included in chips by the Taiwanese company ASMedia, which partners with many manufacturers to produce components.

The access requirement makes them much more limited than Meltdown and Spectre, which exploited problems in memory management and architecture. They are certainly serious, but the way they were published has raised suspicions on the web.

Why the extremely technical video shot on green screen with composited stock backgrounds? Why the scare tactics of calling out the use of AMD in the military? Why do the bugs not have CVE numbers, the standard tracking method for almost any serious problem? Why did AMD have so little time to answer? Why not, if as the FAQ suggests some fixes could be created in a few months, at least delay publication until they are available? And what is with the disclosure that CTS "may have, directly or indirectly, an economic interest in the performance" of AMD? This is not a common disclosure in situations like this.

(I contacted the PR representative for the flaws [!] for answers to some of these questions.)

It's hard to shake the idea that there is a kind of grudge against AMD at play. This does not make the flaws any less serious, but it leaves a bad taste in the mouth.

AMD issued a statement saying, "We are studying this report, which we have just received, to understand the methodology and the merit of the results." Hard to do much more in a day.

As always with these big bugs, the open questions are the extent of their reach, their seriousness, whether users or businesses will be affected, and what they can do to prevent them.