Last week, an Israeli security outfit published details of security flaws that affected AMD processors, and we’ve now had official word from AMD acknowledging that the bugs in question are indeed real – although it added that they’re difficult to exploit, and that fixes are coming.
Israeli firm CTS Labs highlighted 13 vulnerabilities in its white paper, and unusually, only gave AMD 24 hours’ notice before making the research public. The vulnerabilities affected Ryzen and Ryzen Pro CPUs, as well as EPYC server processors.
Addressing the bugs, AMD’s CTO Mark Papermaster underlined the fact that root-level (administrator) OS access is needed to be able to leverage exploits against the vulnerabilities. That means they’re difficult to exploit – and anyone who managed to get unauthorized admin access to a machine could wreak all sorts of havoc on it, bugs notwithstanding.
Papermaster clarified that fixes are in the pipeline, and that firmware patches would be released via BIOS updates to tackle the Masterkey, Ryzenfall and Fallout groups of vulnerabilities. A fourth group of flaws, known as Chimera, which affects systems using the ‘Promontory’ chipset, will receive attention via mitigating patches delivered through BIOS updates.
AMD said (opens in new tab) it is “working with the third-party provider that designed and manufactured the ‘Promontory’ chipset on appropriate mitigations”.
In all cases, AMD asserted that there will be no impact on the performance of the patched PC, which isn’t the case with Intel’s cures for Meltdown and Spectre, as they can cause some level of slowdown (particularly for older processors, or those who aren’t running Windows 10).
AMD said it would provide further analysis and updates on its mitigation plans in the coming weeks.