AMD downplays publicly disclosed security flaws, plans to release fixes in the coming...

[Shawn Knight]

AMD on Tuesday issued its first public update regarding security vulnerabilities involving select products publicly disclosed by Israeli-based security firm CTS-Labs on March 13. In today’s update, AMD said it has been working to rapidly assess the claims and develop mitigation plans where needed.

If you recall, AMD was given less than 24 hours notice prior to CTS going public with its alleged findings. The short turnaround sparked widespread criticism regarding potential motives behind the disclosure as standard practice in the security community is to give 90 days notice before going public.

Mark Papermaster, AMD’s senior vice president and chief technology officer, seemingly downplayed the matter, saying the security issues are not related to its Zen CPU architecture or the Google Project Zero exploits announced in early January. Instead, they are linked to the firmware managing the embedded security control processor (AMD Secure Processor) and the chipset used in some AM4 and socket TR4 desktop platforms.

He also pointed out that all of the issues raised by CTS require administrative access to a system, “a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings.”

Papermaster says that any attacker gaining unauthorized admin access “would have a wide range of attacks at their disposal well beyond the exploits identified in this research.” What’s more, he notes that all modern operating systems and enterprise-quality hypervisors have “many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues.”

Papermaster pointed to a “useful clarification” of the difficulties associated with successfully exploiting the issues in this post from Trail of Bits.

The chipmaker said it has completed its assessment and is already working on developing and deploying mitigations. Patches through BIOS updates are expected in the coming weeks and shouldn’t have an impact on performance, we're told.

Permalink to story.

https://www.techspot.com/news/73804-amd-downplays-publicly-disclosed-security-flaws-plans-release.html

 

[Evernessince]

I wasn't expecting fixes so quickly. It took Intel significantly longer but then again these aren't nearly as bad. I'm all for more security, even if these security flaws required admin access in the first place this will help protect users from themselves.

I'm still not a fan of how these were disclosed. The handling of these flaws by CTS was the worst I've ever seen.

 

[wiyosaya]

Flaws, yes, but nothing worth shorting stock over.

 

[nonews]

Ryzenfall!? sound like one of the Intel fanboy.

These guys had nothing better to do tried to play administrator to see what kind of damage they can wreak havoc on their system.

 

[Kotters]

The whole thing is a really shady affair. Incestuous relationships, convenient "leaks," and scaremongering language abound. GamersNexus has a good few videos on it.

 

[captaincranky]

I see this thread is going to turn into the same old sh!t. Intel can't do anything right, and AMD can't do anything wrong. Isn't that so, fanbois?

 

[Steve]

I see this thread is going to turn into the same old sh!t. Intel can't do anything right, and AMD can't do anything wrong. Isn't that so, fanbois?

To be fair these exploits were a bad joke, at least the way they beat AMD up over them. They knew very well if the standard 90 days was given this would never make the news as there'd be nothing to report. They admitted this was an attempt to manipulate share prices to profit.

"AMD downplays publicly disclosed security flaws" By down play we at TechSpot actually mean they addressed it, and bloody quickly as well.

 

[captaincranky]

Well @Steve Did anybody really expect chipzilla to play fair? Arguably Intel stepped in its own poop, by allowing these "flaws" to be "exposed". But then what could go wrong on this turf? Would they drive the people here who already hate Intel and already plan to buy AMD do it sooner? Not that much of a big deal in the grand scheme of things at Techspot

The fact remains that here, Intel can't do anything right, and AMD can't do anything wrong, even if or when that's not the case.

So, my post was in "advance response", to the string of pro AMD rhetoric responses surely to come.

If an AMD CPU doesn't benchmark as well as a comparable Intel unit, there will surely be an excuse of justification for it.The games that an AMD GPU plays better than an Nvidia card, are the only ones worth playing anyway.

Say it ain't so Steve.

...[ ]..."AMD downplays publicly disclosed security flaws" By down play we at TechSpot actually mean they addressed it, and bloody quickly as well.

I'll consider myself "schooled, in "reading between the euphemisms". .

 

[Steve]

Well @Steve Did anybody really expect chipzilla to play fair? Arguably Intel stepped in its own poop, by allowing these "flaws" to be "exposed". But then what could go wrong on this turf? Would they drive the people here who already hate Intel and already plan to buy AMD do it sooner? Not that much of a big deal in the grand scheme of things at Techspot

The fact remains that here, Intel can't do anything right, and AMD can't do anything wrong, even if or when that's not the case.

So, my post was in "advance response", to the string of pro AMD rhetoric responses surely to come.

