Security firm CTS Labs of Israel claims to have discovered 13 critical vulnerabilities in AMD processors, including its latest Ryzen chips.
This in itself is not totally shocking given the Spectre and Meltdown flaws. What may be more shocking is how CTS Labs handled their discovery. They released a whitepaper detailing the alleged AMD processor vulnerabilities only 24 hours after informing the manufacturer. Traditionally, when a security hole is discovered in a product, researchers give the manufacturers and designers 90 days to investigate the vulnerabilities themselves and develop patches before publishing.
Naturally, the sudden exposure of the AMD flaws led to significant controversy in the cybersecurity community.
AMD released a statement on the subject: “We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise.”
Ilia Luk-Zilberman—CTO of CTS Labs—released a statement in response to the criticism, explaining his actions in the context of the ease with which the faults were found and their severity: “It took time to set-up the working environment to start communication with the AMD Secure processor, but after reaching a full working setup and understanding of the architecture – we started finding vulnerabilities. One, and another and another. And not complex, crazy logical bugs, but basic mistakes – like screwing up the digital signatures mechanism.”
“The main problem in my eyes,” he continues, “with this model is that during these 30/45/90 days, it’s up to the vendor if it wants to alert the customers that there is a problem. And as far as I’ve seen, it is extremely rare that the vendor will come out ahead of time notifying the customers…The second problem is – if the vendor doesn’t fix it in time – what then?”