AMD Says Patches Coming Soon For Chip Vulnerabilities (securityweek.com) 12
wiredmikey writes: After investigating recent claims from a security firm that its processors are affected by more than a dozen serious vulnerabilities, chipmaker Advanced Micro Devices (AMD) says patches are coming to address several security flaws in its chips. In its first public update after the surprise disclosure of the vulnerabilities by Israeli-based security firm CTS Labs, AMD said the issues are associated with the firmware managing the embedded security control processor in some of its products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.
AMD said that patches will be released through BIOS updates to address the flaws, which have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA. The company said that no performance impact is expected for any of the forthcoming mitigations.
AMD just needs to force MB makers to push out updates?? And down the road what about cpu bios updates that work on ANY MB?
This was nothing more than a poorly sourced hitpiece.
The list of vulnerabilities require administrator access. I doubt real security researchers would even consider that a vulnerability. There was nothing "disastrous" to report, and the claim by CTS Labs that it would "take 2 years to fix" the reported flaws was nothing short of outright lying. I wouldn't be surprised if Intel recently funded independent Israeli security researchers for goodwill.
That's ridiculous. A vulnerability is a vulnerability, and these vulnerabilities let a malicious actor install persistent, undetectable badware -- that's pretty fucking bad, IMHO. Yes, the vulns require admin rights, but it's not like there aren't plenty of ways of getting those; you can fool people to install/run something with admin-rights, there are plenty of sysadmins/repair-technicians/etc. who could install such badware on a system, state-sponsored actors almost definitely have a good bunch of unrelea
The real problem is that if someone were to get admin access, they could plant the malware where there was no way of finding it.
Still though, this was clearly a hit piece by CTS Labs in hopes of capitalizing on the fall out. The shorts must be crapping themselves. With how quickly AMD responded with fixes, my bet is that they already knew about it. For something this serious, you not only want to fix the problem, but test the living hell out of it to make sure you're not inadvertently breaking something
There was this Ars Technica-article at https://arstechnica.com/gadget... [arstechnica.com] that talks about it, but unfortunately the article doesn't mention any dates. It's a couple of weeks old now, so the microcodes have possibly started to circulate via Windows Update by now?