If an AMD CPU doesn't benchmark as well as a comparable Intel unit, there will surely be an excuse of justification for it.The games that an AMD GPU plays better than an Nvidia card, are the only ones worth playing anyway.

Say it ain't so Steve.

I'll consider myself "schooled, in "reading between the euphemisms". .

Well maybe I should have said "we at TechSpot should mean..."

Anyway just ignore the AMD fanboys and just fanboys in general, that's what I do

 

[avioza]

I see this thread is going to turn into the same old sh!t. Intel can't do anything right, and AMD can't do anything wrong. Isn't that so, fanbois?

Sorry, team blue has to eat a little crow. If you were following the previous vulnerability discovery thread they were pretty quick to go for the jugular.

Intel still wins with the general public though since most people don't care that much about the details anyway.

 

[Evernessince]

I see this thread is going to turn into the same old sh!t. Intel can't do anything right, and AMD can't do anything wrong. Isn't that so, fanbois?

I think you are trying to make the right point on the wrong article. It's pretty widely concluded that the way the disclosure was done was very poorly.

Intel had damning information well in advance and decided to cash out on its customers instead of focusing on helping them and they tried to push blame to AMD. On the other side, AMD had zero forewarning of these security flaws and handled them quickly, despite have zero notice and being hit by a drive-by from the very company that claims to want to help them.

So yeah, Intel screwing customers over and pushing around blame is undoubtedly bad. If people are calling for the SEC to investigate Intel it should be obvious those business practices were dubious.

 

[Angga B]

I don't see any strongly determined local privileged administrator with unrestriced access able to hack INTO any system he use be it OS, hypervisor, database, drivers, connected devices, or even processors as FLAWS.

Heck, there are even legal competitions with rewardful bounty for any hackers given the required facilities/tools to break into any given system provided to them. And they do break, within hours if not days. On the other hand many advances in software and hardware require people to be able to HACK their system to make it worked with the new functions/system calls they desired to. At least during the development stage.

In that matter one can even call it as FEATURES.

Proof? XDA-Community. I enjoyed their magnificent works very much.

 

[Flebbert]

I am still very happy how quick this was realised with minimal impact to the stock market.

Thanks Steve for being over this, I know this was stock manipulation but happy with AMDs response as well. They didn't react but responded to the situation when they could have easily shot from the hip on this one.

 

[captaincranky]

I think you are trying to make the right point on the wrong article. It's pretty widely concluded that the way the disclosure was done was very poorly.

Point taken. I'm going to save this post to a text file, and lay in wait until the next AMD fanbois fiesta takes place, and repost it. (y)

Intel had damning information well in advance and decided to cash out on its customers instead of focusing on helping them and they tried to push blame to AMD. On the other side, AMD had zero forewarning of these security flaws and handled them quickly, despite have zero notice and being hit by a drive-by from the very company that claims to want to help them.

But then, Intel waiting to disclose their vulnerabilities couldn't have worked out better for AMD, since they already had their new processor line in place when it happened. It would would suck for AMD if they had to say, "well yeah, Intel CPUs have issues, but all we have to offer in lieu of them, is our 28 nm under performing space heaters", if you see my point

...[ ]...So yeah, Intel screwing customers over and pushing around blame is undoubtedly bad. If people are calling for the SEC to investigate Intel it should be obvious those business practices were dubious.

Well, people are always calling for the SEC to investigate something or other. But whimper as they will, nothing much ever happens, unless they catch somebody as dirty as Bernie Madoff.

How about after the Tesla Auto-pilot" crash, when Musk dumped a bunch of Tesla stock right afterwards. Did anything get done about that?

So, the SEC can pretty much investigate Intel all they want, and the crew here can b!tch about Intel's, "lack of politesse", all they want. At the end of the day, "Intel is too big to fail", just like those mean old banks. Sorry, but it's true.

Apple is "too big to fail as well". After all, that would put 100,000 Chinese out of work. Although 100,000 lost jobs in a country of over 1.4 billion, doesn't seem like a really big spike in China's unemployment rate, now does it?

 

[Puiu]

@Evernessince @captaincranky @everybodyelse
Both of you are making really good points, but I think it's best if we just move on now. No point arguing over nothing.
Intel does not fear any investigation and these flaws are not worth our time. Let's find a better topic to argue about.

 

[misor]

Not one desktop/laptop chipmaker is safe from vulnerabilities... I wonder on the mobile side if there are flaws in SOCs used in tablets and smartphones...

