CTS Labs Sent AMD and Other Companies a Research Package with Proof-of-Concept Code

[ArchStupid]

I don't trust Israel on anything expecially Political stuff.

Same here..

Very relevant.
How to spot the racists.

 

[Kaotik]

The one vulnerability allows malicious BIOS to be installed. That is a pretty big issue actually. Beyond the normal malware we see today, because it allows the malware to persist even after a reformat and OS re-install, even after a full replacement of the storage drives. That actually is pretty bad.

Yes, but you still need to get that admin access to do the BIOS update/modification and at that point your system is already compromised, no matter whose CPU or chipset or whatever is in there. Also, since they blame it on American Megatrends making things easy, it should apply to any system with their BIOS?

 

[ensabrenoir]

......anything with an operating system or an Internet connection can be hacked. Privacy exists as the thoughts with in your head....even then your mouth, expressions or fingers can still betray you. So were all kinda screwed. The only truely secure computer is:

 

[Kaotik]

Also, regardless of their excuse, 24hrs notice before going public was a stupid decision.

Yes and no, it was the only way they could get real attention and affect AMD stocks with this (in cooperation with Viceroy Research), since any other approach would have led to the industry and other security firms ripping this P.O.S. apart

 

[basco]

sorry did not know tpu has 3 threads open for this.


http://ir.amd.com/news-releases/news-release-details/view-our-corner-street-0

normally you get 80 days time to react to such statements.
in the case of spectre4+meltdown it was 180 days.

linus has something to say:
https://plus.google.com/+LinusTorvalds/posts/PeFp4zYWY46

https://viceroyresearch.org/2018/03/13/amd-the-obituary/

 

[Chaitanya]

Yes, but you still need to get that admin access to do the BIOS update/modification and at that point your system is already compromised, no matter whose CPU or chipset or whatever is in there. Also, since they blame it on American Megatrends making things easy, it should apply to any system with their BIOS?

Blaming asmedia as well. Language used in the so called whitepaper is quite scathing. They might be going under soon with bunch of lawsuits.

 

[Kaotik]

Blaming asmedia as well. Language used in the so called whitepaper is quite scathing. They might be going under soon with bunch of lawsuits.

Pretty sure the company was founded to be a scapegoat for Viceroy Researchs shorting practices, so they're not probably too worried about that

 

[Shihab]

Still, when you have admin access, does it really matter at that point anymore?

How do you think pretty much all other malware infects systems? How do you think ransomware works? I'll give you a hint: Admin Level Code.

Privilege elevation exploits.
And that's assuming such tricks were needed. Malware that rely on admin/root privs can be less of a worry for enterprise machines maintained by an IT dept who know their job, but your average joe and jane would click the yes on the UAC prompt before the background finishes dimming.
UAC itself wasn't particularly that resilient, if I remembered correctly.

 

[B-Real]

Very relevant.
How to spot the racists.

Is it racist to say that political moves by Israel are questionable?

 

[FordGT90Concept]

...but urged those disgruntled with this decision to look at the situation objectively. "If you look at the situation in the following way: right now the public knows about the vulnerabilities and their implications, AMD is fully informed and developing patches, and major security companies are also informed and working on mitigation."

AMD has to rush to fix it as hackers rush to exploit it. Not a good situation. And yes, that's the objective look at it.

Looking at the broader picture "objectively": NVIDIA and AMD don't have a presence in Israel, Intel has a significant presence in Israel.

 

[Prince Valiant]

This is in contrast to the unintentional consequence of keeping Meltdown/Spectre away from the public domain for over half a year, allowing Intel's senior executives to dump company stock, and for big cloud computing providers to harden their infrastructure, giving themselves a competitive advantage over smaller providers. But unlike with Meltdown/Spectre, these vulnerabilities aren't industry-wide (i.e. they don't affect Intel), placing AMD at a disadvantage in both the stock markets, and in the retail markets.

I'd rather let a few executives distance themselves than potentially seeing a company get ruined by a dubious claim.

 

[OneMoar]

Very relevant.
How to spot the racists.

fooy
I don't trust certain parts of that region and it has everything todo with there political climate and instability of there economy
that and they are constantly killing each other over religion

 

[eidairaman1]

CTS Smells of Intel Through and Through. I'll skip this clickbait from here on out.

