Technology

AMD Gets Less Than A Day’s Notice To Fix Spectre-like Security Flaws

AMD, CTS-Labs
TheDigitalWay / Pixabay

AMD had relatively less exposure to the Meltdown and Spectre flaw compared to Intel. However, an Israeli firm now claims that it has found 13 critical vulnerabilities in AMD’s Ryzen processor and EPYC chipsets. EPYC processors are found in servers, while Ryzen chips power desktop and laptop computers.

The vulnerabilities were disclosed on Tuesday by CTS Labs. According to the researchers, these vulnerabilities could allow hackers access to sensitive data across millions of devices. The said flaws are located in the part of the processors where the device usually stores sensitive data like passwords and encryption keys, notes CNET.

“You’re virtually undetectable when you’re sitting in the secure processor,” said CTS Labs co-founder and Chief Financial Officer Yaron Luk-Zilberman. “An attacker could sit there for years without ever being detected.”

CTS Labs, which was founded just last year, revealed the flaw by posting a website (named amdflaws.com), a video, and a research paper. The Tel Aviv-based cybersecurity startup referred to the vulnerabilities as Ryzenfall, Master Key, Fallout, and Chimera.

One good thing, however, is most of these vulnerabilities would need administrative access, i.e., the hacker would first need to control the system. What was interesting to note was that the security firm gave AMD only 24 hours to fix the flaws before making them public.

The short disclosure time meant that AMD might not have had enough time to confirm the vulnerabilities itself.  In a statement, the chip maker said, “We are investigating this report, which we just received, to understand the methodology and merit of the findings.”

Even if the vulnerabilities are real, it would take some time for the chip maker to come up with the fix, thus leaving millions of devices vulnerable. One independent and respected security researcher, Dan Guido, has confirmed the vulnerabilities in AMD chips, but he was paid by CTS Labs to carry out the work, notes PC Mag.

“Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works,” he tweeted.

Why CTS Labs ignored the standard practice of giving a vendor a 90 day window to address the flaws isn’t very clear. It may be that CTS Labs could benefit financially from Tuesday’s disclosure by taking a position against AMD’s stock, according to PCMag.

A disclaimer on the website that disclosed the flaw read: “We may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.” One short seller even published a report, referring to the flaws as crucial to AMD’s business.

Further, CTS Lab’s extremely short disclosure time also raises a question over the Israeli firms’ intentions, i.e., if it had the public’s best interest in mind while making the disclosure.  Many big names in the security community have criticized the way the Israeli firm discovered and disclosed the flaws. It must be noted that Google researchers gave Intel six months to fix the Spectre and Meltdown flaws.

AMD too took a jab at the security firm saying it is very unusual for “a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings.”

However, one good thing that CTS Labs did was to redact the technical information around the vulnerabilities. This will hopefully prevent hackers from exploiting the vulnerabilities. On the other hand, it will also slow third-party experts in confirming the flaws and coming up with the fix.

The latest vulnerability follows the Meltdown and Spectre that created havoc earlier this year. The flaws mainly affected PCs dating back two decades, carrying chips from Intel and ARM. When these flaws were first revealed, AMD said design differences saved its chips from getting affected.

As of now, it is not clear how much time it will take AMD to patch the vulnerabilities. According to CTS Labs, it has still not heard anything from AMD, and researchers claim it could take months to fix the vulnerabilities, notes CNET.

If the latest vulnerabilities are anything near to the Meltdown and Spectre, then AMD would surely have to work very hard to patch the issues. Intel and Microsoft are still managing patches for the Meltdown and Spectre considering the initial patches they released caused more problems than solving them.