AMD Promises Ryzen Security Flaws Fix Within Weeks
Samuel Wan / 1 year ago
AMD Provides Comprehensive Response to Ryzen Security Flaws
Since launch last year, AMD’s new Ryzen processors have been a great success. Last week, however, a major hurdle popped up. A new report from security firm CTS revealed a series of 4 new exploits focused on Zen. At the time, CTS suggested that the vulnerabilities were game-changing. More troubling, the company only gave AMD 24 hours’ notice before going public. Due to the short timing, AMD is only now ready with its response. In great news for AMD users, the company will roll out patches within weeks.
First up, there are a few major takeaways for Chimera, Ryzenfall, Masterkey, and Fallout. First, the exploits are real and exist on AMD hardware. However, they require low-level, bare-metal administrative access, meaning virtual machines are safe. Next, all of the flaws relate to the AMD Secure Processor (PSP) and ASMedia chipsets and not to the Zen design itself. The fixes will come in the form of firmware and BIOS updates. More importantly, there is to be no performance impact at all. Finally, the exploits are unrelated to Spectre or Meltdown.
Quick AMD Response Raises Questions About CTS Disclosure
Given all of this information, the CTS disclosure looks abnormal. CTS first claimed that the exploits were so serious that they needed to be made public ASAP and that they were Zen hardware flaws. However, these exploits aren’t that serious, especially compared to earlier Intel ME and other TPM flaws. They also require direct access and not remote access like some Intel ME bugs. The ASMedia bug is also likely not limited to just AMD chipsets. Finally, since AMD is able to roll out fixes within weeks through software, the industry-standard 90-day disclosure period should have been followed. In fact, the short notice probably did users more harm than good.
Since the CTS report came out, there has been a lot of speculation about the motive. Viceroy Research, a stock-shorting firm, claimed within hours of the release that AMD would be dead within 30 days. The alarmist tone led critics to suggest that there was an unethical relationship between the two, though that has been denied. Other critics suggest a motive on Intel’s part to divert attention from Meltdown and Spectre, but there is no evidence of that. Whatever the case, the whole debacle has unfortunately only hurt the reputation of security researchers as a whole.