 

[Danny101]

Well @Steve Did anybody really expect chipzilla to play fair? Arguably Intel stepped in its own poop, by allowing these "flaws" to be "exposed". But then what could go wrong on this turf? Would they drive the people here who already hate Intel and already plan to buy AMD do it sooner? Not that much of a big deal in the grand scheme of things at Techspot

The fact remains that here, Intel can't do anything right, and AMD can't do anything wrong, even if or when that's not the case.

So, my post was in "advance response", to the string of pro AMD rhetoric responses surely to come.

If an AMD CPU doesn't benchmark as well as a comparable Intel unit, there will surely be an excuse of justification for it.The games that an AMD GPU plays better than an Nvidia card, are the only ones worth playing anyway.

Say it ain't so Steve.

I'll consider myself "schooled, in "reading between the euphemisms". .

Well maybe I should have said "we at TechSpot should mean..."

Anyway just ignore the AMD fanboys and just fanboys in general, that's what I do

I stick exclusively with AMD. Not because I think they're better but because it works for my budget. If they make a mistake, I would expect them to get raked over the coals and rightfully so. These days performance seems to be affected more by software than hardware and the wrangling over exclusive API agreements. I would hope the FTC would step in to determine malfeasance, if any. Whether you drive a Chevy or a Ford, the rules of the road is still the same.

 

[RaXoR]

Well @Steve Did anybody really expect chipzilla to play fair? Arguably Intel stepped in its own poop, by allowing these "flaws" to be "exposed". But then what could go wrong on this turf? Would they drive the people here who already hate Intel and already plan to buy AMD do it sooner? Not that much of a big deal in the grand scheme of things at Techspot

The fact remains that here, Intel can't do anything right, and AMD can't do anything wrong, even if or when that's not the case.

So, my post was in "advance response", to the string of pro AMD rhetoric responses surely to come.

If an AMD CPU doesn't benchmark as well as a comparable Intel unit, there will surely be an excuse of justification for it.The games that an AMD GPU plays better than an Nvidia card, are the only ones worth playing anyway.

Say it ain't so Steve.

...[ ]..."AMD downplays publicly disclosed security flaws" By down play we at TechSpot actually mean they addressed it, and bloody quickly as well.

I'll consider myself "schooled, in "reading between the euphemisms". .

AMD gets a lot of **** from consumers thanks to their poor performance prior to Ryzen. When the FX chips were around, everyone and their mom would spit on AMD's name and convince people to buy the cheapest i5 available. AMD is not perfect, but in the end they are more customer-centric than Intel. Intel has been known for pulling off anti-competitive and anti-consumer practices behind the scenes in order to cripple AMD's sales. Also Intel ****ed up big time with Spectre and Meltdown. They had potentially known about the problems for longer than the 90 day notice and failed to work on a solution up until the notice was disclosed to them. Let's not forget that one of Intel's CEOs sold most of his stock after learning about the exploits. All of it was disguised as "routine sell off of stock... blah blah." [https://arstechnica.com/information-technology/2018/01/intel-ceos-sale-of-stock-just-before-security-bug-reveal-raises-questions/] There's a good reason many people feel protective over AMD, they actually do deserve it and from the sounds of it, you're an Intel fanboy.

 

[Forebode]

Hopefully the fixes go better than Intel's (initial) fixes. Still, to this day, it's odd that there still are fanboys.

If you have the means(consistently), the timing, the need, and there's no recent negative implications... You're probably going with Intel. The only real bonus I see AMD having is supporting a single socket for such a long time. The idea that you can just upgrade the CPU, while perhaps not getting all the benefits (with older board chipset).. still getting enough to warrant the upgrade of a single part of the system.

If you're OK with a little less Speed, for a little cheaper price, for a lower overclock ceiling (even though 4ghz ryzen > 4ghz intel (but 5ghz intel > 4.1 ghz ryzen). And are OK with either games running slightly slower or play games that mostly run on the gpu.. Or have been burned by intel recently (7700k fiasco or security fix to cpu earlier that year bricking out of warranty chips). Or dislike that chips aren't soldered... AMD will be just fine.

Did AMD get the jump on Intel? Yes. | Does that mean Intel is garbage? No. | Intel had no real competition until recently, in the consumer market. There was little reason to push advancements to customers who had no other option. Now it's good on them to continue to work on new tech without releasing it. It allowed them to release an answer sooner than expected.

