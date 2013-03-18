from the I'm-going-back-to-using-an-Abacus dept.
Security Researchers Publish Ryzen Flaws, Gave AMD 24 hours Prior Notice
Through the advent of Meltdown and Spectre, there is a heightened element of nervousness around potential security flaws in modern high-performance processors, especially those that deal with the core and critical components of company business and international infrastructure. Today, CTS-Labs, a security company based in Israel, has published a whitepaper identifying four classes of potential vulnerabilities of the Ryzen, EPYC, Ryzen Pro, and Ryzen Mobile processor lines. AMD is in the process of responding to the claims, but was only given 24 hours of notice rather than the typical 90 days for standard vulnerability disclosure. No official reason was given for the shortened time.
[...] At this point AMD has not confirmed any of the issues brought forth in the CTS-Labs whitepaper, so we cannot confirm in the findings are accurate. It has been brought to our attention that some press were pre-briefed on the issue, perhaps before AMD was notified, and that the website that CTS-Labs has setup for the issue was registered on February 22nd, several weeks ago. Given the level of graphics on the site, it does look like a planned 'announcement' has been in the works for a little while, seemingly with little regard for AMD's response on the issue. This is compared to Meltdown and Spectre, which was shared among the affected companies several months before a planned public disclosure. CTS-Labs has also hired a PR firm to deal with incoming requests for information, which is also an interesting avenue to the story, as this is normally not the route these security companies take. CTS-Labs is a security focused research firm, but does not disclose its customers or research leading to this disclosure. CTS-Labs was started in 2017, and this is their first public report.
CTS-Labs' claims revolve around AMD's Secure Processor and Promontory Chipset, and fall into four main categories, which CTS-Labs has named for maximum effect. Each category has sub-sections within.
Severe Security Advisory on AMD Processors from CTS.
Also at Tom's Hardware, Motherboard, BGR, Reuters, and Ars Technica.
(Score: -1, Offtopic) by Anonymous Coward on Wednesday March 14, @12:58PM
(Score: 2) by The Mighty Buzzard on Wednesday March 14, @01:01PM (2 children)
People, distribute your shit as something other than a compiled document format or I won't be reading it unless it's directly necessitated by my job. I don't need your bitch asses telling me the fonts and layout I have to view your document in. It pisses me off.
(Score: 0) by Anonymous Coward on Wednesday March 14, @01:05PM (1 child)
(Score: 2) by The Mighty Buzzard on Wednesday March 14, @01:24PM
Heh, that's from back when Axl wasn't near so much of a little bitch. Glad I'm not the only ancient person here.
(Score: 0) by Anonymous Coward on Wednesday March 14, @01:10PM
Step One: you build hardware with a backdoor.
Step Two: world+dog get use of your "secret" backdoor. Who'da thunk it?
It happened a thousand times or so, Totally Unexpected every single time.
(Score: 0) by Anonymous Coward on Wednesday March 14, @01:10PM (2 children)
I thought this was already debunked yesterday? I heard they are actual unplanned behaviours that you need physical root access to take advantage of, at which point the point is moot. Also the big deal with meltdown/spectre was the performance hit of fixing them, but no mention of that in this case.
Further that the people behind this are known stock manipulators, without any security expertise, and may have also been funded by intel (although that last part seemed to be only wild speculation).
(Score: 0) by Anonymous Coward on Wednesday March 14, @01:24PM
Earlier discussions:
https://www.reddit.com/r/AMD_Stock/comments/844vht/techies_discuss_amdflawscom/ [reddit.com]
(Score: 0) by Anonymous Coward on Wednesday March 14, @01:27PM
Problem is not whether you need root for it. Problem is whether you need a new computer after it.
Local root exploits do regularly surface, at least a few every year. Add a payload that persists till you scrap the hardware, and suddenly they become MUCH more profitable.