A newly discovered set of vulnerabilities in AMD [1] chips is making waves not because of the scale of the flaws, but rather the rushed, market-ready way in which they were disclosed by the researchers. When was the last time a bug had its own professionally shot video and PR rep, yet the company affected was only alerted 24 hours ahead of time? The flaws may be real, but the precedent set here is an unsavory one.
The flaws in question[2] were discovered by CTS Labs, a cybersecurity research outfit in Israel, and given a set of catchy names: Ryzenfall, Masterkey, Fallout and Chimera, with associated logos, a dedicated website and a whitepaper describing them.
So far, so normal: major bugs like Heartbleed and of course Meltdown and Spectre got names and logos too.
The difference is that in those cases the affected parties, such as Intel, the OpenSSL team and AMD were quietly alerted well ahead of time. This is the concept of “responsible disclosure,” and gives developers first crack at fixing an issue before it becomes public.
There’s legitimate debate over just how much control big companies should exert over the publicity of their own shortcomings, but generally speaking in the interest of protecting users the convention tends to be adhered to. In this case, however, the CTS Labs team sprang their flaws on AMD fully formed and with little warning.
The flaws discovered by the team are real, though they require administrative privileges to execute a cascade of actions, meaning taking advantage of them requires considerable access to the target system. The research describes some as backdoors deliberately included in the chips by Taiwanese company ASmedia, which partners with many manufacturers to produce components.
...