AMD’s CTO Mark Papermaster released a blog post which both acknowledges the security vulnerabilities first shown by a CTS Labs report last week, while also laying the foundation how they would be addressed.
Though the company had already acknowledged the report, and at least one other independent security company validated the claims, we had yet to hear from AMD officially on the potential impact and what fixes might be possible for these concerns. At same time, many question if CTS Labs may want to aid AMD short sellers in many a fast buck.
Papermaster in the blog post calls out the short period of time AMD was given with this information, quoting “less than 24 hours” from the time it was notified to the time the story was public on news outlets and blogs across the world. It is important to detail for some that may not follow the security landscape clearly that this has no relation to the Spectre and Meltdown issues that are affecting the industry and what CTS did find has nothing to do with the Zen architecture itself. Instead, the problem revolves around the embedded security protocol processor. While this is an important distinction, to many customers this some like engineering PR speak.
AMD states that it has “rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations.” Rapidly is an understatement – going from blindsided to an organized response is a delicate process and AMD has proven its level of sincerity with the priority it placed on this.
The post points out that “any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research.” Which is very true. If you give someone admin and/or physical access to a machine, you are giving away the keys to the kingdom
AMD provides a breakdown of the vulnerabilities, the potential impact of the security risk, and what the company sees as its path to address them. Both sets that affect the secure processor in the Ryzen and EPYC designs are addressable with a firmware update for the secure unit itself, distributed through a standard BIOS update.
When it comes to the Promontory chipset issue, AMD is utilizing a combination of a BIOS update and further work with ASMedia to further enhance the security updates.
Click To Enlarge
The net take away is AMD has acted fast and clearly address the issues raised. In, short, the AMD family of CPUs and APUs are still great choices and safe choices to buy and use.
CTS Labs never spoke to AMD bfore releasing the report. That is a common practice in the industry. Instead they released a press release with all the right buzzwords to cause hype and hysteria. Many have questioned if the real goal was not computing safety but to profit in stock-shorting scheme.