Security researchers find flaws in AMD chips but raise eyebrows with rushed disclosure

科技动态 TechCrunch (源链)

A newly discovered set of vulnerabilities in AMD chips is making waves not because of the scale of the flaws, but rather the rushed, market-ready way in which they were disclosed by the researchers. When was the last time a bug had its own professionally shot video and PR rep, yet the company affected was only alerted 24 hours ahead of time? The flaws may be real, but the precedent set here is an unsavory one.

The flaws in question were discovered by CTS Labs, a cybersecurity research outfit in Israel, and given a set of catchy names: Ryzenfall, Masterkey, Fallout, and Chimera, with associated logos, a dedicated website, and a whitepaper describing them.

So far, so normal: major bugs like Heartbleed and of course Meltdown and Spectre got names and logos too.

The difference is that in those cases the affected parties, such as Intel, the OpenSSL team, and AMD were quietly alerted well ahead of time. This is the concept of “responsible disclosure,” and gives developers first crack at fixing an issue before it becomes public.

There’s legitimate debate over just how much control big companies should exert over the publicity of their own shortcomings, but generally speaking in the interest of protecting users the convention tends to be adhered to. In this case, however, the CTS Labs team sprang their flaws on AMD fully formed and with little warning.

The flaws discovered by the team are real, though they require administrative privileges to execute a cascade of actions, meaning taking advantage of them requires considerable access to the target system. The research describes some as backdoors deliberately included in the chips by Taiwanese company ASmedia, which partners with many manufacturers to produce components.

The access requirement makes these much more limited than the likes of Meltdown and Spectre, which exploited problems at the memory handling and architecture level. They’re certainly serious, but the manner in which they have been publicized has aroused suspicion around the web.

Why the extremely non-technical video shot on green screen with stock backgrounds composited in? Why the scare tactics of calling out AMD’s use in the military? Why don’t the bugs have CVE numbers , the standard tracking method for nearly all serious issues? Why was AMD given so little time to respond? Why not, if as the FAQ suggests, some fixes could be created in a matter of months, at least delay the publication until they were available? And what’s with the disclosure that CTS “may have, either directly or indirectly, an economic interest in the performance” of AMD? That’s not a common disclosure in situations like this.

(I’ve contacted the PR representative listed for the flaws (!) for answers to some of these questions.)

It’s hard to shake the idea that there’s some kind of grudge against AMD at play. That doesn’t make the flaws any less serious, but it does leave a bad taste in the mouth.

AMD issued a statement saying that “We are investigating this report, which we just received, to understand the methodology and merit of the findings.” Hard to do much else in a day.

As always with these big bugs, the true extent of their reach, how serious they really are, whether users or businesses will be affected, and what they can do to prevent it are all information yet to come as experts pore over and verify the data.

Featured Image: Fritzchens Fritz / Flickr


Node.js Security Release Summary – March 201... Today, there was a security release for all active Node.js release lines . At time of publishing, several vulnerabilities ranging from very low...
How to Get Your Smart Home Started on the Right Fo... While people who work in technology may recognize how interconnected their personal lives have become, those from other sectors may still be clueless....
Newest Galaxy S8 Oreo build brings Dolby Atmos aud... Before the Android community goes crazy over the Galaxy S9 duo, Samsung is set to release Android Oreo beta updates for the Note 8 and Galaxy S8 phon...
Singapore calls for public feedback on proposed cy... The bill will enable the Cyber Security Agency of Singapore to take a more proactive and holistic approach to tackle cyberthreats. Singapore is seek...
Radware:服务提供商应该如何帮助企业保护数据安全?... 大型、小型、公有、私有、政府、零售、B2B、非盈利组织,黑客不关心被攻击企业的规模或业务。他们正在利用复杂的多矢量DDoS攻击袭击全球网络,试图获取可以从中获利的任何数据。 企业都称自己并没有做好防御这些复杂攻击的准备。一份来自Radware紧急响应团队的报告指出,43%的企业都承认他们没有做足...
TechCrunch责编内容来自:TechCrunch (源链) | 更多关于

本站遵循[CC BY-NC-SA 4.0]。如您有版权、意见投诉等问题,请通过eMail联系我们处理。
酷辣虫 » Security researchers find flaws in AMD chips but raise eyebrows with rushed disclosure

专业 x 专注 x 聚合 x 分享 CC BY-NC-SA 4.0

使用声明 | 英豪名录