AMD investigating chip security flaws after less than 24 hours notice

For hours after the security research was first published, it wasn't clear if the flaws were even real.
Written by Zack Whittaker, Contributor

(Image: file photo)

AMD is investigating a report that claims several of the company's processors are vulnerable to more than a dozen security flaws.

The chipmaker said in a statement Tuesday that it is "actively investigating and analyzing" findings by CTS Labs, a largely unknown Tel Aviv-based cybersecurity startup founded last year.

Hours earlier, the startup posted a website, a research paper, and a video describing 13 vulnerabilities, which it had branded Ryzenfall, Master Key, Fallout, and Chimera, which it's claimed could allow attackers to obtain sensitive data from AMD's Ryzen and EPYC processors, used on millions of devices.

Specifics of the vulnerabilities were not specified in detail in the whitepaper, leading many to approach with caution and skepticism.

What is known is that the flaws are not easily exploited -- an attacker must gain administrative privileges first, which can be obtained using malware to escalate a logged-in user's privileges. That level of access means a machine is already compromised.

Sister site CNET has the full rundown of each set of vulnerabilities.

But the discovery and publication of these flaws has been met with ire from many high profile names in the security community for how the researchers discovered and disclosed the flaws.

The researchers gave AMD less than 24 hours to examine at the vulnerabilities and respond before publishing their report. In almost every responsible vulnerability disclosure, companies are given at least 90 days to fix a flaw -- which can be extended, if agreed to by the discoverer, if certain conditions are met.

In the case of Meltdown and Spectre, the other most recent round of chip vulnerabilities that impacted Intel, ARM and some AMD chips, researchers gave the manufacturers more than six months to issue fixes and patches.

AMD threw shade at the firm, saying it was "unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings."

Hours after the research was first published, security researcher Dan Guido confirmed that the bugs were real, after the research team had contacted him to review their work

"Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works," he said in a tweet.

He told ZDNet that he believes that he is so far "the only one that's seen" specifics of the vulnerabilities.

Up until shortly before this article was published, it wasn't clear if the vulnerabilities were even real.

The findings had security researchers on edge all day. One security professional told me that the manner in which this report was released has only made researchers suspicious of the company, the findings, but also the researchers' motives.

Reddit went into full "conspiracy man" mode, calling the legitimacy of the company into question.

Guido's remarks give credence to the validity of the research, but how the Israeli research firm approached disclosure will be remembered as a lesson in how not to publish security research.

Editorial standards