A set of vulnerabilities recently disclosed in AMD chips is causing a sensation not because of the scale of the flaws, but because of the hasty, marketing-heavy way in which the researchers revealed them. When was the last time a bug had its own professional video and public relations representative, while the affected company got only 24 hours' notice? The flaws may well be real, but the precedent set here is an unpleasant one.
The flaws in question were discovered by CTS Labs, a cybersecurity research team in Israel, and given a set of catchy names: Ryzenfall, Masterkey, Fallout, and Chimera, complete with logos, a dedicated website and a white paper describing them.
So far, nothing unusual: major bugs such as Heartbleed and, of course, Meltdown and Spectre also had names and logos.
The difference is that in those cases the affected parties, such as Intel, the OpenSSL team and AMD, were quietly notified well in advance. This is the practice known as "responsible disclosure," and it gives developers the chance to fix a problem before it is made public.
There is a legitimate debate about how much control large companies should have over the publicizing of their own shortcomings, but in general, in the interest of protecting users, the convention tends to be honored. In this case, however, the CTS Labs team presented its findings to AMD fully formed, with very little warning.
The flaws the team discovered are real, although exploiting them requires administrative privileges to carry out a cascade of actions, which means an attacker would already need considerable access to the target system. The researchers describe some of them as backdoors deliberately built into chips made by the Taiwanese company ASMedia, which partners with many manufacturers to produce components.
That access requirement makes them far more limited than Meltdown and Spectre, which exploited problems at the memory-management and architecture level. They are serious, certainly, but the way they have been publicized has raised suspicions online.
Why was the highly technical video shot on a green screen and composited over stock backgrounds? Why the scare tactics about AMD's use in the military? Why don't the flaws have CVE numbers, the standard tracking method for nearly all serious issues? Why was AMD given so little time to respond? If, as the FAQ suggests, fixes for some of the flaws could be produced in a matter of months, why not at least delay publication until they are available? And what about the disclosure that CTS "may have, directly or indirectly, an economic interest in the performance" of AMD? That is not a common disclaimer in situations like this.
(I've contacted the public relations representative listed for the flaws (!) to get answers to some of these questions.)
It's hard to shake the feeling that some kind of grudge against AMD is at play. That doesn't make the flaws any less serious, but it leaves a bad taste in the mouth.
AMD issued a statement saying that "we are investigating this report, which we just received, to understand the methodology and merit of the findings." It is hard to do much more in a single day.
As always with big bugs like these, their true scope, how serious they really are, whether users or businesses will be affected, and what they can do to protect themselves will all become clear as experts carefully examine and verify the data.
Featured image: Fritzchens Fritz / Flickr