“We have just received a report from a company called CTS-Labs, claiming that there may be security holes in our specific processor products. We are actively conducting investigations and analysis. This company AMD has never heard of, and unusually, The security agency directly disclosed its findings to the media, but did not give AMD reasonable time to investigate and solve problems.Safety is AMD's primary responsibility, and we continue to work hard to ensure the safety of our customers and respond to new security threats. Follow-up progress we will announce the first time."
It can be seen that AMD was caught off guard because of sudden incidents, especially if the discovery of these loopholes did not advance notice and give a quiet period of 90 days in line with industry practice. At present, it is impossible to fully confirm the authenticity of these loopholes.
Even if there are really loopholes, this matter seems very strange.
Foreign authoritative hardware mediaAnandTechIn reporting this matter, it first put forward a series of queries:
1. CTS-Labs gave AMD only 24 hours to know where the problem was. The industry standard was to contact the company in advance after the vulnerability was discovered, and it would take 90 days for it to be open to the public in order to fix the problem. Disclosure of technical details of loopholes.
2. Prior to informing AMD and making public, CTS-Labs first contacted some media to inform them of the situation.
3. CTS-Labs has just been established in 2017 and its qualifications are still shallow. This is just their first public safety report and it has not disclosed any of its customers.
4, CTS-Labs does not have its own official website, announced this vulnerability but specifically established a website called AMDFlaws.com, or just registered on February 22.
5, from the site layout, it looks like it has been prepared in advance for a long time, did not consider AMD's response.
6. CTS-Labs also employs a public relations company to respond to industry and media contacts. This is not a normal security company style.
AnandTech sent an e-mail inquiry to CTS-Labs for these questions and has not received any response.
Many people may be compared to the Meltdown Blowout and Spectre Ghost Vulnerabilities that have recently been buzzing, but the latter has long been recognized by authoritative security groups such as Google, and it has been the first time with Intel, AMD, ARM,Microsoft,AmazonAnd so on, related companies in the industry have made contact and communication to solve the problem. Finally, media explosions are accidental exposures, and it was very close to the lifting of the ban.
It is also worth noting that the vulnerabilities of this exposure are all related to the security coprocessor (ARM A5 architecture module) and chipset (Xiao Shuo outsourced to AMD) of the AMD Zen processor, and the Zen microarchitecture itself. No relationship, not a core level issue.
There are also media reports that if an attacker wants to exploit these vulnerabilities, he must obtain administrator privileges in advance before he can install malicious software through the network. The degree of harm is not the highest, and belongs to the second-class vulnerability.
In the past year, AMD processors can be said to be in full swing. They have continuously made rapid progress in various fields and have been widely recognized by the industry and users. Now that the second-generation Ryzen CPU is about to be released, suddenly there is such a very strange loophole. What is behind the unknown story? It is really worth pondering.
As we progress, we will continue to pay attention.