www. O S N E W S .com
News Features Interviews
BlogContact Editorials
Security researchers publish Ryzen flaws
By Thom Holwerda on 2018-03-14 00:49:51

Through the advent of Meltdown and Spectre, there is a heightened element of nervousness around potential security flaws in modern high-performance processors, especially those that deal with the core and critical components of company business and international infrastructure. Today, CTS-Labs, a security company based in Israel, has published a whitepaper identifying four classes of potential vulnerabilities of the Ryzen, EPYC, Ryzen Pro, and Ryzen Mobile processor lines. AMD is in the process of responding to the claims, but was only given 24 hours of notice rather than the typical 90 days for standard vulnerability disclosure. No official reason was given for the shortened time.

Nothing in technology is safe. As always, my advice is to treat any data on a phone or computer as potentially compromisable.

 Email a friend - Printer friendly - Related stories
Post a new comment
Read Comments: 1-10 -- 11-20 -- 21-29
By Poseidon on 2018-03-14 01:11:40
In the grand scheme of things, expected, and not as huge deal like Intel's Os inside the CPU that can be exploited to get access to everything without anyone knowing and heavy spectre and meltdown vulnerabilities.
Permalink - Score: 2
Comment by ssokolow
By ssokolow on 2018-03-14 01:19:29
The commenters on the Phoronix forums and the people on Reddit who they linked to already made a very convincing case that this is a team of three scammers trying to short AMD stock.


1. The companies have never been heard of before, except for one of them having gotten in trouble for this kind of thing before.

2. The video they posted is green-screened against stock video backgrounds that the Reddit users tracked down.

3. They only gave AMD 24 hours to respond.

4. Once you get past what a time-strapped reporter is likely to read, their websites are meaningless marketing speak and compilations of copy-pastes from security best-practices guides.

5. Very unusually, their disclosure document is written in CFO buzzword speak.

6. If I read it correctly, the "vulnerabilities" are all overblown things which are analogous to the reports Raymond Chen calls out periodically on The Old New Thing for reducing down to "If you let someone through the air-tight hatchway between un-privileged and privileged, they can cause problems."

Here are some of the links I mentioned:


Edited 2018-03-14 01:22 UTC
Permalink - Score: 25
RE: Comment by ssokolow
By acobar on 2018-03-14 01:37:54
Exactly what I was going to post.

I really disavow these days where every news channel regurgitates "facts" before checking them.

Rush-rush is a stupid strategy to follow that is causing a lot of trouble on our societies.

Really hope that, somehow, laws grow terse about "fake news" all around the world and punishment get tough.
Permalink - Score: 7
Nothing with administrator privileges is safe
By kwan_e on 2018-03-14 01:40:41
> Nothing in technology is safe.

But from the article

> All of the exploits require elevated administrator access, with MasterKey going as far as a BIOS reflash on top of that.

Technology is actually remarkably safe when basic security practices are adhered to, like not making admin privileges easy to get in the first place.
Permalink - Score: 7
4 kids in a garage
By unclefester on 2018-03-14 01:41:34
CTS-labs was founded in 2017. It is just four kids in a garage looking for cheap publicity.
Permalink - Score: 4
RE: 4 kids in a garage
By kwan_e on 2018-03-14 02:02:26
> CTS-labs was founded in 2017. It is just four kids in a garage looking for cheap publicity.

While CTS-labs is definitely shady, what about that page says they're just four kids? Do you have any information that says they're lying about their credentials? By linking to that page, you're helping them, not discrediting them.
Permalink - Score: 4
Nothing is safe?
By judgen on 2018-03-14 02:31:12
If i have a database server not connected to the internet and that has been running for 30 years, you are going to tell me that it is not safe. The attack vector on os2 via satelite is very small. And the exploits are mostly forgotten.

Edited 2018-03-14 02:33 UTC
Permalink - Score: 1
RE: Yep
By Kochise on 2018-03-14 04:15:57
Yet Intel's vulnerabilities have been confirmed not to impact AMD cpus, at least not as much. I can understand that AMD might not be the white knight and exempt from flaws, sure its architecture may present quirks as well because sheer complexity of that thing, but come on...

Cpus were vulnerable before it was cool, so there is no magic here, of course people will discover things by scratching the surface. That's why, for instance, editors legally prevent you from disassembling their software in case you might see the dirt under the rug.

Anyway, having various architectures out there is not only good for competition but also prevent cpus monoculture, hence limit impact on exploits. I wish there would be more mips, risc-v, sh-4, 68k out there to give Intel and AMD a friendly little poke.
Permalink - Score: 3
Comment by viton
By viton on 2018-03-14 04:32:13
They tried to look serious like Spectre/Meltdown, but in reality they look ridiculous. If an attacker can reflash your BIOS or already have admin privileges, it’s all over.
Permalink - Score: 10
RE: Comment by viton
By viton on 2018-03-14 05:11:17
There is a good breakdown of this scam

Permalink - Score: 8

Read Comments 1-10 -- 11-20 -- 21-29

Post a new comment



Your comment

If you do not have an account, please use a desktop browser to create one.
LEAVE SPACES around URLs to autoparse. No more than 8,000 characters are allowed. The only HTML/UBB tags allowed are bold & italics.
Submission of a comment on OSNews implies that you have acknowledged and fully agreed with THESE TERMS.
News Features Interviews
BlogContact Editorials
WAP site - RSS feed
© OSNews LLC 1997-2007. All Rights Reserved.
The readers' comments are owned and a responsibility of whoever posted them.
Prefer the desktop version of OSNews?