Security Researchers Publish Ryzen Flaws, Gave AMD 24 hours Prior Notice

Stefan Mileschin · 16th March 2018, 13:26

Through the advent of Meltdown and Spectre, there is a heightened element of nervousness around potential security flaws in modern high-performance processors, especially those that deal with the core and critical components of company business and international infrastructure. Today, CTS-Labs, a security company based in Israel, has published a whitepaper identifying four classes of potential vulnerabilities of the Ryzen, EPYC, Ryzen Pro, and Ryzen Mobile processor lines. AMD is in the process of responding to the claims, but was only given 24 hours of notice rather than the typical 90 days for standard vulnerability disclosure. No official reason was given for the shortened time.

At present, AMD’s official line is:

"At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings."

At this point AMD has not confirmed any of the issues brought forth in the CTS-Labs whitepaper, so we cannot confirm in the findings are accurate. It has been brought to our attention that some press were pre-briefed on the issue, perhaps before AMD was notified, and that the website that CTS-Labs has setup for the issue was registered on February 22nd, several weeks ago. Given the level of graphics on the site, it does look like a planned ‘announcement’ has been in the works for a little while, seemingly with little regard for AMD’s response on the issue. This is compared to Meltdown and Spectre, which was shared among the affected companies several months before a planned public disclosure. CTS-Labs has also hired a PR firm to deal with incoming requests for information, which is also an interesting avenue to the story, as this is normally not the route these security companies take. CTS-Labs is a security focused research firm, but does not disclose its customers or research leading to this disclosure. CTS-Labs was started in 2017, and this is their first public report.

https://www.anandtech.com/show/12525...urs-to-respond

16th March 2018, 13:26	#1
Stefan Mileschin [M] Reviewer Join Date: May 2010 Location: Romania Posts: 148,462	Security Researchers Publish Ryzen Flaws, Gave AMD 24 hours Prior Notice Through the advent of Meltdown and Spectre, there is a heightened element of nervousness around potential security flaws in modern high-performance processors, especially those that deal with the core and critical components of company business and international infrastructure. Today, CTS-Labs, a security company based in Israel, has published a whitepaper identifying four classes of potential vulnerabilities of the Ryzen, EPYC, Ryzen Pro, and Ryzen Mobile processor lines. AMD is in the process of responding to the claims, but was only given 24 hours of notice rather than the typical 90 days for standard vulnerability disclosure. No official reason was given for the shortened time. At present, AMD’s official line is: "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings." At this point AMD has not confirmed any of the issues brought forth in the CTS-Labs whitepaper, so we cannot confirm in the findings are accurate. It has been brought to our attention that some press were pre-briefed on the issue, perhaps before AMD was notified, and that the website that CTS-Labs has setup for the issue was registered on February 22nd, several weeks ago. Given the level of graphics on the site, it does look like a planned ‘announcement’ has been in the works for a little while, seemingly with little regard for AMD’s response on the issue. This is compared to Meltdown and Spectre, which was shared among the affected companies several months before a planned public disclosure. CTS-Labs has also hired a PR firm to deal with incoming requests for information, which is also an interesting avenue to the story, as this is normally not the route these security companies take. CTS-Labs is a security focused research firm, but does not disclose its customers or research leading to this disclosure. CTS-Labs was started in 2017, and this is their first public report. https://www.anandtech.com/show/12525...urs-to-respond

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
uTorrent has serious security flaws	Stefan Mileschin	WebNews	0	26th February 2018 18:08
Intel's latest Core processors have serious security flaws	Stefan Mileschin	WebNews	0	24th November 2017 18:44
Google fixes two serious Android security flaws	Stefan Mileschin	WebNews	0	13th September 2016 07:18
QuickTime security flaws lead to its demise on Windows	Stefan Mileschin	WebNews	0	18th April 2016 05:21
NSA discloses most security flaws, but that's not the whole story	Stefan Mileschin	WebNews	0	9th November 2015 18:21
Spy agencies are exploiting flaws in security software	Stefan Mileschin	WebNews	0	23rd June 2015 06:57
The US Navy wants to buy unpatched security flaws	Stefan Mileschin	WebNews	0	15th June 2015 07:30
OS X Yosemite update tackles 'surprise' Mac security flaws	Stefan Mileschin	WebNews	0	28th January 2015 09:13
Apple Patches 144 Security Flaws Across Seven Products	Stefan Mileschin	WebNews	0	20th October 2014 09:46
Two serious security flaws hit Microsoft Windows	Sidney	WebNews	0	9th November 2005 04:54