AMD confirms microcode vulnerability revealed in beta BIOS update

Skye Jacobs

What just happened? AMD has confirmed a security vulnerability in some of its processors, which was inadvertently revealed through a beta BIOS update from Asus. The flaw, described as a "microcode signature verification vulnerability," came to light before AMD could officially disclose it, sparking concerns in the cybersecurity community.

The vulnerability was first noticed by Tavis Ormandy, a security researcher at Google's Project Zero. Ormandy spotted a reference to the flaw in the release notes of an Asus beta BIOS update for one of its gaming motherboards. "It looks like an OEM leaked the patch for a major upcoming CPU vulnerability," Ormandy wrote in a public mailing list post.

AMD has since acknowledged the issue. The company has not yet specified which of its products are affected but has indicated that mitigations are being developed and deployed.

The vulnerability appears to be related to the microcode and seems to circumvent the process that ensures only official, AMD-signed microcode can be loaded into the processor. Exploiting this vulnerability requires not only local administrator access to the targeted system but also the capability to develop and execute malicious microcode, according to AMD. This high bar for exploitation suggests that while the vulnerability is serious, it's not something that could be easily weaponized by casual attackers.

While the full extent of the vulnerability's impact is not yet known, security experts have begun speculating about its potential consequences. Demi Marie Obenour, a software developer for Invisible Things, suggested that if an attacker could load arbitrary microcode, they might be able to compromise critical security features such as System Management Mode (SMM), Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP), and Dynamic Root of Trust for Measurement (DRTM).

The recent discovery of a microcode signature verification vulnerability is not an isolated incident. Over the years, AMD has faced several security challenges across its product lines.

In March 2018, researchers from CTS Labs uncovered a series of vulnerabilities affecting AMD's Ryzen and Epyc processors. These flaws, collectively known as RYZENFALL, MASTERKEY, CHIMERA, and FALLOUT, posed security risks to both consumer and enterprise-grade processors. Exploiting the vulnerabilities required administrative access, according to AMD.

In August 2024, a more widespread vulnerability named "Sinkclose" was disclosed. This flaw in the System Management Mode potentially exposed hundreds of millions of devices to security risks. In this case, exploiting the vulnerability required kernel-level access, making it a threat primarily to "seriously breached systems," AMD said at the time.


 
That is the same thing I said.
That depends on how you read it. There is nothing wrong with being a fan of something. However the term "fanboi/fanboy" was coined to highlight the difference between normal people and the people who berate brands/companies/etc out of a desire to tear them down or out of malice.
 
I am well aware of what a fanboy is. Someone often characterized by intense loyalty to a brand, franchise, or idea. However, the true meaning goes beyond simple admiration. At its core, being a fanboy reflects a deep emotional connection, where personal identity and pride are interwoven with the thing one admires. It speaks to a passion that can fuel creativity, community, and belonging.

But this same devotion can sometimes create blind spots, where constructive criticism is dismissed, and alternative views are outright rejected. When enthusiasm turns into stubborn devotion, it risks isolating individuals and overshadowing the object of admiration itself. True fandom, on the other hand, allows room for appreciation, growth, and balanced perspectives.

I am also at the understanding of normal. Normal is a concept both universal and deeply personal. It reflects what society deems typical or expected, yet it is shaped by culture, experience, and individual perspective. What feels normal to one person may seem strange to another, highlighting the fluid and subjective nature of the word.

Normal isn’t just about fitting in, it’s a moving target, evolving as we grow and as the world around us changes. It can be comforting, but it can also limit, encouraging conformity while discouraging the extraordinary. To truly understand 'normal,' we must acknowledge its duality: both its grounding stability and its potential for restriction.

I simply made a comment of here comes the Intel fans to jump all over the issue. Just like AMD fans tend to "tear down" Intel. It's a "norm" on TS.

My comment did not need policing, it was simple sarcasm.
But feel free, police away.
 
Wow. Over-reaction much? CTHO.
 