I'm curious to see the performance impact on this one. They promise none, but who knows.

software patch mitigation is better.you can turn it off.
with agesa I don't know,you're gonna have to sneak in that update with newer bios versions.

Funny how these flags are raised only at launch dates.

3roldI'm curious to see the performance impact on this one. They promise none, but who knows.

Given that this exploit has nothing to do with the way the processor handles data, yeah the performance impact will be 0. It's a security hole that allows the attacker to manipulate AGESA in order to execute code

cucker tarlsonsoftware patch mitigation is better.you can turn it off.
with agesa I don't know,you're gonna have to sneak in that update with newer bios versions.

You do realize that AGESA runs at a lower level then windows right? Releasing a software update would literally do nothing.

See this, Intel? This is how you deal with security flaws.

The vulnerability was registered a month ago, and AMD are today announcing that new platforms have already been covered in the latest AGESA, with older platforms promised within 6 weeks of the vulnerability initially being brought to light.

Nobody is being asked to sit on it for a year, and then bribed to sit on it for another six months, and then hit by a smear campaign to discredit them after refusal of your second bribery.

Chrispy_See this, Intel? This is how you deal with security flaws.

The vulnerability was registered a month ago, and AMD are today announcing that new platforms have already been covered in the latest AGESA, with older platforms promised within 6 weeks of the vulnerability initially being brought to light.

Nobody is being asked to sit on it for a year, and then bribed to sit on it for another six months, and then hit by a smear campaign to discredit them after refusal of your second bribery.

And AMD even said thanks to the guy who found it...

Chrispy_See this, Intel? This is how you deal with security flaws.

The vulnerability was registered a month ago, and AMD are today announcing that new platforms have already been covered in the latest AGESA, with older platforms promised within 6 weeks of the vulnerability initially being brought to light.

Nobody is being asked to sit on it for a year, and then bribed to sit on it for another six months, and then hit by a smear campaign to discredit them after refusal of your second bribery.

how we really know if amd(or others in the field) din't had covered/bribed security flaws?

laszlohow we really know if amd(or others in the field) din't had covered/bribed security flaws?

We don't.

But this instance is being reported by an independent organisation (mitre.org) so I'm not entirely sure what you're getting at....

mtcn77Funny how these flags are raised only at launch dates.

Usually AMD receive this information months ago and when the deadline arrive they do a blog post.

''execute arbitrary code undetected by the operating system. ''

Hmm..... I have a sneaking suspicion that unpatched AGESA will come in handy to test the true limit of AMD X86 CPU, if they will actually try to run anything we feed the pipeline.

evernessinceYou do realize that AGESA runs at a lower level then windows right? Releasing a software update would literally do nothing.

AGESA is firmware. Operating systems have long had the ability to load more recent firmware versions than what's in the BIOS on startup. It's how one gets updates long after the manufacturer forgets about your model ;)

Enough of the mossad remarks.
Stay on the topic.
And, remember.... keep it civil !

Have a Good Day and Stay Safe.

These are fine example from underdog and slow CPU maker, assertive prevention and quick to respond.
Unlike our neighboring , doesn't announce anything and yet their system getting slower each Windows update, fine example my office's notebook i5-8350U is miles slower than Ryzen 3 2200U :wtf:

Per the AMD website (www.amd.com/en/corporate/product-security)

...requires privileged physical or administrative access to a system based on select AMD notebook or embedded processors. If this level of access is acquired, an attacker could potentially manipulate the AMD Generic Encapsulated Software Architecture (AGESA) to execute arbitrary code undetected by the operating system. :wtf:

The attacker first needs privileged access to the system in order to take advantage of the vulnerability.

mamisanoPer the AMD website (www.amd.com/en/corporate/product-security)


The attacker first needs privileged access to the system in order to take advantage of the vulnerability.

Not too hard to obtain such access, to be fair.
It's worse that once the firmware is altered it's game over. That's pwnage of the highest order.

I'm somewhat concerned that such an elevation of rings is even possible.

