Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
AMD Security

AMD Says Patches Coming Soon For Chip Vulnerabilities (securityweek.com) 84

wiredmikey writes: After investigating recent claims from a security firm that its processors are affected by more than a dozen serious vulnerabilities, chipmaker Advanced Micro Devices (AMD) says patches are coming to address several security flaws in its chips. In its first public update after the surprise disclosure of the vulnerabilities by Israeli-based security firm CTS Labs, AMD said the issues are associated with the firmware managing the embedded security control processor in some of its products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.

AMD said that patches will be released through BIOS updates to address the flaws, which have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA. The company said that no performance impact is expected for any of the forthcoming mitigations.

This discussion has been archived. No new comments can be posted.

AMD Says Patches Coming Soon For Chip Vulnerabilities

Comments Filter:
  • by Joe_Dragon ( 2206452 ) on Wednesday March 21, 2018 @09:10AM (#56296833)

    AMD just needs to force MB makers to push out updates?? And down the road what about cpu bios updates that work on ANY MB?

    • They can also push out new microcode updates to the OS vendors, you can get microcode updates via BIOS and via the OS. If you'r on i.g Debian/Ubuntu you can install "amd64-microcode or intel-microcode" depending on if you use an AMD or Intel CPU. Microsoft and Apple probably include them in an update as well.
      • However looking at this particular issue this is not a microcode update so it must be done via a BIOS update, sorry for the confusion.
    • And if someone has already owned the SMU, they can make you think you installed the BIOS, but replace the little blurb of SMU code in it transparently, allowing you to think you've fixed the problem, without actually having done so!
      But no, this isn't a problem.
  • "Vulnerabilities" (Score:5, Insightful)

    by TimothyHollins ( 4720957 ) on Wednesday March 21, 2018 @09:11AM (#56296837)

    This was nothing more than a poorly sourced hitpiece.

    The list of vulnerabilities require administrator access. I doubt real security researchers would even consider that a vulnerability. There was nothing "disastrous" to report, and the claim by CTS Labs that it would "take 2 years to fix" the reported flaws was nothing short of outright lying. I wouldn't be surprised if Intel recently funded independent Israeli security researchers for goodwill.

    http://www.tomshardware.com/ne... [tomshardware.com]

    • Re: (Score:2, Funny)

      by Anonymous Coward


      The list of vulnerabilities require administrator access. I doubt real security researchers would even consider that a vulnerability.

      It's a vulnerability, it's just not one that warrants much concern. This [xkcd.com] comic comes to mind, though the caption should be "they can install drivers, replace the entire system, read any file they want, sniff all my packets, login to my facebook, my email, etc.. but at least they can't replace my BIOS, or read super-secret areas of the CPU!"

    • Re: (Score:3, Insightful)

      Comment removed based on user account deletion
      • A vulnerability is a vulnerability

        You've never heard of the concept of "risk" have you.

    • The real problem is that if someone were to get admin access, they could plant the malware where there was no way of finding it.

      Still though, this was clearly a hit piece by CTS Labs in hopes of capitalizing on the fall out. The shorts must be crapping themselves. With how quickly AMD responded with fixes, my bet is that they already knew about it. For something this serious, you not only want to fix the problem, but test the living hell out of it to make sure you're not inadvertently breaking something

      • Right on all accounts. This article dearly needs you modded up.
        The only thing I would change is, "they could also plant malware where there was no way of finding it, or removing it."
    • Pull power cable. Plug USB boot drive in. Boot from USB. Flash malicious code to hardware because I'm root on my boot stick.

      No, these vulnerabilities are just fine, according to you.

      • by Anonymous Coward

        Pull power cord.

        Discover that the computer isn't allowing to boot from anything but the HDD.

        Discover that the BIOS is password protected.

        Put USB boot media back in pocket.

        Put on your most disappointed face.

        Don't assume the people trying to keep you out are total idiots.

      • by Bert64 ( 520050 )

        If you have physical access you could also:

        clone the drive
        backdoor the existing install
        install a hardware keylogger
        modify the hardware

        and all manner of other things. As many people have said, yes it's a bug but it's nowhere near as serious as people have been claiming.

    • I doubt real security researchers

      Hi. Real security researcher here. You have no idea what you're talking about. These days, systems that run "higher" than root on the main CPU are ubiquitous from the embedded to desktop range. Getting root/administrator access is only the first step. This presents a single easy target for above-root access to a machine. This is a big deal. Quit shilling.

      • by Anonymous Coward

        Hi,

        Real security researcher, software developer, and system administrator here with 20+ years experience. In the "real world" we call an attacker getting admin access "you're screwed", and gaining access to replace the BIOS or some super-secret part of the chip isn't really much more of a compromise. I'm sure there's _some_ systems out there where this is a "big deal", but for the vast majority of computer owners, system administrators, and corporations, this is a non-event.

        It _is_ a vulnerability, but it

        • You're completely full of shit, or grossly ignorant. I suspect the latter- you're simply out of your league, here.
          I suspect you don't really know much about secure zones in processors.
          To start, replacing the BIOS in a virus isn't really feasible. The possible variations the virus must contend with (BIOS/EFI variations) in order to put in a custom owned BIOS really only leaves room for very custom jobs.
          The PSP however is fixed. If you have an AMD processor, the PSP can be owned with a simple root exploit,
      • Comment removed based on user account deletion
  • What about Intel's Meltdown flaw? Fixed yet?
  • by emil ( 695 ) on Wednesday March 21, 2018 @10:53AM (#56297475)

    I do not want a Platform Security Processor, Management Engine, or any other hardware on my CPU that I cannot control.

    These products serve absolutely no purpose for the general consumer - they are only useful in enterprise (corporate) environments for centralized control.

    I would like the option to destroy the PSP on any CPU that I own.

    If you refuse to manufacture CPUs lacking this component, then give customers the ability to request an unlock code that forever physically disables a component that is both dangerous and (to them) irrelevant. The request could work similarly to cell phone programs that unlock bootloaders.

    AMD, make no mistake - home users emphatically do not want the PSP.

    • by DamnOregonian ( 963763 ) on Wednesday March 21, 2018 @11:37AM (#56297849)
      This is what I wish people would take away from this :(
      Instead, they're too busy trying to ravenously defend AMD's misstep.
      We have got to get these closed ring -1 black box processors out of our fucking equipment. It's horse shit.
    • by Bert64 ( 520050 )

      Or provide a PSP that users can control and load their own software onto, or disable if they wish.

      Home users may not want it, but large vendors absolutely do want it to enforce drm and other user-hostile "features".

    • by sl3xd ( 111641 )

      I do not want a Platform Security Processor, Management Engine, or any other hardware on my CPU that I cannot control.

      These products serve absolutely no purpose for the general consumer - they are only useful in enterprise (corporate) environments for centralized control.

      Mass production means we get features we don't need. CPU's and motherboards are designed to suit all buyers. It's cheaper to include the feature everywhere than it is to support an additional model.

      Even in the 1990's, manufacturers were including features the customer didn't want (like integrated sound and video hardware), because it was cheaper to standar

Beware of all enterprises that require new clothes, and not rather a new wearer of clothes. -- Henry David Thoreau

Working...