13 Critical Security Vulnerabilities and Manufacturer Backdoors discovered In AMD Ryzen Processors

Discussion in 'Frontpage news' started by Hilbert Hagedoorn, Mar 13, 2018.

  1. Hilbert Hagedoorn

    Hilbert Hagedoorn Don Vito Corleone Staff Member

    Last edited: Mar 13, 2018
    ZXRaziel and killferd like this.
  2. fantaskarsef

    fantaskarsef Ancient Guru

    Can't help but remember all the red team's fanboys crying out for Spectre and Meltdown and how AMD's CPUs are totally secure etc.
     
  3. Rich_Guy

    Rich_Guy Ancient Guru

  4. Spider4423

    Spider4423 Active Member

    Can't help but think this is becoming a hunt... Intel and AMD sponsoring these sudden exploit finds. Suddenly a lot of exploits come to surface.
    Also, to be on topic, should they have warned AMD of these exploits before going public?
     
    Clawedge likes this.

  5. Aura89

    Aura89 Ancient Guru

    It's 2018 and it's software/hardware. There will never be a time that there are no vulnerabilities. That being said, a vulnerability that lasts 10+ years is pretty sad.

    ^ This. If they didn't, and I don't know if they did or didn't, then the real people allowing vulnerabilities to be exploited are the people who make this information public knowledge. I'm not saying the public should never know about this, obviously they should, but considering the fact there's nothing for the public to do in these issues, either Intel or AMD, then the information should be announced after they have been fixed, unless there is something that can be done for temporary reasons to halt the exploit on the user end.
     
    ZXRaziel likes this.
  6. fantaskarsef

    fantaskarsef Ancient Guru

    That being said, a vulnerability that takes 10+ years to detect / exploit is not as sad as one discovered in a relatively new architecture, no? ;)
     
  7. Aura89

    Aura89 Ancient Guru

    Depends on how long they were being used. No one realistically can say for certain that any issue was not being abused before it was "discovered".

    Though again, 10+ years means the whole CPU has not been overhauled in 10+ years, which is simply sad.
     
    Last edited: Mar 13, 2018
    ZXRaziel and Silva like this.
  8. Brandon Stewart

    Brandon Stewart Guest

    Doesn't it seem really strange that this was announced on the 1 year anniversary of Ryzen and just happens to have a splashy website name and advertisement style videos? The flaws are probably legit but someone is out for publicity on this one.
     
    fantaskarsef and Silva like this.
  9. Jagman

    Jagman Ancient Guru

    Check calendar......Hmmm... Not April 1st..... Oh feck! Can someone, anyone, please make a secure processor? Is it even possible?
     
  10. SSD_PRO

    SSD_PRO Guest

    Being an Intel fanboy, I will now demonstrate how a mature person steps up instead of screaming insults: Components/hardware/software have vulnerabilities. They all do; those that are known, those that are unknown, it is just the way it is. All we need is the companies to step up and do what they can to mitigate and accountability for those responsible if they covered it up thus endangering end users. AMD has some really great products right now at competitive prices and this shouldn't be seen as a deterrent.
     
    Octopuss and ZXRaziel like this.

  11. mtrai

    mtrai Maha Guru

    They did post a disclaimer stating it is their opinion not fact.

    Legal Disclaimer

    CTS is a research organization. This website is intended for general information and educational purposes. This website does not offer the reader any recommendations or professional advice. The opinions expressed in this report are not investment advice nor should they be construed as investment advice or any recommendation of any kind.

    It summarizes security vulnerabilities, but purposefully does not provide a complete description of such vulnerabilities to protect users, such that a person with malicious intent could not actually exploit the vulnerabilities and try to cause harm to any user of the products described herein. Do not attempt to exploit or otherwise take advantage of the security vulnerabilities described in the website.

    The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Our opinions are held in good faith, and we have based them upon publicly available facts and evidence collected and analyzed, which we set out in our research report to support our opinions. We conducted research and analysis based on public information in a manner that any person could have done if they had been interested in doing so. You can publicly access any piece of evidence cited in this report or that we relied on to write this report. Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports. Any other organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents.

