AMD has fixes coming for its 13 chip vulnerabilities

AMD is addressing several vulnerabilities discovered in its Ryzen and EPYC chips, and rolling out updates for millions of devices "in the coming weeks."

The 13 vulnerabilities came to public attention clouded in controversy. The security company CTS Labs gave AMD less than 24 hours notice before releasing the information to the public. Standard vulnerability disclosure practices call for giving companies at least 90 days' notice so they can fix the flaws before researchers go public and hackers can start causing trouble.

Had CTS Labs given AMD that same courtesy, the issues would have been addressed within a week of the notification.

"Each of the issues cited can be mitigated through firmware patches and a standard BIOS update, which we plan to release in the coming weeks," said Sarah Youngbauer, AMD's senior spokeswoman. "We believe this provides a good example of why the more standard 90-day notification window for such notifications exist."

In the original vulnerability report, CTS Labs said that it would take "several months" to fix the issues and that some hardware flaws "cannot be fixed." AMD disagreed with that timeline, and said it would provide more information in several weeks.

CTS Labs responded to AMD on Wednesday, writing that the company is "attempting to downplay the significance of the vulnerabilities." 

"We firmly believe that AMD's suggested rollout timeline for its patches is also drastically optimistic," the company said in the statement.

The chipmaker said the issues were not with its hardware, but with firmware, or software that's embedded in hardware. It'll be sending fixes for all 13 vulnerabilities through patches and BIOS updates. Mark Papermaster, AMD's chief technology officer, said the updates won't affect chip performance, an issue that has plagued Intel's fixes for the Spectre and Meltdown flaws.

The vulnerabilities that CTS Labs reported also drew intense scrutiny because of how difficult they are to take advantage of. While independent researchers like Trail of Bits were able to confirm that the flaws were legitimate, AMD said that to carry out most of these attacks, you'd need to have administrative access to the system, which would already give a hacker plenty of options.

According to AMD's technical assessment, each of the flaws required administrative access.

"Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research," Papermaster said in a statement.

Critics also took issue with another aspect of the CTS Labs report, pointing out the legal disclaimer on the company's website: "You are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."  

Last Wednesday, CTS Labs' chief financial officer and co-founder, Yaron Luk-Zilberman, a former hedge fund manager, said it didn't have "any investment (long or short) in Intel or AMD."

The security report had been leaked to Viceroy Research, a financial firm, one week before CTS Labs disclosed it to AMD. Viceroy admitted to Motherboard that it used the report to try to tank AMD's stock.

CTS Labs said it has no affiliation with Viceroy Research.

AMD declined to speculate on CTS Labs' financial motivation.

First published March 20 at 1:15 p.m. PT. 
Update at 10:05 a.m. PT: To include comment from CTS Labs.

Security:  Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Rebooting the Reef: CNET dives deep into how tech can help save Australia's Great Barrier Reef.