
AMD will release fixes for newly disclosed security flaws in the coming weeks

By Koh Wanzi - on 21 Mar 2018, 11:56am


AMD has finally released its findings on CTS-Labs’ report that its Ryzen and EPYC processors are vulnerable to no fewer than 13 security flaws.

In short, the vulnerabilities exist, despite the dubious nature of the disclosure and the questionable interview that CTS-Labs gave AnandTech.

CTS-Labs’ methods, its conduct, and some of the resulting media coverage also gave the impression that this was a malicious hit on AMD. Furthermore, no one had even heard of the Israeli security firm before this.

That said, AMD’s response appears to tie up pretty neatly what was a fairly messy affair.


To sum things up, an attacker would need admin access to exploit the vulnerabilities. The system in question would also already have to be compromised.

In addition, unlike the Spectre flaws plaguing chipmakers, the flaws reside in the firmware managing the embedded security control processor in the affected CPUs and the chipset, not the x86 architecture. This means they’re technically simpler to fix, and AMD will release BIOS updates and firmware patches via OEMs and ODMs. No CPU microcode updates are required.

AMD says that all issues will be addressed in the coming weeks, and the patches are not expected to have any performance impact.

In the same post, AMD’s Mark Papermaster also addressed the potential risk to enterprise systems. CTS-Labs initially made it seem like there was a serious enterprise-level threat, although it later walked this back somewhat in its interview with AnandTech, where it acknowledged the limited utility of the vulnerabilities.

In a similar vein, Papermaster had the following to say:

Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues.

AMD stopped short of releasing further details on the vulnerabilities, but it said that we can expect more information on the exploits and related mitigation plans in the coming weeks.

Source: AMD
