2018 Hasn’t Started Out So Great
In January, researchers disclosed a pair of twenty-plus-year-old flaws, Spectre and Meltdown. While Meltdown seems to mainly affect Intel chips and is relatively easy to fix, Spectre affects everything from Intel chips to smart light bulbs and is extremely difficult to fix (see here).
Fast forward to this month…
This week, in a pretty sketchy announcement, researchers claim that they have found 4 different related flaws that only affect AMD chips. The flaws were found by a team of Israeli researchers who only gave AMD 24 hours to review their findings. Compare this to the six months that Intel had to review the Meltdown and Spectre research. They have not provided any details, publicly, of the flaws.
The researchers call the flaws Ryzenfall, Masterkey, Fallout and Chimera. And they gave them cute logos.
The concept of responsible disclosure says that researchers are supposed to tell vendors about flaws in advance of public disclosure, so that the vendors have the possibility of fixing them before they become public and hackers get to start figuring out how to create an attack around them.
In this case they gave AMD 24 hours. That is not enough time to understand the problem, never mind fix it.
On their web site, the researchers disclosed that they may have “an economic interest in the performance of” (AMD). I guess that means that they shorted the stock before they dropped the bombshell.
There is some good news however, which may indicate this is being overhyped by the researchers. The attack cannot be done remotely. It cannot be done locally if the user does not have access to the system. It cannot be done locally, even with access to the system, unless you are an administrator on the system. That greatly reduces the ability to exploit the flaws.
But there is also some bad news. It is possible that at least one of the flaws is not fixable.
Only time will tell.
What this does mean, at least for now, is that users of AMD-based systems should be extra careful about doing things (like opening strange emails or attachments or clicking on sketchy links) that would increase the odds of them falling victim to an attack, because if they do, the consequences might not be pretty.
Information for this post came from Techcrunch.