AMD admits to new batch of critical processor flaws and promises fixes
AMD has confirmed that some of its processors contain vulnerabilities after they were found by CTS Labs researchers. In all, 13 critical flaws were found, including RyzenFall, MasterKey, Fallout and Chimera. They affect a range of AMD products.
The flaws are not dissimilar to the previous Meltdown/Spectre vulnerabilities, and CTS Labs gave AMD just 24 hours' notice before going public. The chipmaker says that patches are on the way, and tries to suggest that the vulnerabilities are not a cause for major concern.
In a statement posted on its website today, AMD says: "On March 12, 2018, AMD received a communication from CTS Labs regarding research into security vulnerabilities involving some AMD products. Less than 24 hours later, the research firm went public with its findings. Security and protecting users’ data is of the utmost importance to us at AMD and we have worked rapidly to assess this security research and develop mitigation plans where needed. This is our first public update on this research, and will cover both our technical assessment of the issues as well as planned mitigation actions."
The company says that it is already working on patches which will be released "in the coming weeks".
AMD goes to some lengths to try to downplay the severity of the vulnerabilities which have been detailed online:
It's important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings. Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues.
Mark Papermaster, AMD's Senior Vice President and Chief Technology Officer, says that the patches will take the form of BIOS updates. He stresses that -- unlike the Spectre and Meltdown patches -- these will not result in a performance hit.