Chip maker AMD faces claims of new bugs

Two months after the world learned of two massive bugs inherent in widely used computer processor chips, security researchers in Israel claim to have found another set of critical security vulnerabilities, this time affecting Advanced Micro Devices processor chips.

On Mar. 12, 2018, researchers at CTS-Labs announced that they had discovered 13 separate vulnerabilities and manufacturer backdoors inside four AMD processor lines, which are used in desktops, laptops, and servers. According to the researchers, the flaws allow a malicious attacker with sufficient login credentials to permanently install malware onto AMD secure processors allowing for "virtually undetectable" espionage.

Researchers said the security flaws are so numerous and rudimentary that CTS researchers questioned whether the chip manufacturer was conducting adequate oversight of its products.

In a statement to FCW, an AMD spokesperson said the company was "investigating this report, which we just received" suggesting they had only recently been notified. It is standard practice in the information security research community to inform a company about security vulnerabilities months in advance of disclosing them to the public.

Later, the company released a statement on its investor relations blog saying it is actively investigating the incident, but that CTS-Labs was "previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings."

Security researcher Kevin Beaumont took a skeptical and critical tone of the disclosures on Twitter, calling the CTS-Labs white paper "trash" with "literally no technical information" and criticizing the company for its disclosure timeline.

"I mean seriously, if there's a vulnerability, don't run to the press with professionally shot videos talking about 'asking experts' for more info and saying 'lives at risk,'" said Beaumont.

CTS Labs could not be immediately reached for comment to respond to questions about when their researchers decided to inform AMD about the vulnerabilities.

Security researcher Dan Guido said on Twitter that his company had been asked to review the CTS findings before the white paper went out, and that "the bugs are real, accurately described in their technical report…and their exploit code works."

Curtis Dukes, executive vice president at the Center for Internet Security and a former director of the National Security Agency's Information Assurance Directorate, told FCW it would be "disappointing" if it turned out that CTS-Labs gave AMD short notice about the vulnerabilities before going public.

"You can't expect a company to respond in less than 24 hours with risk mitigation guidance," he said.

Dukes said it was not clear from the research whether the attacks are remotely exploitable.

"If remotely exploitable, I would rate the vulnerabilities as critical. If not…then it's still serious but other defensive measures can be employed to reduce risk of exploit," he said.