 

[OneMoar]

I don't know that it stinks of intel but it sure does stink of amature stupidity and agenda (not that those are mutually exclusive )

 

[Falconeer]

I'll just leave this here:

https://www.gamersnexus.net/industry/3260-assassination-attempt-on-amd-by-viceroy-research-cts-labs

 

[eidairaman1]

Sorry Intel being in Israel, Whistle Blown on Intel, now intel is retaliating. Yeah Corruption...

 

[FordGT90Concept]

It could totally be a company created with Intel funding to disseminate vulnerabilities found in their competitors' hardware. Just look at how the last two days panned out and the language on their website: everything was orchestrated to inflict maximum damage on AMD for financial gain.

 

[srsbsns]

Physical access is not required, just admin privileges

The real vulnerability right there. What if I told you there is a vulnerability in the wild that allows anyone to do anything to a system no matter the OS. Its called the login/password.


Are these really vulnerabilities ? If I have admin credentials I can flash the bios of my video card. Does that make my video card vulnerable?

 

[john_]

I think we have a little fire here with too much smoke. There where many vulnerabilities in Intel's Management Engine lately, but I haven't seen anyone coming out and saying that Intel's valuation is $0. Even after Meltdown and Spectre. Maybe Intel started this project "Find vulnerabilities in AMD software" secretly and then co operated with Viceroy (Intel executives making money throught stock market manipulation? I am probably wrong here! ) to make the biggest possibly impact with whatever they would find, with the help of both tech and financial press. I think this kind of attacks between companies could become more often in the future.

 

[Vya Domus]

Yep , they sent out detailed technical papers to major companies making sure the mission critical systems these companies sell are in total safety.

...and also to this bloke a week prior : https://twitter.com/dguido

"I initially responded to their request out of curiosity -- "Hey, do you want to see our new processor bugs before we release them?" "hell yes I do" -- but after their asks continued to grow billed them our week rate for the work."

 

[etayorius]

These guys seem to have done this in very bad faith to hurt AMD. They even claim AMD should file for bankruptcy. It speaks a lot about their agenda.

 

[RejZoR]

Physical access and admin access are two vastly different things. Every malware gets onto PCs through admin access, tons of computers get infected every day, so this is not a non-issue.
The difference here is that the malware can be hidden in a way that's undetectable from security software and persists through reboot, and OS reinstall, which means "buy a new computer" for 99% of the population.


No

That's not true entirely and given you're a programmer, you probably know this. Malware gets on PC via actual vulnerability/exploit, usually via privilege escalation exploitation. Meaning you basically force malware into secured system without admin rights by giving it more rights "unofficially" via a security hole/flaw. Once you do that, you're basically on the same security level as people managing those systems officially. And when you have that kind of access, you can install things on system the normal way and chances are, in 99% of cases, no one would notice anything. You don't even need a flawed CPU or anything else. It's very likely you could actually leave an entry in programs and Features panel and admins probably wouldn't notice it.

 

[OneMoar]

on the upside nobody will ever work with these guys ever again*
and there careers are officially over

*assuming AMD doesn't sue them into the ground first

 

[xkm1948]

I am starting to question whether several tech sites that are so eagerly promoting these stories received any incentives for doing so. This is beyond just click bait titles. TPU's Facebook account is even worse. Paid to promote agenda?

Come on, deliberately ignoring their white paper said they have potential "financial interest in said company" Also ignoring that multiple users, as well as some other tech news such as GamerNexus point out those so called security claims can be executed to ANY machine.

My BS meter is ticking to the max.

 

[W1zzard]

usually via privilege escalation exploitation

I would say "usually" it's people just clicking "accept" in the UAC prompt because they want whatever they downloaded to run?

and chances are, in 99% of cases, no one would notice anything.

How do antivirus companies make billions then? Your point is a fair one though, if the malware doesn't do anything that hurts me, then why bother protecting or fighting against it? Technically not "mal"ware then anymore

some other tech news such as GamerNexus point out those so called security claims can be executed to ANY machine.

Not sure what you are talking about, but are you saying they claim that you can execute attacks against the AMD Secure Processor on systems that don't have an AMD Secure Processor?