AMD confirms chip vulnerability, says report exaggerated danger
(Bloomberg) -- Advanced Micro Devices Inc., Intel Corp.’s main rival in computer microprocessors, said a report earlier this month alleging that its chips have widespread, fundamental vulnerabilities greatly exaggerated the severity of the threat.
There are 13 potential exploits that will be fixed within weeks through software updates, the chipmaker said Tuesday in a statement. There’s no evidence that of any of those holes has been used for malevolent purposes, and it would be extremely difficult to use any of them to attack computers, the Sunnyvale, California-based company said. AMD saw reports of unusual trading activity in its stock about a week ago when an Israeli company called CTS Labs went public with a report on the flaws and has reported it to the relevant authorities.
The chip industry was stung at the beginning of the year when Alphabet Inc.’s Google revealed that a flaw in all modern microprocessors may allow hackers to steal data such as passwords or encryption keys previously thought to be secure. AMD argued at the time that its chips were less at risk than those from Intel, which dominates the market for computer microprocessors.
“It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system,” AMD’s Chief Technology Officer Mark Papermaster said in the statement, referring to the recent report. “Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research.”
The issue isn’t related to the vulnerabilities Google identified in January and isn’t caused by AMD’s Zen architecture, a new design that underpins all of its new chips, AMD said in its statement. The chipmaker said that, unlike the more widespread Spectre and Meltdown issues identified in January, software fixes for the currently discovered vulnerabilities won’t slow down computers.
On March 12, CTS Labs contacted AMD about the potential exploits. Then the firm went public 24 hours later with its report, according to AMD.
“The vulnerabilities we have discovered allow bad actors who infiltrated the network to persist in it, surviving computer reboots and re-installations of the operating system, while remaining virtually undetectable by most endpoint security solutions,” CTS said in the report. “This allows attackers to engage in persistent virtually undetectable espionage, buried deep in the system and executed from AMD’s Secure Processor and chipset.”
CTS estimated that it would take “many months” to address the issue. The researcher didn’t give AMD that amount of time to fix the holes before drawing public attention to them, something that goes against standard practice in these situations.
“I fault CTS Labs for not following industry-standard coordinated disclosure procedure,” said Ben Gras, a researcher at Vrije University in Amsterdam who focuses on hardware security flaws. “A widely accepted practice in these situations is to coordinate with the vendor and affected parties during a window of confidentiality before publicizing security sensitive information, reducing the impact of the research while still maintaining transparency. As it stands, this leads me to believe they are not acting in good faith, and make me interpret other aspects of this report skeptically.”
--With assistance from Jeremy Kahn and Gwen Ackerman