    You may republish this website in whole or in part as long as CTS is clearly and visibly credited and appropriately cited, and as long as you do not edit content.

    Although we strive for accuracy and completeness to support our opinions, and we have a good-faith belief in everything we write, all such information is presented "as is," without warranty of any kind – whether express or implied – and CTS does not accept responsibility for errors or omissions. CTS reserves the right to change the contents of this website and the restrictions on its use, with or without notice, and CTS reserves the right to refrain from updating this website even as it becomes outdated or inaccurate.
     
    Last edited: Mar 13, 2018
    killferd likes this.
  12. jaggerwild

    jaggerwild Master Guru

  13. mtrai

    mtrai Maha Guru

    We really need a lot more information...they "supposedly" gave AMD notice but only 24 hours before this "news" was published...when standard practice is 90 days. Just saying.
     
    Silva likes this.
  14. Eastcoasthandle

    Eastcoasthandle Guest

    Let's set a few things straight about this as I'm no fan of AMD CPUs. Haven't had one in years but I find this a bit suspect.
    This is a no-name startup that simply pops out of nowhere. They have professional PR representation, videos, ads, and a dedicated info weblink that's hyperbolic towards AMD? And no one caught this?
    https://amdflaws.com/. <---LOL ok it must be legit

    From what I've read this rogue group gave AMD less than 24 hours to look at the vulnerabilities and respond before this was published for all to see in its glory. From watching videos about journalism the standard vulnerability disclosure calls for 90 days notice, so companies have time to address flaws and respond about it. This in and of itself makes the claims shady and unethical even if what they claim is remotely true. This is a huge conflict of interest how and when this is presented.

    But what I also found interesting is the fact that this comes from the same area in Israel where Intel has facilities for their core design teams and manufacturing plants. Nah, that must be just a coinkydink right?
    Or perhaps made to look like a coinkydink.

    I find this report regardless if true or not true to be incredibly disingenuous. And won't be surprised if the bread crumbs lead back to a conspirator causing drama. I am not fully convinced this is from Intel either. As it's way too obvious. That's also a red flag.
     
    Athlonite and ZXRaziel like this.
  15. Hilbert Hagedoorn

    Hilbert Hagedoorn Don Vito Corleone Staff Member

    The timing of this whitepaper, website release and even press-releases on pro PR agencies like BusinessWire are just so suspicious. It feels like it was deliberately released as a payload, to create damage.

    This research is extensive - it likely has been funded in full, as the scope of it goes very deep, months if not an entire year of work maybe even? Yesterday AMD had their one year Ryzen anniversary, they're about to launch Zen+ as well. So who benefits from all this the most? It's pure speculation, but didn't Intel have activities in Israel as well? Yep, they invested $15 billion in a plant, and let me quote the Intel CEO:

    “We think of ourselves as an Israeli company as much as a US company,” Krzanich said at a Jerusalem press conference.

    It's not an accusation, but come on, it is suspicious. Also, CTS was founded as a privately held company in... 2017. Regardless of that remark, if the vulnerabilities are for real they, of course, should be out in the open. But only after AMD would have had enough time for this.
     
    Last edited: Mar 13, 2018
    anticupidon, Athlonite, -Tj- and 10 others like this.

  16. Bozskaggs

    Bozskaggs New Member

    This is shady af, and should be taken with a huge grain of salt.
    The white paper ends saying all of these "vulnerabilities" require admin level privileges.
    Seems like a complete smear job to me.
     
    ZXRaziel and killferd like this.
  17. mbk1969

    mbk1969 Ancient Guru

    Does that sound like a ransom blackmail?
    What is the point to give 24 hours?
     
    ZXRaziel and lucidus like this.
  18. cowie

    cowie Ancient Guru

    I hope this is not too hard to fix
    if it's true
     
    Last edited by a moderator: Mar 13, 2018
  19. fredgml7

    fredgml7 Master Guru

    Is that you Intel? Lol.
    I'm using my I5 fearlessly, but keeping a backup. ;)
     
  20. Fox2232

    Fox2232 Guest

    Less than 24 hours from letting AMD know till sending it out = malicious intent.
     
    ZXRaziel likes this.
