AMD vows to fix newly-disclosed processor vulnerabilities
The company was given just 24 hours' notice before the flaws were made public.
Semiconductor company AMD has finally acknowledged there's a problem with its Platform Security Processor. Earlier this month Israel-based CTS labs found 13 critical vulnerabilities (including RyzenFall, MasterKey, Fallout and Chimera) with AMD's product, which could allow attackers to access sensitive data, install malware and gain complete access to compromised machines (although doing so would require admin access). Today, AMD has published a statement that largely underplays the threat, but claims that patches will be coming soon.
The announcement comes against a wider backdrop of controversy involving responsible disclosure. When researchers find vulnerabilities in products they typically give companies 90 days to respond -- sometimes even longer, depending on the seriousness of the flaw in question. Google gave Intel around 200 days to fix Meltdown and Spectre before revealing them to the public, for example. The idea, of course, is to give companies an opportunity to get a fix out there before nefarious individuals find a way to capitalize on the vulnerability themselves.
But CTS Labs told AMD about the problem just 24 hours before disclosing it to the public -- certainly not long enough for the company do to anything about it. Although CTS Labs didn't disclose any technical information about the issue that could have harmed AMD users in any way, its premature revelation has caused ripples in the industry. Linux creator Linus Torvalds, for example, told ZDNet "It looks more like stock manipulation that a security advisory to me."
However, CTS Labs maintains it did the right thing, claiming that they didn't think AMD would be able to fix the problem for "many, many months, or even a year" anyway. CTS Labs' CTO Ilia Luk-Zilberman has also posted a letter on the AMDflaws site in which he explains his gripe with the 90-day response window and why he believes revealing vulnerabilities to everyone at once (consumers and media, as well as the companies in question), puts pressure on the relevant parties to get things fixed.
That certainly appears to be the case with AMD, which says that patch updates can be expected through BIOS updates (without affecting performance) in the coming weeks -- a fair response having been caught so off guard. The issue now, however, would be other security research companies similarly doing away with the 90-day 'rule'. If vulnerabilities were made public the moment they were discovered, they'd never be out of the news, and it would be a real challenge for everyone concerned to know where the risks really were.
