[Update] Security flaws discovered in AMD zen processors : AMD's meltdown?

[Guest]

8 minutes ago, LAwLz said:

Source?

It's not mentioned in the article linked.

 

[LAwLz]

Gotta love the hypocrisy on this forum.

 

Intel has a security issue?

FUCK INTEL! I HOPE THEY GET SUED! WOHO AMD! INCOMPETENT MORONS CAN'T EVEN DESIGN A SECURE PROCESSOR!

 

AMD has security issues?

FUCK INTEL! I BET THIS IS FUNDED BY INTEL JUST TO MAKE AMD LOOK BAD! BY THE WAY NO NEED TO BE SCARED YOU GUYS! AMD PROCESSORS ARE SUPER SECURE!

 

 

How about we all calm down until we actually know what is going on?

It was announced just a few hours ago and I doubt people have even had the time to properly read through the white papers yet, much less analyzed the risks properly yet.

Remember, with Meltdown and Spectre there was A TON of misinformation being spread around based on assumptions or incomplete facts. I suspect the same thing will happen here. Don't believe everything you read on the Internet.

 

Edit: Also, regardless of whether or not it is a smear campaign (and regardless of who is behind it), the information and potential exploits should be taken seriously. You don't ignore potentially serious issues just because you don't like how the information was presented or obtained.

[Guest]

1 hour ago, rcmaehl said:

WTF Intel. Should send all this info at your local news stations,

"Intel pays big money to smear AMDs name" sounds like a big news, and because you have the evidence maybe someone will publish that story.

[LAwLz]

6 minutes ago, Energycore said:

They're not obligated by law, but this should be treated just like a breach of journalism code (you know which incident I'm referring to, let's not discuss whether or not that was a breach). If a journalist shows blatant disregard for such code, it's on us to call them out and ultimately stop consuming their media.

Who are you talking about breaching the "journalism code" in this case? CTS-Labs? They are not journalists, and "stop consuming their media" would be a horrible, absolutely horrible advice because all you're doing is turning a blind eye to problems while letting black hats run amok with them.

Do you mean all the news outlets reporting on this? Once again, turning a blind eye won't solve the problem. It will just make things even worse.

 

 

10 minutes ago, Energycore said:

Either way this doesn't seem legit, looking at @rcmaehl's info.

What do you mean it doesn't seem legit? What actual information in his post points to this being a hoax?

 

6 minutes ago, Some Random Member said:

-snip-

I don't see anything in that thread even remotely pointing towards Intel being behind this.

[cj09beira]

is intel being shady again?  

Spoiler

 

 

 

[DoctorWho1975]

When was the domain registered?

[Mira Yurizaki]

6 minutes ago, Some Random Member said:

WTF Intel. Should send all this info at your local news stations,

"Intel pays big money to smear AMDs name" sounds like a big news, and because you have the evidence maybe someone will publish that story.

What's your proof that Intel paid for this?

[hobobobo]

Quote

Although we strive for accuracy and completeness to support our opinions, and we have a good-faith belief in everything we write, all such information is presented "as is," without warranty of any kind– whether express or implied – and CTS does not accept responsibility for errors or omissions. CTS reserves the right to change the contents of this website and the restrictions on its use, with or without notice, and CTS reserves the right to refrain from updating this website even as it becomes outdated or inaccurate.

The bolded part is pure genius

 

amdflaws.com/disclaimer is a good read, the

" Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports. "

part is pretty great too

 

 

edit:

from their site:

Quote

 

MASTERKEY: Exploiting MASTERKEY requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update.

RYZENFALL: Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges.

FALLOUT: Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges.

CHIMERA: A program running with local-machine elevated administrator privileges. Access to the device is provided by a driver that is digitally signed by the vendor.

 

 

Cool security vulnerabilty that requires admin rights or bios flash

 

 

[JoostinOnline]

4 minutes ago, M.Yurizaki said:

What's your proof that Intel paid for this?

Ask Linus, he's on their payroll, right?  

