Archive for AMD

AMD And Microsoft Kick Out Fixes For Spectre

Posted in Commentary on April 12, 2018 by itnerd

AMD has begun rolling out microcode updates for its processors affected by the Spectre vulnerability, specifically variant 2 of Spectre. The microcode has been supplied to PC and motherboard makers to include in upcoming BIOS updates, which I am going to guess will drop fairly quickly. On top of that, it will cover AMD processors going back to 2011.

You should also note that even with the BIOS update, you will need a patch from Microsoft as well. They’ve released an update in the form of KB4093112, which also includes special OS-level patches for AMD users with regard to the Spectre v2 vulnerability.

Thus, I’d be checking your motherboard manufacturer’s website and Windows Update for these updates.


AMD Comments On Chip Flaws: Nothing To See Here

Posted in Commentary on March 21, 2018 by itnerd

AMD has finally commented on the security flaws in its Epyc, Ryzen, Ryzen Pro, and Ryzen Mobile chips, identified in a frankly dodgy manner by CTS Labs a week ago. In a post on the AMD website on Tuesday, Mark Papermaster, senior VP and CTO of AMD, had this to say. Oh as an aside, if the name sounds familiar to frequent readers of this blog, this is why:

It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings. Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues

At least we know these flaws are real now. But in AMD’s opinion you would have to be highly skilled to exploit these flaws. In short, there’s nothing to see here. But they’re still going to be fixed via firmware updates that are coming real soon now. No timeframe on those fixes just yet. But it appears to be a measured response. Far more measured than how these bugs were disclosed by CTS Labs, who wasn’t mentioned once in the post. That tells you all you need to know about what AMD thinks of CTS Labs.

 

Linus Torvalds Calls Out CTS Labs Report Of AMD CPU Flaws….. So What Is The Truth About This?

Posted in Commentary on March 15, 2018 by itnerd

Earlier this week I told you about a company called CTS Labs who went public with flaws that are allegedly in AMD CPUs after only giving AMD a day to respond. Then they explained why they went that route yesterday, which left me calling “BS” on their explanation. But now things have gotten real with Linus Torvalds basically calling the company and their report out on Google+. I encourage you to scroll through the entire discussion as it is very interesting, but here are some screenshots of some highlights involving the man himself in chronological order:

[Screenshots: four excerpts of Linus Torvalds’ comments from the Google+ discussion]

Tell us how you really feel Linus.

But in all seriousness, he makes some very good points in ways that only he can make them. Which is entertaining to read. While I didn’t consider the stock manipulation part, I did say this yesterday:

The cynic in me says that this company who nobody had heard of before yesterday was looking for a way to get their name in the news. So when they tripped over this issue…. Assuming that this discovery is accurate of course seeing as AMD hasn’t yet confirmed it…. They went into “beast mode” to create a slick website with equally slick videos to get their message out before speaking to AMD and giving them a day to respond. Of course knowing that they could not respond that quickly. Then when the 24 hours were up, BOOM, you get this. This whole thing sounds really fishy to me.

What makes this whole thing plausible is an investigation by Gamers Nexus which found the following regarding CTS Labs:

  • AMDFlaws.com was registered mere weeks ago.
  • The backgrounds in CTS-Labs videos explaining the flaws and its research appear to be green screens of offices rather than physical locations.
  • They have a disclaimer on their website that suggests that they have an “economic interest” and have made statements to that effect.

None of this is a smoking gun. But it all sounds kind of suspicious.

As for AMD stock, it doesn’t look like it’s changed all that much since this whole affair began. Clearly investors feel that what CTS Labs has to say falls under the category of “nothing to see here, move along”.

But let’s take the other side of the argument. There’s this person who has claimed to have verified that these flaws are real:

Dan Guido is the CEO of a company called Trail of Bits. They are an IT security firm out of NYC and they do have a reputation that is positive from what I have heard. Thus it would suggest that the flaws are real. But there’s so much “noise” surrounding this rather craptastic disclosure that it is next to impossible to separate fact from fiction. Thus my suggestion is that we all need to take a deep breath and actually determine what the facts really are. It could be CTS Labs is telling the truth. But they delivered it in such a horrible manner that nobody trusts them. The bottom line is that we need to get to the bottom of this sooner rather than later. Because the longer that this sits out there with a lack of facts, the more the “noise” will increase. And that’s not good for anyone.

