Four classes of security vulnerabilities exist in Ryzen and EPYC, says cyber-security firm.
So, if I understood this correctly, you either need local admin rights or physical access (and a possible BIOS passphrase?) to be able to take advantage of these vulnerabilities? Or does Chimera only require the signed driver to be loaded?
If so, these are nothing like as bad as Spectre and Meltdown, thankfully.
Also, it sounds like most of these can be fixed with firmware updates.
Jonj1611 (13-03-2018)
Coincidentally this has been released just before AMD is about to release the new Ryzen 2 chips.
Ummm... all these "exploits" require an admin to run or install something. This is beyond silly. I also think that this is an Intel-sponsored thing.
From what I've read I have to agree - a bit of hyperbole to frighten investors who won't bother to understand what it actually is. And an impossibly short notice period is just a joke - something is obviously malicious about it. Even the language used is strange, they're making wild assumptions and implying things they simply cannot know, and acting like security flaws are unheard of.
Jonj1611 (13-03-2018)
I think the only way you'd be able to guarantee doing this is to get physical access, find a root / admin unlocked terminal and have a rubber ducky ready at your disposal. I can't see these being exploitable remotely unless you have someone surfing some very dodgy websites on the admin login and you manage to exploit their horniness.
Maybe I'm just naive?
Millennium (13-03-2018)
So, where is the corresponding Intelflaws?? Maybe someone can investigate what links this company might have with Intel.
Hmm, they look rather dodgy too:
https://news.ycombinator.com/item?id=16576516
https://www.reddit.com/r/Amd/comment...en_epyc_chips/
There's far more damning evidence than that:
24 hour disclosure instead of industry standard 90/180 day
Domain records for "amdflaws.com" were created on Feb 22, 2018 for this "16 years in operation" company.
It was also registered not directly but by "domainsbyproxy.com" thus no real contact information of the domain is public. It was used by fraudsters before.
Amdflaws links to a YT video, with comments disabled
YT Channel with video was just March of this year
This sketchy "we might have economic interest by disclosing these vulnerabilities" from their disclaimer
Exploits have insane requirements like being able to defeat OEM BIOS flash protections and Windows' driver signing...
They talk about a company called Viceroy who does dodgy stuff:
https://m.fin24.com/Economy/treasury...kless-20180201
Cape Town – National Treasury has spoken out against Viceroy Research, labelling its report on Capitec as reckless.
Viceroy released a report on Capitec this week, labelling the bank a "loan shark" and alleged the bank "engaged in reckless lending".
In a statement released on Thursday afternoon, Treasury said: “Until two weeks ago, Viceroy operated anonymously and opaquely, and the reckless way in which it has released its report is clear proof that it is not acting in the public interest nor in the interest of financial stability in South Africa.”
Look who is trying to push AMD stock price down:
https://viceroyresearch.files.wordpr...3-mar-2018.pdf
AMD – The Obituary
Apparently they "wrote that" in a few hours.
Apparently there is concerted effort to push AMD stock price down:
https://www.thestreet.com/video/1446...ock-lower.html
TheStreet's founder and Action Alerts PLUS Portfolio Manager Jim Cramer said there's a concerted effort to keep shares of Advanced Micro Devices lower.
Another stinker from them:
https://amdflaws.com/disclaimer.html
Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.
From CNET:
https://www.cnet.com/news/amd-has-a-...aw-of-its-own/
The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing the report. Standard vulnerability disclosure calls for 90 days' notice so that companies have time to address flaws properly.
Second Edit!!
It only was started in 2017 - umm, wasn't 2017 when Intel/AMD were told of the Spectre/Meltdown flaws?
Last edited by g8ina; 17-03-2018 at 03:57 PM.
Tom's Hardware says "CTS-Labs released the information in an unusual fashion. Typically, semiconductor vendors are given 90 days to respond to vulnerabilities before they're disclosed to the public, but CTS-Labs provided AMD with only a 24-hour notice"
Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports
Hmmmmmm something-smells-fishy-and-it-certainly-isnt-fish.jpg
Half dev, Half doge. Some say DevDoge
Feel free to message me if you find any bugs or have any suggestions.
If you need me urgently, PM me
If something is/was broke it was probably me. ¯\_(ツ)_/¯
Yeah, this looks very suspicious to me also. I mean, look at amdflaws page. Someone worked a great deal of time on it to make it very nice and easy to read - that AMD has flaws...
To be sincere, this looks like a 1st of April joke.
I am 99% sure that this is just a scam or something...
To all of those that were singing AMD's praises when this came out about Intel a few weeks ago..
PAHAHAHAHAHAHAHAHHHAHAHAAHAHAHA!!!!11!!11!!!!11ONEONE!!!1!!111!!!1ONE!!!!ONEONEONE!!!!11!!!!!!!
Considering how obvious this is a sham and a smear campaign using "vulnerabilities" that can be exploited on any processor. Back into the box you go.
Next time, properly read the article and the thread, lest you make out yourself to be any more of a fool next time.
On topic, there is a disclaimer in the whitepaper discussing that the paper is only opinion and not subject to facts. There's some interesting investigations over on the AMD reddit.
Last edited by Tabbykatze; 13-03-2018 at 10:09 PM.