AMD downplays CPU flaw discovery, says hackers would need admin rights anyway

Semiconductor giant AMD said today that attackers wouldn’t likely abuse the vulnerabilities recently found in its products: they would need administrative access, and that kind of access would allow for far more effective attacks than the exploits at the center of the controversy.

“All the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings,” AMD said in a press release today. “Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research.”

However, as many researchers point out, it’s trivial to gain admin rights in an enterprise (or otherwise multi-tenant) server setup, which renders AMD’s excuse invalid.

The dispute over the seriousness of the vulnerabilities comes after days of controversy over the way they were revealed. On March 12, researchers and CTS Labs disclosed 13 critical vulnerabilities affecting some AMD processors, giving the vendor no time to properly assess the situation, let alone produce a fix. News that CTS Labs disclosed their findings just 24 hours after notifying AMD of the flaws drew massive backlash from the cybersecurity community.

Patching critical hardware flaws can take weeks, even months, considering the quality assurance workload. By this account, CTA Labs’ rushed disclosure can be considered reckless, to say the least.

But CTS Labs CTO Yaron Luk-Zilberman comes to the firm’s defense with a proposal of his own: consider amendments to the current Responsible Disclosure program.

“A better way, would be to notify the public on day 0 that there are vulnerabilities and what is the impact. To notify the public and the vendor together. And not to disclose the actual technical details ever unless it’s already fixed. To put the full public pressure on the vendor from the get go, but to never put customers at risk,” said Luk-Zilberman.

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Filip Truta. Read the original post at: