AMD today posted its own technical assessment of security issues raised by CTS Labs, an Israeli startup that caused a ruckus last week by disclosing to the public 13 supposedly "critical" flaws impacting AMD's Ryzen and Epic processor lines. Though AMD acknowledged that the vulnerabilities do in fact exist, the chip designer downplayed the situation on the basis that each of exploits requires administrative access.
"It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings. Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research," AMD stated in a blog post.
In other words, you're already hosed if a bad actor manages to gain administrative access to a system or network. Furthermore, AMD points out that all modern operating systems and enterprise-grade hypervisors have a slew of built mitigations to prevent hackers from gaining administrative privileges in the first place.
AMD's assessment is in stark contrast to that of CTS Labs, which most would agree handled the situation poorly. For one, it gave AMD less than 24 hours to respond to its finding, versus an industry standard of 90 days. The firm's reasoning was that it wasn't disclosing the technical details to the public, only to AMD and select companies like Microsoft, so users would not be at risk. Nevertheless, even CTS Labs has since acknowledged that it could have done better.
"We are a small group of security researchers. We have no past experience with making publications, and there is no question we messed this one up. We certainly learned some hard lessons here," CTS Labs told TechPowerUp.
The original article I wrote on the topic should have been more skeptical. It didn't take long for questions to arise. Of particular note was a separate website called Viceroy Research putting out a report saying "AMD is worth $0.00 and will have no choice but to file for Chapter 11 bankruptcy in order to effectively deal with the repercussions of recent discoveries." According to The Register, Viceroy Research said it had a short position on AMD's stock and intended to increase its position—meaning that Viceroy had a direct financial stake in seeing AMD's stock decline in value. It's not clear if Viceroy is related to the security researchers in any way, but CTS Labs also disclosed that it "may have, either directly or indirectly, an economic interest in the performance of securities of the companies whose products are the subject of our reports."
Whatever the case might be, AMD has analyzed the flaws and come to the conclusion that they're not as serious as CTS Labs made them out to be, which based on what we know appears to be accurate. Other security experts who have examined the flaws in detail say the same thing. For example, researchers at Trail of Bits, an independent security firm with no apparent skin in the game, said "there is no immediate risk of exploitation of these vulnerabilities for most users." Trail of Bits also noted that "even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities," requiring an effort that is "beyond the reach of most attackers."
That's not to say AMD is standing pat. The company said it's working on BIOS updates that mitigate the issues, and it doesn't expect these to have a performance impact.
