AMD Security

AMD Says Patches Coming Soon For Chip Vulnerabilities (securityweek.com) 84

wiredmikey writes: After investigating recent claims from a security firm that its processors are affected by more than a dozen serious vulnerabilities, chipmaker Advanced Micro Devices (AMD) says patches are coming to address several security flaws in its chips. In its first public update after the surprise disclosure of the vulnerabilities by Israeli-based security firm CTS Labs, AMD said the issues are associated with the firmware managing the embedded security control processor in some of its products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.

AMD said that patches will be released through BIOS updates to address the flaws, which have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA. The company said that no performance impact is expected for any of the forthcoming mitigations.

  • by Joe_Dragon ( 2206452 ) on Wednesday March 21, 2018 @10:10AM (#56296833)

    AMD just needs to force MB makers to push out updates?? And down the road what about cpu bios updates that work on ANY MB?

    • They can also push out new microcode updates to the OS vendors, you can get microcode updates via BIOS and via the OS. If you're on e.g. Debian/Ubuntu you can install "amd64-microcode or intel-microcode" depending on if you use an AMD or Intel CPU. Microsoft and Apple probably include them in an update as well.
      • However looking at this particular issue this is not a microcode update so it must be done via a BIOS update, sorry for the confusion.
    • And if someone has already owned the SMU, they can make you think you installed the BIOS, but replace the little blurb of SMU code in it transparently, allowing you to think you've fixed the problem, without actually having done so!
      But no, this isn't a problem.
  • "Vulnerabilities" (Score:5, Insightful)

    by TimothyHollins ( 4720957 ) on Wednesday March 21, 2018 @10:11AM (#56296837)

    This was nothing more than a poorly sourced hitpiece.

    The list of vulnerabilities requires administrator access. I doubt real security researchers would even consider that a vulnerability. There was nothing "disastrous" to report, and the claim by CTS Labs that it would "take 2 years to fix" the reported flaws was nothing short of outright lying. I wouldn't be surprised if Intel recently funded independent Israeli security researchers for goodwill.

    http://www.tomshardware.com/ne... [tomshardware.com]

    • Re: (Score:2, Funny)

      by Anonymous Coward


      The list of vulnerabilities requires administrator access. I doubt real security researchers would even consider that a vulnerability.

      It's a vulnerability, it's just not one that warrants much concern. This [xkcd.com] comic comes to mind, though the caption should be "they can install drivers, replace the entire system, read any file they want, sniff all my packets, login to my facebook, my email, etc.. but at least they can't replace my BIOS, or read super-secret areas of the CPU!"

    • Re: (Score:3, Insightful)

      by Gaygirlie ( 1657131 )

      That's ridiculous. A vulnerability is a vulnerability, and these vulnerabilities let a malicious actor install persistent, undetectable badware -- that's pretty fucking bad, IMHO. Yes, the vulns require admin rights, but it's not like there aren't plenty of ways of getting those; you can fool people to install/run something with admin-rights, there are plenty of sysadmins/repair-technicians/etc. who could install such badware on a system, state-sponsored actors almost definitely have a good bunch of unrelea

      • A vulnerability is a vulnerability

        You've never heard of the concept of "risk" have you.

        • A vulnerability is a vulnerability

          You've never heard of the concept of "risk" have you.

          Already addressed that in my comment, but, unsurprisingly, the foam dripping from your mouth as you were about to pop a ragevein must have hindered your reading-comprehension skills.

          • the foam dripping from your mouth

            Not foam, just a TL;LD.

            I don't really get worked up about much, not even enough to read to the end of most sentences.

    • The real problem is that if someone were to get admin access, they could plant the malware where there was no way of finding it.

      Still though, this was clearly a hit piece by CTS Labs in hopes of capitalizing on the fall out. The shorts must be crapping themselves. With how quickly AMD responded with fixes, my bet is that they already knew about it. For something this serious, you not only want to fix the problem, but test the living hell out of it to make sure you're not inadvertently breaking something

      • Right on all accounts. This article dearly needs you modded up.
        The only thing I would change is, "they could also plant malware where there was no way of finding it, or removing it."
    • Pull power cable. Plug USB boot drive in. Boot from USB. Flash malicious code to hardware because I'm root on my boot stick.

      No, these vulnerabilities are just fine, according to you.

      • by Anonymous Coward

        Pull power cord.