Still, its patched (or will be for those on older systems) at no performance cost so whilst questionable, its not the end of the world.

... and almost every time i see such articles there is always something like this
attacker with elevated system privileges
Does it make sense for an attacker with elevated system privileges to attack to begin with???

Arumio... and almost every time i see such articles there is always something like this
attacker with elevated system privileges

No, it is much more than that. You missed the most important part!

Typically, the bad guy must also have physical access to the computer. How likely is it a bad guy will be able to gain access to your home or place of work, sit at your desk, and start messing with your computer (to include inserting thumb drives), bypassing your password/PIN, without someone wondering what is going on?

A new portion of "AMD too" FUD from the known offenders.
I mean "requires privileged physical or administrative access to a system ", you gotta be kidding me...

Bill_BrightNo, it is much more than that. You missed the most important part!

Typically, the bad guy must also have physical access to the computer. How likely is it a bad guy will be able to gain access to your home or place of work, sit at your desk, and start messing with your computer (to include inserting thumb drives), bypassing your password/PIN, without someone wondering what is going on?

Perhaps a burglar with a specific agenda?

Could invade the worker's home while he's @ work or invade the workplace @ night when there's nobody in the office, thus gaining physical access to the computer(s) in question @ which point the burglar would carry out his nefarious plan ...

Sure: both the home owner and the work place would become aware of the break in, but would they be aware their computer(s) was / were compromised?

Just a scenario i thought of.

HTCPerhaps a burglar with a specific agenda?
Just a scenario i thought of.

Yeah, and if that is the case, you have much greater concerns than a vulnerability in a CPU! Like your own, or your family's personal safety. :(

Bill_BrightYeah, and if that is the case, you have much greater concerns than a vulnerability in a CPU! Like your own, or your family's personal safety. :(

While true, the burglary could be done in a way to divert the owner's "eyes" away from the computer so that the owner changed locks and computer passwords. And if instead of a home break in it were an office break in, they'd likely do the exact same thing: change locks and computer passwords.

Would that be sufficient or would the computer(s) be compromised already, despite the changed passwords?

:( Nobody is saying you are wrong. But that just is not the point. The point is about many in the IT media seeking attention with sensationalized headlines, fanboys (on one side or the other) seeking to discredit the other side, tinfoil hat wearers believing they are constantly being watched, and the Chicken Littles who are convinced the world is about to end.

You are citing an extreme exception to the norm in order to justify your claim. Sure a burglar could break into my house or place of work. All they have to do is get by security cameras, guards, coworkers, nosy neighbors, alarm systems, the deadbolts on my doors, my dogs, and my Glock - without being noticed, and get out again.

And while burglaries do happen, the vast majority are to grab valuables to sell for drug money. Not to plant malware on our systems.

Exceptions don't make the rule. Just because a vulnerability exists, that does not, in any way, mean it is easy to exploit, or that it will be exploited.

Is this AMD vulnerability (or the Intel vulnerability a few days ago) a bad thing? Sure. Is it going to affect any of us here at TPU? Highly unlikely.

Bill_BrightNo, it is much more than that. You missed the most important part!

Typically, the bad guy must also have physical access to the computer. How likely is it a bad guy will be able to gain access to your home or place of work, sit at your desk, and start messing with your computer (to include inserting thumb drives), bypassing your password/PIN, without someone wondering what is going on?

Hard doesn't mean impossible.
Obviously this attack won't be scripted en masse but it is just sad that it is there in a first place.

Hard doesn't mean impossible.

:( Again, nobody said it wasn't. Only a fool would! No doubt those in charge of Ft Knox would like to think it is impossible to steal all the gold there, but would they dare say it is impossible? No way! But is that really the point? No.

Of course any vulnerability is sad. But it is unrealistic to think something as complex as a computer CPU, with many billions of transistor gates in each, could be flaw-free. Humans just are not capable of that "divine" feat.

But if something is possible, that still does not mean it is probable, either - especially considering all the other security precautions and measures one must defeat to get in there (and safely back out).