As for Graphics cards... The releases are staggered between the 2 companies. The newest card, per tier, should be better. So to say AMD (or NVID) is better with a card that's being released 4-8 months after the other company, should be a given, and if it falters or comes out even... that's bad. Hear that AMD? that's bad. The thing is, AMD knew it was bad, that's why they pivoted to pushing Freesync. Which is great.., not as good as Gsync.. It's still unclear to me why nvidia doesn't' adopt the tech and offer both technologies. The open tech of VESA-activesync for gamers and Gsync for premium gamers (or hardcore or whatever word would be better). Hopefully Nvid is just sitting on it for the day AMD is more competitive (and mining is no more, or greatly diminished).

 

[wiyosaya]

If the reports of the company shorting AMD stock are true, they have basically screwed themselves at this point. It is a classic case of trickster tricking himself. These problems, if they even warrant that moniker because you need to be at the hardware with administrative access, are going to be fixed with bios updates, where Intel's recent fiasco needs new silicon.

I have several pre-FX AMD builds, and an IVY-E Intel build. With new graphics cards, the IVY-E still has plenty of power as do my AMD builds. I've gone AMD in the past because I see them as the underdog worth, in most cases, my support. For me, it is about getting the best value for my money.

As I see it, this is hardly about fanboys. From my perspective, even an Intel fanboy would have to concede, especially if more evidence comes to light, that any hand Intel had in this is simply dirty business. I am right there with everyone who dislikes that to move forward with Intel at this time, I would would have to buy a new motherboard - that happened the generation after IVY-E for me.

But with pre FX AMD builds, I also have to buy new motherboards. If I were considering a new build at this point, it would be AMD TR or EPYC primarily because of fact that there are plenty of PCI-e lanes - which cost extra on Intel.

As I see it, it was nearly to be expected that Intel would run crying foul at AMD's advance. However, I also see it as Intel's own fault. The enthusiast community has made it known that they do not like buying a new motherboard every generation or so. Yet Intel kept doing the same thing. In addition, Intel's innovation has been nearly non-existent. My IVY preforms nearly as well as the latest generations from Intel. For me, there is no point in upgrading to next gen Intel or later since I am not after bragging rights.

The best thing that could come out of this is that Intel learns a lesson; however, I am not expecting that. I personally do not recall AMD raining on Intel's parade when Core 2 came out, but I may not recollect correctly. If I exclude value for my money, I prefer to go with the company that seems more ethical. At this point in time, it does not seem to be Intel.

It makes a lot of sense to me that if Intel is behind this, they went after EPYC since the server market is lucrative. However, I think it has backfired and may end up hurting Intel. In the hardware community in general, there are quite a few out there that know what they are doing. The only way this smear might have worked would have been if there were few in the hardware community that know what they are doing. To me, again assuming Intel's involvement, that just further shows what Intel thinks of its customers - that Intel's customers thinking of defecting to AMD might be naive enough to panic at a bunch of BS that has no real basis.

We might just see this kind of behavior coming from AMD at some point, but I hope not. For now, Intel has its foot in its mouth - at least as I see it. In the long run, that might be good for the CPU market because it could indicate that Intel has nothing really new in the forge at this time to compete with AMD. Whether Intel likes it or not, it is going to have to innovate - which I view as good for the CPU market.

 

[Kotters]

Sounds like CaptainCranky had taken a short position on AMD stock.

 

[captaincranky]

...[ ].... There's a good reason many people feel protective over AMD, they actually do deserve it and from the sounds of it, you're an Intel fanboy.

What I'm really a fan of, is listening to a bunch of juvenile responses like, "I'm not a fanboy, you're a fanboy, so there"!

As for the rest of your post, (which I edited out), all that amounts to is, "AMD good, Intel bad". Which is, after all, exactly what I predicted would happen, after I made my first post to this thread.

And well, y'all stepped in it. .

 

[Steve]

What I'm really a fan of, is listening to a bunch of juvenile responses like, "I'm not a fanboy, you're a fanboy, so there"!

Checkmate

 

[AMN3S1AC]

I see this thread is going to turn into the same old sh!t. Intel can't do anything right, and AMD can't do anything wrong. Isn't that so, fanbois?

To be fair these exploits were a bad joke, at least the way they beat AMD up over them. They knew very well if the standard 90 days was given this would never make the news as there'd be nothing to report. They admitted this was an attempt to manipulate share prices to profit.

"AMD downplays publicly disclosed security flaws" By down play we at TechSpot actually mean they addressed it, and bloody quickly as well.

It's a pity your original flamebait article was so irresponsibly researched and reported.

 

[Steve]

It's a pity your original flamebait article was so irresponsibly researched and reported.

I never wrote an article about this bud.