        Discover that the computer isn't allowing to boot from anything but the HDD.

        Discover that the BIOS is password protected.

        Put USB boot media back in pocket.

        Put on your most disappointed face.

        Don't assume the people trying to keep you out are total idiots.

      • by Bert64 ( 520050 )

        If you have physical access you could also:

        clone the drive
        backdoor the existing install
        install a hardware keylogger
        modify the hardware

        and all manner of other things. As many people have said, yes it's a bug but it's nowhere near as serious as people have been claiming.

    • I doubt real security researchers

      Hi. Real security researcher here. You have no idea what you're talking about. These days, systems that run "higher" than root on the main CPU are ubiquitous from the embedded to desktop range. Getting root/administrator access is only the first step. This presents a single easy target for above-root access to a machine. This is a big deal. Quit shilling.

      • by Anonymous Coward

        Hi,

        Real security researcher, software developer, and system administrator here with 20+ years experience. In the "real world" we call an attacker getting admin access "you're screwed", and gaining access to replace the BIOS or some super-secret part of the chip isn't really much more of a compromise. I'm sure there's _some_ systems out there where this is a "big deal", but for the vast majority of computer owners, system administrators, and corporations, this is a non-event.

        It _is_ a vulnerability, but it

        • You're completely full of shit, or grossly ignorant. I suspect the latter- you're simply out of your league, here.
          I suspect you don't really know much about secure zones in processors.
          To start, replacing the BIOS in a virus isn't really feasible. The possible variations the virus must contend with (BIOS/EFI variations) in order to put in a custom owned BIOS really only leaves room for very custom jobs.
          The PSP however is fixed. If you have an AMD processor, the PSP can be owned with a simple root exploit,
      • Which is why I am SOO HAPPY when shit like this happens, because these "extra chips" that the user doesn't have control over? Need to DIAF. It was a bad idea from conception to execution and the sooner the world realizes that these were only shoehorned in so Hollywood and the big corps could bake in DRM to screw users easier? The quicker we can get these damned things removed and move on.

        If the PTBs want these chips? Let them be in enterprise class units so they can pay for them and everyone else can avoi

  • What about Intel's Meltdown flaw? Fixed yet?
    • There was this Ars Technica-article at https://arstechnica.com/gadget... [arstechnica.com] that talks about it, but unfortunately the article doesn't mention any dates. It's a couple of weeks old now, so the microcodes have possibly started to circulate via Windows Update by now?

    • You just have to buy a new CPU, motherboard, and RAM.

    • That is the most transparent whataboutism I have ever seen.... I suppose at least you're honest.
      Can you help me understand why the blatant defensive shilling for AMD? It's cancerous here.
  • by emil ( 695 ) on Wednesday March 21, 2018 @11:53AM (#56297475)

    I do not want a Platform Security Processor, Management Engine, or any other hardware on my CPU that I cannot control.

    These products serve absolutely no purpose for the general consumer - they are only useful in enterprise (corporate) environments for centralized control.

    I would like the option to destroy the PSP on any CPU that I own.

    If you refuse to manufacture CPUs lacking this component, then give customers the ability to request an unlock code that forever physically disables a component that is both dangerous and (to them) irrelevant. The request could work similarly to cell phone programs that unlock bootloaders.

    AMD, make no mistake - home users emphatically do not want the PSP.

    • by DamnOregonian ( 963763 ) on Wednesday March 21, 2018 @12:37PM (#56297849)
      This is what I wish people would take away from this :(
      Instead, they're too busy trying to ravenously defend AMD's misstep.
      We have got to get these closed ring -1 black box processors out of our fucking equipment. It's horse shit.
    • by Bert64 ( 520050 )

      Or provide a PSP that users can control and load their own software onto, or disable if they wish.

      Home users may not want it, but large vendors absolutely do want it to enforce drm and other user-hostile "features".

    • by sl3xd ( 111641 )

      I do not want a Platform Security Processor, Management Engine, or any other hardware on my CPU that I cannot control.

      These products serve absolutely no purpose for the general consumer - they are only useful in enterprise (corporate) environments for centralized control.

      Mass production means we get features we don't need. CPU's and motherboards are designed to suit all buyers. It's cheaper to include the feature everywhere than it is to support an additional model.

      Even in the 1990's, manufacturers were including features the customer didn't want (like integrated sound and video hardware), because it was cheaper to standar
