26 March 2018

CTS said the newly discovered flaws could compromise AMD's new chips that handle applications in the enterprise, industrial and aerospace sectors, as well as consumer products. Meanwhile, some security researchers are disputing the severity of the flaws, given that they require administrative access to systems. Masterkey, on the other hand, requires that "an attacker be able to re-flash the BIOS with a specially crafted BIOS update". In nearly every responsible vulnerability disclosure, companies are given at least 90 days to fix a flaw - a window that can be extended, if the discoverer agrees, when certain conditions are met. The important part is where the vulnerability exists in the chain, which the CTS Labs research paper does not detail. Several of them open the door to malware that may survive computer reboots and reinstallations of the operating system, while remaining virtually undetectable by most endpoint security solutions. "We will update this blog as news develops".

The real danger of these vulnerabilities is their pervasive nature. Questions are being raised about the researchers as well. This sentence in particular is a good example of the charged writing found throughout the paper.

The scenario is reminiscent of the unconventional disclosure of security flaws in heart implants manufactured by St Jude Medical in 2016. Instead of waiting a full year to reveal these vulnerabilities, CTS Labs made a decision to inform the public of its discovery.

AMD issued an initial statement saying that the company was investigating the report to understand the "methodology and merit" of the findings. This is a far cry from typical security research practice. However, the statement AMD provided to PCWorld implied that the company wasn't given the usual amount of time to investigate the vulnerabilities internally, which is typically about 90 days. Some have questioned whether that's exactly what CTS-Labs is trying to do. However, the presentation of these findings, and the way this information is being spread, is an issue. Critically, CTS-Labs says that Ryzenfall has the potential to "[expose] customer to the risk of covert and long-term industrial espionage". There are currently no publicly available patches for the issues, due in part to the fact that CTS Labs gave AMD little time to respond.

Chimera appears to be two sets of potential manufacturer backdoors affecting the Ryzen chipset.

Fraser Perring, a researcher with Viceroy, told CyberScoop that Viceroy received an advanced email with CTS Labs' research from an anonymous source.

Amid the frenzy among security researchers, the resounding note seems to be that these flaws, while potentially real, are hard to gauge without the full technical breakdown, which has not yet been published. "It is now believed that Viceroy Research had access to CTS Labs' information ahead of time and had its own PDF pre-written." Accessing the Secure Processor is done through a vendor-supplied driver that is digitally signed, the research group adds. With that in mind, it seems quite likely that Viceroy Research has a financial incentive to go after AMD. Luk-Zilberman previously ran a hedge fund, NineWells Capital Partners, based out of NY.

But the discovery and publication of these flaws have been met with ire from many high-profile names in the security community over how the researchers discovered and disclosed the flaws. Why was AMD given so little time to respond? It looks like this news caused a rather sharp downturn around 10.30am U.S. time (the news was published at 10am U.S. time), but the stock has more than recovered now.

CTS-Labs claims to have found 13 critical security vulnerabilities in AMD's chips. With that said, they are unlikely to be nearly as drastic and damning as they are being dressed up to be.

