The Disclosure of AMD's Chip Flaws is Shrouded in Shadiness

An Israeli security house may take found 13 security flaws in AMD processors. The trouble? It only gave the chipmaker 24 hours to fix the vulnerabilities before making them public.

On Tuesday, CTS-Labs decided to disclose the bugs with a splashy website and fashionable graphics to kick. Still, the short disclosure time means that AMD itself is withal trying to confirm whether the vulnerabilities are existent.

"We are investigating this study, which nosotros merely received, to empathize the methodology and merit of the findings," AMD said in an email.

The situation is certainly not ideal; if real, the vulnerabilities probably have no immediate gear up. Why CTS-Lab ignored the standard practice of giving a vendor 90 days to accost the flaws isn't known. Only the incident raises questions over whether the Israeli security firm had the public's best interest in mind with Tuesday'southward disclosure.

To be clear, the vulnerabilities may indeed exist legit. One respected security researcher Dan Guido has verified the findings, although CTS-Labs did pay him for the work. These vulnerabilities take been found in AMD's Ryzen, EPYC branded chips, which are used in servers, desktops and laptop devices.

The most serious flaw deals with a security protection congenital into the processors. CTS-Labs claims a bad actor could exploit this vulnerability to permanently install malware on to the chips.

Ryzen Chip Flaws 2

Other flaws can let a hacker move from one compromised estimator to some other, gain access over the entire system, and execute malicious code. In addition CTS-Labs defendant the Ryzen chipsets of being shipped with manufacturer-created backdoors that tin can allow a bad actor inject malware similar a keylogger on to the afflicted reckoner.

Fortunately, there is some good news. Guido tweeted that all the vulnerabilities crave a hacker to first proceeds administrative privileges (or root access) to the computer. This can be done if the attacker can play a trick on you into installing some malware.

The other piece of good news is that the security firm CTS-Labs decided to redact the technical data around the vulnerabilities. This will help prevent hackers from exploiting the flaws. Simply on the flip side, outside experts accept had no style to quickly reproduce and confirm the findings.

CTS-Labs and then far hasn't responded to questions from PCMag about Tuesday's disclosure. The company is relatively unknown and was founded only in 2022.

Simply what'south articulate is that CTS-Labs took some time to develop its slick website about the vulnerabilities, which says the security firm revealed the problems to warn the public. It goes on to claim that AMD may need several months to fix the flaws.

However, that aforementioned website also includes a disclaimer that suggests CTS-Labs may stand to benefit financially from the Tuesday'due south disclosure past betting against AMD's stock.

"Nosotros may have, either directly or indirectly, an economical interest in the operation of the securities of the companies whose products are the discipline of our reports," the disclaimer says. (On the same twenty-four hours, one short seller also published a report, calling the uncovered flaws fatal to AMD'due south business.)

The whole episode is raising eyebrows across the Information technology security community. Jon Bottarini, a technical programme manager at issues bounty plan provider HackerOne, said the incident has been a case study in "what not to practice" when information technology comes to reporting security vulnerabilities.

"Responsible disclosure should be the prime directive for security researchers, and by but allowing AMD 24 hours to respond earlier CTS-Labs notified the press, CTS stood to exercise more harm than adept," he said in an email.

Others have pointed out that CTS-Labs tried to leverage printing coverage to promote the vulnerabilities, even as the flaws have however to be fully verified and understood.

"The only real public exploit hither at the moment is a press exploit. This situation should not be happening," wrote Kevin Beaumont, a Britain-based security proficient, in a blog post.