We may earn a commission when you buy through links in our articles. Learn more.

AMD CPUs are vulnerable to attack… if you actively invite the attackers in

AMD Ryzen CPU family

AMD are still reeling from the recent Spectre and Meltdown vulnerabilities, but a new report online has outlined further security flaws – complete with their own logos and fancy names. However, these new vulnerabilities may not be quite what they’re made out to be in the initial report and the attention-grabbing website.

Here are some of the best gaming headsets around.

The last 48 hours have been a wild ride for AMD. It started out with Jim Anderson outlining AMD’s success this past year, announcing the sampling of the AMD Zen 2 processors before the end of the year, and the market share growth they expect in the future. All good on that front. But, only a brief period of time later, news broke of a wash of security vulnerabilities supposedly present in AMD chips on-par with Spectre and Meltdown.

The report comes from an Israeli security company, CTS-Labs, and was posted on the new website, amdflaws.com. Supposedly AMD were unaware of the report and were only allowed one day to respond to the security vulnerability – a far cry from the 90 days that has become the industry norm.

The website outlines four ‘classes’ of flaw present in AMD’s processors, each outlining various angles of attack across the entire CPU product stack. It’s worth noting that all of these attacks supposedly require high-level access to carry out on a system, which would be quite a feat to get access to in the first place. Essentially the equivalent of handing a thief the front door keys to your home and asking them not to steal anything.

AMD Ryzen architecture

The current understanding is that these flaws also differ from Spectre largely in that they supposedly would not require hardware fixes to repair. Potentially, if AMD had the chance to respond to the flaws before they had been made public, they may have never seen the light of day. The supplied whitepaper from CTS-Labs has so far not offered much detail into the specifics of the vulnerabilities – a stark contrast to the level of detail offered by Google’s Project Zero report with the Spectre and Meltdown vulnerabilities, which were also made public many months after being disclosed to those potentially affected.

AMD responded with a brief statement on their website.

“We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors,” AMD says. “We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise.”

The white paper outlines a disclaimer advising readers not to use the findings of the report as advice for investment, although the report will almost certainly affect company stock regardless. Members of the CTS-Labs team have also outlined that they may have some ‘economic interest’ in the subject of their report.

AMD Ryzen design

AMD’s stock has somewhat dropped in light of the claims, although that downward slide has eased and was on the way back up at the time of writing.

The ever-outspoken Linux creator Linus Torvalds made his opinion on the matter very clear in a post on social media.

“It looks like the IT security world has hit a new low,” Torvalds says. “I thought the whole industry was corrupt before, but it’s getting ridiculous.”

You tell ‘em, Linus.

Through the frenzy of security community researchers what seems to be a resounding note is that these flaws, while potentially real, are difficult to gauge without the full technical breakdown that has not yet been published. It also seems to be a common thread among some experts that these flaws are rendered obsolete by the steps required to get even close to utilising them for an attack.

While consensus has not yet been reached without further evidence (supposedly incoming), the response from the tech community to the security flaws so far has resulted in very little amounting even close to widespread trepidation. In short: don’t panic.