AMD promises fixes coming for new processor security vulnerabilities


AMD this week responded to the disclosure of a set of security vulnerabilities affecting its processors, acknowledging that the flaws exist and promising it will release fixes in the coming weeks. The flaws in question, disclosed last week by CTS-Labs, involve 13 critical security vulnerabilities (spread across four families: Masterkey, Fallout, RyzenFall, and Chimera) found throughout AMD's Ryzen and EPYC product lines.

AMD is quick to point out that the issues are not related to its "Zen" CPU architecture or the Meltdown and Spectre flaws disclosed earlier this year. Rather, they impact the AMD Secure Processor embedded in some products, as well as the chipset in some socket AM4 and TR4 platforms. Further, AMD claims that attackers seeking to exploit these flaws would require administrative access to execute them, meaning they'd already have unrestricted access to the system. From AMD:

Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues.

In its original disclosure, CTS-Labs claimed that Masterkey, Ryzenfall, and Fallout could take "several months" to fix, but AMD says that it plans to release firmware patches "in the coming weeks." For more on AMD's planned release timeline, as well as the technical details surrounding each flaw, check out AMD's full response.

Dan Thorp-Lancaster is the former Editor-in-Chief of Windows Central. He began working with Windows Central, Android Central, and iMore as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl

  • AMD Secure Processor = Intel Management Engine. Same kind of ****!
  • only a few weeks ago AMD was saying how their processors were superiour to those from Intel as they were not affected by security vulnerabilities..  how ironic
  • the scinic in me would believe that this is intel's response to those claims. However I doubt intel could be as incompetent as cts labs and viceroy have been. 
  • Not really. There is no real flaw here, AMD are just doing this for PR reasons. If an attacker already has admin access to your system (needed to apply these 'attacks') then it's game over. Nothing AMD can do will help you.
  • ...or Intel for that matter
  • <p>You know these vulnerabilities are really bogus. CTS Labs was a hit job/stock manipulation (even has a financial disclaimer they have an interest!). AMD just has to do PR since every media outlet gobbled it up</p>
  • Vulnerabilities that assume the attacker already has total control of the system... One class of vulnerabilities are about a chipset also used by some Intel motherboards, and the only one persisting over a reboot requires updating the BIOS through the OS, if the MB is setup to allow it (not sure if Intel CPUs can detect non-standard BIOS, for some reason there is no mention of Intel in the CTS-Labs whitepaper or website). edit: they are still vulnerabilities, but nowhere near the severity of Meltdown or Spectre1-2
  • So if the CPU is only vulnerable in case the OS was compromised before: in what way could a hacker profit from CPU/chipset flaws any further?
  • Correct, your system must be compromised before.... this whole thing was a stock manipulation/hit job sham. The company was created soon after Ryzen was released and they claimed a financial interest with this latest security publishing... LOL
  • This whole CATS thing is weird... They're trying to make a bigger deal of this than it is, and are acting quite suspiciously themselves. I think the heal story here is figuring out exactly what their angle is.
  • CTS you mean