[LAwLz]

1 minute ago, M.Yurizaki said:

What's your proof that Intel paid for this?

"If you repeat a lie often enough, people will believe it, and you will even come to believe it yourself."

[Energycore]

Just now, LAwLz said:

Who are you talking about breaching the "journalism code" in this case? CTS-Labs? They are not journalists, and "stop consuming their media" would be a horrible, absolutely horrible advice because all you're doing is turning a blind eye to problems while letting black hats run amok with them.

Do you mean all the news outlets reporting on this? Once again, turning a blind eye won't solve the problem. It will just make things even worse.

I think I didn't make myself clear, that was an analogy. These people aren't journalists and we can't "stop consuming their media". What I meant is that they did a breach of the standard procedure of vulnerability disclosure and as such should have that called out.

 

Just now, LAwLz said:

What do you mean it doesn't seem legit? What actual information in his post points to this being a hoax?

TL;DR: The company that disclosed these vulnerabilities created their YouTube Channel 3 days ago, registered their domain the 22nd of Feb, disabled any chance of retort in the video comments and disclosed a lot of vulnerabilities that are useless - see the post we linked you twice for more details.

Just now, cj09beira said:

is intel being shady again?  

  Hide contents

 

 

 

Just another reason to call out CNBC also. Rather than an attack from Intel itself, it seems like someone wants to tank AMD prices so they can profit from short-selling their shares (short selling is when you borrow some shares, sell them at a high price, buy them low then give them back and keep the difference).

 

Just now, hobobobo said:

" Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports. "

Hehe I laughed at that too

[JoostinOnline]

I hope this isn't true. But if it is, at least it doesn't affect so many generations. Honestly though, I wish it was the other way around and Zen was the one immune. It's been so long since AMD has made a good CPU, and I hate for it to be negatively affected. 

[cj09beira]

1 minute ago, Energycore said:

I think I didn't make myself clear, that was an analogy. These people aren't journalists and we can't "stop consuming their media". What I meant is that they did a breach of the standard procedure of vulnerability disclosure and as such should have that called out.

 

TL;DR: The company that disclosed these vulnerabilities created their YouTube Channel 3 days ago, registered their domain the 22nd of Feb, disabled any chance of retort in the video comments and disclosed a lot of vulnerabilities that are useless - see the post we linked you twice for more details.

Just another reason to call out CNBC also. Rather than an attack from Intel itself, it seems like someone wants to tank AMD prices so they can profit from short-selling their shares (short selling is when you borrow some shares, sell them at a high price, buy them low then give them back and keep the difference).

 

Hehe I laughed at that too

i bet some people also want in while price is low as they start to see that amd is probably only going up from here

[Energycore]

Just now, cj09beira said:

i bet some people also want in while price is low as they start to see that amd is probably only going up from here

Yeah, possibly. That's also a possible reason why Bitcoin has been dumping hard every day at noon EST since a week ago.

[Mira Yurizaki]

7 minutes ago, JoostinOnline said:

I hope this isn't true. But if it is, at least it doesn't affect so many generations. Honestly though, I wish it was the other way around and Zen was the one immune. It's been so long since AMD has made a good CPU, and I hate for it to be negatively affected. 

The nature of this flaw is that you need physical access to the machine and you have to install compromised software.  i.e., it's a PEBKAC type of issue.

 

It's same kind of "vulnerability" described in this: https://blogs.msdn.microsoft.com/oldnewthing/20100114-00/?p=15273

Edited March 13, 2018 by M.Yurizaki

[LAwLz]

5 minutes ago, Energycore said:

I think I didn't make myself clear, that was an analogy. These people aren't journalists and we can't "stop consuming their media". What I meant is that they did a breach of the standard procedure of vulnerability disclosure and as such should have that called out.

There is no standard procedure for vulnerabilities disclosures.

What should we call them out for exactly? Should we say "shame on you"? That won't change anything.