CTS Labs Explains Why It Gave AMD A Single Day To Respond To Alleged Chip Flaws….. I Don’t Know If I Believe It Though

Posted in Commentary on March 14, 2018 by itnerd

Yesterday I told you about a company called CTS Labs who went public with flaws that are allegedly in AMD CPUs after only giving AMD a day to respond. That bucks the standard of giving a company 90 days to fix an issue before going public. That’s known as Responsible Disclosure. But these guys clearly don’t buy into that and the question I have is why did they simply give AMD a single day to respond. It truly sounds underhanded. We now have answers on that front via Tom’s Hardware where CTS Labs explained why they went that route:

CTS Labs told us that it bucked the industry-standard 90-day response time because, after it discussed the vulnerabilities with manufacturers and other security experts, it came to believe that AMD wouldn’t be able to fix the problems for “many, many months, or even a year.” Instead of waiting a full year to reveal these vulnerabilities, CTS Labs decided to inform the public of its discovery.

That isn’t to say that CTS Labs revealed the problems without checking their veracity. The company told us that it consulted with other security experts and manufacturers about the issue, provided them with proofs of concept and tutorials for exploiting the vulnerabilities, and waited for their responses before preparing the flaws for public disclosure. Trail of Bits CEO Dan Guido confirmed that his company backed up the findings, for example.

I am sorry but I have a huge problem with this explanation. The cynic in me says that this company who nobody had heard of before yesterday was looking for a way to get their name in the news. So when they tripped over this issue…. Assuming that this discovery is accurate of course seeing as AMD hasn’t yet confirmed it…. They went into “beast mode” to create a slick website with equally slick videos to get their message out before speaking to AMD and giving them a day to respond. Of course knowing that they could not respond that quickly. Then when the 24 hours were up, BOOM, you get this. This whole thing sounds really fishy to me. Besides if we assume that none of these flaws were in the wild, there’s little risk to those who own these processors. AMD could look at this, figure out how to address it, and do so in a reasonable manner. But now that these flaws are in the wild, AMD likely will have to rush to get something out to address this. Again, assuming that this discovery is accurate. I really don’t get the warm fuzzies from these guys. I want to see how AMD responds to this, and if it’s proven (key word proven) to be false or having a very limited impact, I hope they take appropriate action against CTS Labs.

AMD May Have Chip Flaws Of Its Own

Posted in Commentary on March 13, 2018 by itnerd

A couple of months ago we heard about Meltdown and Spectre. That was bad as it’s affected everyone who runs a PC, Mac, or pretty much anything else. But it’s about to get worse as we now have the following new chip flaws to worry about:

  • RyzenFall
  • MasterKey
  • Fallout
  • Chimera

The flaws, which are 13 vulnerabilities that fall into the above four buckets, were uncovered by a company called CTS Labs who served up a report via a very slick and fancy website and reportedly only gave AMD 24 hours to respond. That’s a bit of a #fail as we don’t know if their findings are actually valid. Here’s one reason why I am personally skeptical. There’s this disclaimer on the website that I linked to above:

Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports. Any other organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents.

We’re expected to look past that and take this group seriously? Uh, my gut feeling is not to. But I will suspend disbelief as AMD is investigating and I am sure that every hacker on Earth is too so that they can leverage these flaws, if they are accurate, for pwnage on an epic scale. But if they aren’t accurate, I hope AMD sues them out of existence.

More to come.

 

 

AMD Gets Sued Over Spectre CPU Flaw

Posted in Commentary on February 22, 2018 by itnerd

At least four separate lawsuits have now been filed against AMD alleging violations ranging from securities fraud to breach of warranty, unfair competition, and negligence. The cases, all submitted to a US district court in San Jose, include:

The first three suits seek damages from AMD on behalf of those who bought an AMD processor that has the Spectre flaw. The last one seeks to recover cash for shareholders of AMD who bought AMD stock between February 21, 2017 and January 11, 2018. Now the first three cases could be merged into a single case, but regardless. This is bad for AMD who joins Intel in circling their legal wagons.

You can fully expect more lawsuits to come AMD’s way. Mark my words.

Amazon, AMD, Apple, ARM, Google, Intel & Microsoft Are Asked To Answer Spectre And Meltdown Questions

Posted in Commentary on January 25, 2018 by itnerd

It seems the Spectre and Meltdown gong show just got real. The leaders of Amazon, AMD, Apple, ARM, Google, Intel and Microsoft have been asked via letters to answer questions about the two CPU bugs by Republican members of the US House of Representatives.

Specifically, the politicians want to know about a secrecy agreement that was put in place by these same companies. In short the agreement demanded silence from June 2017 which is when researchers recognized the seriousness of the processor design flaws, through the planned date of coordinated disclosure on Tuesday, January 9, 2018. Except that The Register found out about the flaws and dropped the details on an unsuspecting world a week before the deal expired, which caused these companies to scramble to get fixes out.

You have to suspect that this is the first step in the eventual public flogging known as a Congressional Hearing. Given that this is an election year, that won’t end well for any of these companies. But we’ll see if Congress decides to go there.