Researchers from CTS Labs found serious and potentially dangerous flaws in computer chips manufactured by AMD.
But exactly how CTS disclosed the vulnerabilities has raised concerns among security researchers: It allegedly didn’t give AMD enough time to respond and get fixes ready before going public.
Some skeptics believe that CTS might have a financial interest in seeing AMD flounder in response.
The flaws are unlikely to affect individual users, and will be most concerning to big businesses using AMD chips.
CTS has also been criticized for failing to provide key technical details of the vulnerabilities.
On Tuesday, an Israel-based security firm named CTS Labs revealed a series of “critical” vulnerabilities affecting computer processors made by $11 billion chipmaker AMD — serious flaws that, in the wrong hands, could allow hackers access to otherwise-secure systems.
While the dangers posed by these vulnerabilities may well be real, the whole episode is raising eyebrows among the security community. First, CTS didn’t follow security industry protocol in revealing these flaws to the world. That, coupled with the fact that CTS didn’t disclose certain key technical details, has some experts scratching their heads.
And AMD doesn’t appear to be happy about it, either. In an official blog entry, AMD said that it is investigating the claims made by CTS, but expressed disapproval for the way the vulnerabilities were disclosed.
“This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings,” the post reads.
Despite the uncertainty, though, the vulnerabilities appear to be real. Still, unless you’re in the IT department of a Fortune 500 company, you probably shouldn’t worry too much about the CTS report.
“This is not something the general public should lose sleep over. Enterprise customers will have to deal with this more as their threat models and workloads are significantly different and these vulnerabilities would expose them to more risk,” Jake Williams, founder of security firm RenditionSec, told Business Insider.
AMD had no official comment beyond the blog entry. CTS did not immediately respond to a request for comment.
CTS appears to have flouted normal protocol
CTS unveiled the flaws on a slick website, amdflaws.com, which comes complete with showy graphics and a 20-page whitepaper explaining the vulnerabilities in high-level terms. They even gave the vulnerabilities flashy names: “Ryzenfall,” “Fallout,” “Masterkey,” and “Chimera” — echoing Google’s high-profile disclosures of the “Spectre” and “Meltdown” security vulnerabilities earlier this year.
The CTS-made website also includes a video of both the CEO and the CFO of CTS-Labs talking about the vulnerabilities in front of what appears to be a greenscreen.
But it’s exactly the level of sophistication in the announcement that has security researchers suspicious: The way that CTS handled the disclosure, and the website itself, are “highly unusual” in the security industry, says RenditionSec’s Williams.
On the amdflaws.com website, CTS says that it “has shared this information with AMD, Microsoft, and a …
Source: Business Insider