Yeah they should have given AMD time to fix these things but they didn't. It's not good but we have to live with their decisions and make the best out of it.

 

I think people should focus less on these crazy conspiracy theories (just look at how many people are now saying Intel is behind this, with 0 evidence) and instead focus on the things we do know, in order to assess the situation.

 

 

11 minutes ago, Energycore said:

TL;DR: The company that disclosed these vulnerabilities created their YouTube Channel 3 days ago, registered their domain the 22nd of Feb, disabled any chance of retort in the video comments and disclosed a lot of vulnerabilities that are useless - see the post we linked you twice for more details.

Why does it matter when they created their youtube channel? Also, do you seriously believe retorts should be made in Youtube comments? I am willing to bet that 99.99% of people who has read this story has no idea what any of it means, even those who has really strong opinions. Just look at the Meltdown and Spectre press, and how few people even understood how the exploits worked, yet felt like they could comment on the severity of it. I actually think disabling comments on this is a good idea, because I can already see conspiracy theories and misinformation starting to spread.

Why does it matter when they registered their domain?

What makes you think these vulnerabilities are useless? Have you read through the whitepaper or are you just blindly trusting what you read someone say on the Internet?

 

I have looked at the link you and someone else posted. It contains next to actual information or facts.

[Bananasplit_00]

this is pretty interesting, something is defo up and the flaws dont seem that bad anyway tbh

[hobobobo]

1 minute ago, LAwLz said:

I think people should focus less on these crazy conspiracy theories (just look at how many people are now saying Intel is behind this, with 0 evidence) and instead focus on the things we do know, in order to assess the situation.

Those people themselves state they have economic interest in this and that all of the flaws uncovered require either bios flash or admin rights, i dunno what more there is to assess, unless they kept some of the juicier vulnerabilities to themselves

[LAwLz]

4 minutes ago, hobobobo said:

Those people themselves state they have economic interest in this and that all of the flaws uncovered require either bios flash or admin rights, i dunno what more there is to assess, unless they kept some of the juicier vulnerabilities to themselves

Vulnerabilities can be very serious even if they require admin privilege or BIOS flashing.

I will withhold my judgement until I have read through the information we got (actual information, not what some reddit post or whatever says), and I recommend you do the same.

[LAwLz]

19 minutes ago, M.Yurizaki said:

The nature of this flaw is that you need physical access to the machine and you have to install compromised software.  i.e., it's a PEBKAC type of issue.

 

It's same kind of "vulnerability" described in this: https://blogs.msdn.microsoft.com/oldnewthing/20100114-00/?p=15273

I haven't read through the whitepaper yet but where does it say you need physical access? For the BIOS vulnerability it might be needed (although you can update BIOS without physical access), but for the ones that just need admin privilege I don't see why they couldn't be done remotely.

[Notional]

This entire ordeal seems like an investment scam. A company short selling shares followed by some scummy "security firm", releasing a "white paper" full of nonsense. 

 

I doubt Intel is behind this, but it seems like an attack on AMD shares for scummy investors. How very bizarre.

[DildorTheDecent]

wonder how many shekels they got lol.

 

thejewsdidthis.gif

[Mira Yurizaki]

1 minute ago, LAwLz said:

I haven't read through the whitepaper yet but where does it say you need physical access? For the BIOS vulnerability it might be needed (although you can update BIOS without physical access), but for the ones that just need admin privilege I don't see why they couldn't be done remotely.

Well if you can update BIOS without physical access, there you go. But updating BIOS looked like a first step in compromising the system.

[lewdicrous]

Is this Intel in disguise?

[LAwLz]

1 minute ago, M.Yurizaki said:

Well if you can update BIOS without physical access, there you go. But updating BIOS looked like a first step in compromising the system.

Again, I haven't read the entire thing yet (barely started) but it seems to me like it is only one or a few out of the 13 exploits that has to do with the BIOS.

It's not a 13 step process where installing a compromised BIOS is the first step. It's 13 different attacks, some of which has to do with the BIOS.