Security researchers discover flaws in AMD chips but raise eyebrows with hasty disclosure



A newly discovered set of vulnerabilities in AMD chips is making waves not because of the magnitude of the flaws, but rather because of the rushed, market-ready way in which the researchers disclosed them. When was the last time a bug had its own professionally shot video and a PR representative, yet the affected company was alerted only 24 hours in advance? The flaws may be real, but the precedent set here is unsavory.

The flaws in question were discovered by CTS Labs, a cybersecurity research company in Israel, and received a catchy set of names: Ryzenfall, Masterkey, Fallout, and Chimera, with associated logos, a dedicated website, and a white paper describing them.

So far, fairly normal: major bugs like Heartbleed and of course Meltdown and Spectre also have names and logos.

The difference is that in those cases the parties involved, such as Intel, the OpenSSL team and AMD, were quietly alerted well in advance. This is the concept of "responsible disclosure," which gives developers the first chance to fix a problem before it becomes public.

There is a legitimate debate about how much control large companies should have over the publicizing of their own weaknesses, but generally, in the interest of protecting users, the convention tends to be followed. In this case, however, the CTS Labs team sprang its flaws on AMD fully formed and with little warning.

The flaws discovered by the team are real, although they require administrative privileges to execute a cascade of actions, which means that exploiting them requires considerable access to the target system. The research describes some as backdoors deliberately included in the chips by the Taiwanese company ASMedia, which partners with many manufacturers to produce components.

That access requirement makes them much more limited than Meltdown and Spectre, which exploited problems at the level of memory handling and architecture. They are certainly serious, but the way they were published has raised suspicions around the web.

Why the extremely technical video shot on green screen with composited stock backgrounds? Why the scare tactics of calling out AMD's use in the military? Why don't the bugs have CVE numbers, the standard tracking method for almost any serious problem? Why did AMD have so little time to answer? If, as the FAQ suggests, some fixes could be created in a few months, why not at least delay publication until they are available? And what is with the disclosure that CTS "may have, directly or indirectly, an economic interest in the performance" of AMD? This is not a common disclosure in situations like this.

(I contacted the PR representative for the defects [!] for answers to some of these questions.)

It's hard to shake the idea that there is some kind of grudge against AMD at play. This does not make the flaws any less serious, but it leaves a bad taste in the mouth.

AMD issued a statement saying, "We are studying this report, which we have just received, to understand the methodology and the merit of the results." Hard to do much more in a day.

As always with these big bugs: how far do they reach, how serious are they, will users or businesses be affected, and what can they do to prevent them?
