cancel
Showing results for 
Search instead for 
Did you mean: 

General Discussions

AMD investigating chip security flaws after less than 24 hours notice From ZDNET

Just received this email from ZDNET that states a startup Israeli Security company has found more than 10 security flaws in AMD Ryzen and AMD Server chips. AMD at first was skeptical since the Company didn't give AMD enough time but it seems like AMD confirmed the security flaws. Anyone interested can go here: AMD investigating chip security flaws after less than 24 hours notice | ZDNet​ . The article from ZDNET also mentions that CNET has a more in depth analysis of the security flaws : AMD security flaw found in Ryzen, EPYC chips - CNET.

0 Likes
1 Solution
16 Replies

By not giving AMD time to investigate the alleged flaws and publishing it to the public gives Hackers enough time to find the flaws themselves, if true, and use it before AMD has a chance to rectify the problem. That is why Google gave Intel over six months before publishing to the public. I guess that is why Security firms are upset with CTS because now it makes their job many times more difficult since AMD hasn't had a chance to find a fix if the flaws are accurate.

0 Likes

If the flaws are even accurate.  They didn't publish the white paper with their findings, and instead sent that to one other researcher who says it's accurate.  The fact that they gave AMD less than 24 hours to respond when standard protocol is 90 days is ridiculous.  It seems like someone at the company has a vested interest in Intel market share, after all, why not follow standard protocol? 

0 Likes

ZDNET & CNET are not fly by the night websites that publish tabloid style news. These two Tech websites are very reputable. The article you posted as well as Black Zion doesn't say the Flaws are fake. That hasn't be verified by AMD. What those links are saying, which is the same as ZDNET & CNET, is the way AMD was alerted or notified after the discovery. Whether CTS has an ulterior motive or not is not the point. The point is are the Flaws actual or false. If false, AMD has a very good case against CTS and all others that paid CTS for publicizing false information that financially hurt AMD's profits and reputation.

I was just alerting AMD users to what was sent to me in a email from ZDNET. This was the first time I have heard of these flaws and felt it was important to let other know.

0 Likes

It doesn't look like the flaws are fake, but it does look like they basically require direct motherboard access and admin privileges to implement.  Seems like someone was trying to use scare tactics to drop AMDs stock and then resell at a higher price when they rebound after the threat was debunked.

Evidence Suggests Attack on AMD Security Was Financially Motivated

0 Likes

I cut and pasted this comment from the user comments bellow the article on anther website. I think it says it all!

----------

"No address, no land line, 4 persons in Isral set up after June 2017 (after Intel's "Meltdown inside"), ..., but just a website ($4.95/month) and a mobile number +1-585-233-0321!

From the quite cheap guy who reviewed their findings for $16K:

"For the attacks to work, an attacker must first obtain administrator access to a targeted network, Guido said."

For the car thief to steal the car, the car thief must first obtain the car key and access to the car, CommonSense said. What a car thief!"

----------

This one stinks to high heaven!

What really sucks about this too, is that all anyone will hear is the name Ryzen, I promise this is what they were banking on. It isn't even the the Zen or Zen+ chips.

Sounds like the kinda stuff easily fixed with a bios update that never even makes the news when given the industry standard time. The only people this benefits in any way is Intel.

Now I'm mad at myself for buying an i7! Sorry AMD I should know better.

0 Likes

The more I read on this. And I hope it's not true, sure it may be. But I have to think the biggest reason you could have for this is two fold. A. You eliminate the competition. B. You now buy that IP out of bankruptcy for pennies on the dollar. Intel not that I am saying they did this, I don't want to get sued, I would bet would love to have AMD's tech and patents for peanuts.

0 Likes

Okay now that I have read many articles I also have to wonder about the collusion too. For a company that says they released this to the world in the time frame they did and if they didn't have planned collusion with other write ups I find it ABSOLUTELY AMAZING that supporting articles of this issue literally sprung up in minutes of this. You are one heck of a writer if you can do that, this fast and produce articles that typically take days to fine tune. Especially the 24 pager out there.

0 Likes

It's pretty unlikely Intel was involved.  Seems more likely someone hope to use fear tactics to dip AMDs stock, buy it, and then resell when the info was debunked.

They can't really be sued, because the flaws exist, but the nature was massively blow out of proportion.  Highly unethical stuff if true.

0 Likes

The AMD Chip flaws are real and actual and AMD will update BIOS and Firmware to address those flaws. But since the hacker needs to have Full Admin Rights to the computer system, the flaws are just many that a hacker can use if they are able to compromise a system.

This is from ZDNET: AMD on chip flaws: 'Newly outed bugs are real but no big deal, and fixes are coming' | ZDNet

0 Likes

Thanks for the share Matt. It is a shame that in today's world that so much damage is already done by the initial misinformation that was release by many sites. I think so many lose sight of the fact that these are real people and their families that this affects not just a board room and shareholders. Most of these type of things get so blown out of proportion (maybe by design), and only become issues because companies are not allowed ample time to address the issue before going public. We create panic and economic, helping the bad guys, do bad things.

0 Likes

The only Positive thing that came out of all this is that AMD now is aware of some minor CPU flaws that AMD wasn't aware of before.

The positive thing, is that AMD's stock didn't majorly dip and recover.  So ultmately the short sellers were thwarted.

meirelazar
Journeyman III

The first mistake people make is to believe the claims that the people are based in Israel, are currently an Israeli firm, and that the matter was done in good faith.  SEC filings show that the primary player of the 4 listed is associated with a hedge fund business called Nine Wells and the address was in New York City and later moved to Connecticutt.  The claim that they were associated with IDF 8200 is unsubstantiated.  Unit 8200 is a very large unit covering a lot of technical territory.  It is very possible that even if they were part of 8200 that they had no connection whatsoever with Cyber security.  Furthermore, there is an underlying attempt to use Israel's prestige in technology, science, medicine, Mossad, STUXNET, and military accomplishments such as 6 Days War and the Rescue at Entebbee on July 4, 1976 to inflate their credibility.

The methods in the release of this allegations is a total violation of accepted practices of professional IT and security companies giving AMD 24 hours to address issues.  The orchestration of a number of companies with anonymous websites through GoDaddy only recently corroborating each others allegation and making outrageous inflated allegations of the severity of the vulnerabilities with no proof of concept.  Even the name of the hedge fund, Nine Wells, is a poor parody on an old joke in Israel.  A city mentioned in the BIble when Abraham went there was Beer Sheve and it is a major city in the southern region of Israel today.   Beer Sheve means Seven Wells.  Someone came up with a pejorative joke targeting a specific ethnic group saying that one they arrived the name was changed to Five Well because these people stole two of the wells.  Now they added two wells to the original seven.

In conclusion, this was solely an attempt to attack AMD and exploit the wake of the recent security flaws Meltdown and Spectre to defame AMD.  But the biggest lesson to learn from this failed and obvious amateur attack on AMD is the market manipulation that is going on with a massive scale.  There have been as many as 175 million shares shorted.  There have been announcements from Morgan Stanley, Goldman Sachs, and Barclay's attempting to bring down AMD's stock price.  I am surprised that the SEC has not investigated the legality of some of this activity which is more subtle, hidden, and effective against AMD.