A set of vulnerabilities recently discovered in AMD chips is making waves not because of the scale of the defects, but rather because of the precipitation, ready to be marketed by the researchers. When was the last time a bug had its own professional shooting video and a PR representative, yet the affected business was only alerted 24 hours in advance? The flaws may be real, but the precedent set here is unsavory.
The flaws in question were discovered by CTS Labs, a cybersecurity research company in Israel, and received a catchy set of names: Ryzenfall, Masterkey, Fallout and Chimera, with associated logos, a dedicated website and a white paper describing them.
Up to now, quite normal: major bugs like Heartbleed and of course Meltdown and Specter also have names and logos.
The difference is that in these cases, the parties involved, such as Intel, the OpenSSL team and AMD, were discreetly alerted well in advance. This is the concept of “responsible disclosure”, and gives developers the first way to solve a problem before it becomes public.
There is a legitimate debate about the degree of control that large firms should exercise in advertising their own weaknesses, but generally, in the interest of user protection, the convention tends to be followed. In this case, however, the CTS Labs team presented its faults on AMD completely formed and with little warning.
The flaws discovered by the team are real, although they require administrative privileges to run a cascade of actions, which means that the use of the latter requires considerable access to the target system. The research describes some as backdoors deliberately included in chips by the Taiwanese company ASmedia, which partners with many manufacturers to produce components.
The requirement of access makes them much more limited than the likes of Meltdown and Specter, who exploited problems in the management of memory and architecture. They are certainly serious, but the way they were published has raised suspicions on the web.
Why the extremely non-technical video shot on green screen with stock backgrounds composed? Why tactics afraid to call the use of AMD in the military? Why do not bugs have CVE numbers, the standard tracking method for almost any serious problem? Why did AMD have so little time to answer? Why not, if the FAQ suggests, some fixes could be created in a few months, at least delay posting until they are available? And what is with the disclosure that CTS “may have, directly or indirectly, an economic interest in the performance” of AMD? This is not a common disclosure in situations like this.
(I contacted the PR representative for defects (!) For answers to some of these questions.)
It’s hard to shake the idea that there is some kind of grudge against AMD at play. This does not make the flaws less serious, but it leaves a bad taste in the mouth .
AMD issued a statement saying “We are studying this report, which we have just received, to understand the methodology and merit of the results.” Hard to do much more in a day.
As always with these big bugs, will the actual reach of their scope, severity, users or businesses be affected, and what they can do to prevent it? check the data.
Featured image: Fritzchens Fritz / Flickr