AMD is investigating a report that claims several of the company’s processors are vulnerable to more than a dozen security flaws.
The chipmaker said in a statement Tuesday that it is “actively investigating and analyzing” findings by CTS Labs, a largely unknown Tel Aviv-based cybersecurity startup founded last year.
Hours earlier, the startup posted a website, a research paper, and a video describing 13 vulnerabilities, which it had branded Ryzenfall, Master Key, Fallout, and Chimera, which it’s claimed could allow attackers to obtain sensitive data from AMD’s Ryzen and EPYC processors, used on millions of devices.
Specifics of the vulnerabilities were not specified in detail in the whitepaper, leading many to approach with caution and skepticism.
What is known is that the flaws are not easily exploited — an attacker must gain administrative privileges first, which can be obtained using malware to escalate a logged-in user’s privileges. That level of access means a machine is already compromised.
Sister site CNET has the full rundown of each set of vulnerabilities.
But the discovery and publication of these flaws has been met with ire from many high profile names in the security community for how the researchers discovered and disclosed the flaws.
The researchers gave AMD less than 24 hours to examine at the vulnerabilities and respond before publishing their report. In almost every responsible vulnerability disclosure, companies are given at least 90 days to fix a flaw — which can be extended, if agreed to by the discoverer, if certain conditions are met.
In the case of Meltdown and Spectre, the other most recent round of chip vulnerabilities that impacted Intel, ARM and some AMD chips, researchers gave the manufacturers more than six months to issue fixes and patches.
AMD threw shade at the firm, saying it was “unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings.”
Hours after the research was first published, security researcher Dan Guido confirmed that the bugs were real, after the research team had contacted him to review their work
“Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works,” he said in a tweet.
He told ZDNet that he believes that he is so far “the only one that’s seen” specifics of the vulnerabilities.
Up until shortly before this article was published, it wasn’t clear if the vulnerabilities were even real.
The findings had security researchers on edge all day. One security professional told me that the manner in which this report was released has only made researchers suspicious of the company, the findings, but also the researchers’ motives.
Reddit went into full “conspiracy man” mode, calling the legitimacy of the company into question.
Guido’s remarks give credence to the validity of the research, but how the Israeli research firm approached disclosure will be remembered as a lesson in how not to publish security research.
Contact me securely
Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
Lawsuits threaten infosec research — just when we need it most
NSA’s Ragtime program targets Americans, leaked files show
Leaked TSA documents reveal New York airport’s wave of security lapses
US government pushed tech firms to hand over source code
Millions of Verizon customer records exposed in security lapse
Meet the shadowy tech brokers that deliver your data to the NSA
Inside the global terror watchlist that secretly shadows millions
FCC chairman voted to sell your browsing history — so we asked to see his
198 million Americans hit by ‘largest ever’ voter records leak
Britain has passed the ‘most extreme surveillance law ever passed in a democracy’
Microsoft says ‘no known ransomware’ runs on Windows 10 S — so we tried to hack it
Leaked document reveals UK plans for wider internet surveillance